Web Application Security
Re: Forgotten Password
Aug 21 2013 08:16AM
saghar estehghari (s estehghari gmail com)
Thanks for all the replies :)
@Clemens: The system is semi-trusted. This implies that we can't
access the user's data while he is offline (the data is encrypted at
rest). This is because the client is considered the weakest link and
it is complicated for him to handle the keys securely and to do the
encryption/decryption. So having this in mind, we can't be involved in
any encryption and decryption related to user's data that is saved on
the server!! And that's why I proposed the solution like that
(encrypting the pass with server's key but saving it on client side).
In this case an internal attacker, who has access to DBMS and server
keys, can't decrypt the user's data (while the user is offline).
@Tudor: However, I know that my proposed solution has its own
deficiencies, as if the user loses the certificate, there is no other
solution for password retrieval, or as you said, if an inside attacker
who has access to server keys performs a targeted attack and steals the
certificate then he can decrypt the data.
So I have another idea in mind which might be less complicated and
more secure than the previous one. At the registration stage we can
provide the user with 3 challenge-response questions; putting all
the responses together creates a string of length minimum 10
characters. Then using PBKDF2 over the responses + salt can create a
key with which we can encrypt the password (this key can be paired
with our key; this means that the IT manager must be involved in this
process). So at the password retrieval stage the same questions will be
asked and, if correctly answered, the old pass will be retrieved and
the user will be asked to choose a new password.
Any feedback will be appreciated :)
On Wed, Aug 21, 2013 at 3:28 AM, Clemens Lode
<clemens.lode (at) medisanaspace (dot) com [email concealed]> wrote:
> Hi Saghar,
> That depends on your risk analysis and requirements. If e.g. nobody at your
> company may access the encrypted data, then obviously you need to save the
> key at some other place. The ideal place is in the user's head. With your
> solution, you allow anyone with access to the person's computer (a less
> secure system than your servers - hopefully) access to the encrypted files
> on your servers.
> I guess it's better to provide that security for the user on your own
> premises. For example with a computer mostly disconnected from any network
> as a backup system for keys and only offline read access. And secured by
> asking for additional details from the user (e.g. copy of identity card if
> you will).
> If the user doesn't trust you, then your business concept is wrong. Because
> even if you don't have any keys saved on your system (in the solution you
> are describing), you still have the keys for decryption temporarily. Then
> better do all the encryption on the user's side and use the password merely
> for authentication.
> Best regards,
> On Aug 21, 2013 2:33 AM, "saghar estehghari" <s.estehghari (at) gmail (dot) com [email concealed]> wrote:
>> In the system that I'm currently working on, the users authenticate
>> themselves using username and password. As this is kind of a secure
>> file sharing system, each user has a key that is derived from his
>> password and all of his data and files are encrypted using this key.
>> Since the password is not kept clear on the database, I face a problem
>> where the user forgets his password. So it means that if we reset the
>> password we cannot decrypt his files anymore.
>> My solution to this problem was generating a certificate at the
>> registration time that contains the encrypted password (using the
>> server's key), and ask them to save it. So when he clicks on "forgot
>> password" link, the server asks him to provide the certificate. After
>> verifying the certificate, an email with a link for resetting the password
>> or an sms for a secret code will be sent to the user to verify that
>> s/he is the legitimate user or not!
>> However, I'm not sure about the security of such solution! I was
>> wondering whether you have any better ideas or any feedback over my
>> This list is sponsored by Cenzic
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
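The challenge-response recovery idea proposed in the message above, as an added example that is not part of the original thread: the answers are normalized, stretched with PBKDF2 and a per-user salt, and the resulting key encrypts the password. The iteration count, AES-256-GCM, the normalization rules and all function names are assumptions; pairing the key with a server-held key, which the post mentions, is not modelled.

```javascript
const crypto = require('node:crypto');

// Assumptions (not from the thread): iteration count, AES-256-GCM, normalization rules.
const PBKDF2_ITERATIONS = 600000;
const MIN_TOTAL_LENGTH = 10; // the post's minimum combined answer length

// Canonicalize answers so "  Rex " at recovery matches "rex" at registration.
function normalizeAnswers(answers) {
  const norm = answers.map((a) =>
    a.normalize('NFKC').trim().toLowerCase().replace(/\s+/g, ' '));
  if (norm.join('').length < MIN_TOTAL_LENGTH) throw new Error('answers too short');
  // Length-prefix each answer so ["rext","ehran"] and ["rex","tehran"] differ.
  return Buffer.concat(norm.map((a) => {
    const body = Buffer.from(a, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return Buffer.concat([len, body]);
  }));
}

function deriveKey(answers, salt, iterations) {
  return crypto.pbkdf2Sync(normalizeAnswers(answers), salt, iterations, 32, 'sha256');
}

// Registration: encrypt the secret (the password, in the post) under the answer key.
function wrapSecret(secret, answers) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(answers, salt, PBKDF2_ITERATIONS);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret), cipher.final()]);
  return { iterations: PBKDF2_ITERATIONS, salt, iv, ct, tag: cipher.getAuthTag() };
}

// Recovery: returns the secret, or null when the answers are wrong or the
// stored record was modified (the GCM tag check fails in both cases).
function unwrapSecret(record, answers) {
  try {
    const key = deriveKey(answers, record.salt, record.iterations);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ct), decipher.final()]);
  } catch (err) {
    return null;
  }
}
```

The stored record is only as strong as the answers: whoever holds it can test guesses offline, each at the cost of one PBKDF2 run, so guessable answers weaken the data-at-rest guarantee the thread is trying to keep.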
Copyright 2010, SecurityFocus