Web Application Security
oauth token authentication Aug 12 2013 03:03PM
saghar estehghari (s estehghari gmail com)

On a cloud project that I'm currently working on, we authenticate the
clients by password and get access to their keys using their password
(using a PBKDF2 function).

However, we want to provide the user with another option, which is
authenticating with an OAuth token. So the problem that I'm facing
right now is that if the user doesn't type a password then I can't
access his key, as the passwords are saved salted and hashed in the DB. I
know that we can add some parameters to the token (e.g. adding the
encrypted password for accessing the key), but it seems insecure to
me, as the tokens are vulnerable to replay attacks (and it's
possible that the expiration date would be long)!

So I was wondering whether any of you had faced a similar problem
and could help me with your ideas :)

Thanks for your time
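To make the constraint in the post concrete, here is an added example (not the poster's code, and not from any project mentioned above) of the password-path key model it describes: PBKDF2 turns the password and a stored salt into key material, one half of which is hashed into a login verifier and the other half of which wraps a per-user data key. The DB record holds only salt, verifier and wrapped key, so a bearer token that carries no password material has nothing it can unwrap. The HMAC-based stream-and-tag wrapper is a stand-in for AES key wrapping so the example runs on the Python standard library alone; all function names, the record layout and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed example, not the poster's code: a password-derived
# key-encryption key (KEK) unlocks a per-user data key.  The DB stores
# only a salt, a password verifier and the wrapped key, so neither the
# record alone nor a bearer token (which carries no password) yields the key.

PBKDF2_ITERATIONS = 200_000   # assumed value; tune to your hardware budget
DATA_KEY_LEN = 32


def derive_keys(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Return (verifier_input, kek) from one PBKDF2-HMAC-SHA256 run.

    The 64-byte output is split so the half used to check the password
    is different from the half that wraps the data key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(kek: bytes, nonce: bytes) -> bytes:
    # Stand-in for AES-KW / AES-GCM so the example needs only the stdlib:
    # a 32-byte one-time pad derived from the KEK and a fresh nonce.
    return hmac.new(kek, b"wrap-stream" + nonce, hashlib.sha256).digest()


def wrap_key(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt and authenticate the data key under the KEK."""
    if len(data_key) != DATA_KEY_LEN:
        raise ValueError("data key must be %d bytes" % DATA_KEY_LEN)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(kek, nonce)))
    tag = hmac.new(kek, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # 16 + 32 + 32 bytes


def unwrap_key(kek: bytes, blob: bytes):
    """Return the data key, or None if the blob was tampered with or the KEK is wrong."""
    if len(blob) != 16 + DATA_KEY_LEN + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce)))


def enroll(password: str, data_key: bytes) -> dict:
    """Build the DB record for a new user: salt, iteration count, verifier, wrapped key."""
    salt = os.urandom(16)
    verifier_input, kek = derive_keys(password, salt)
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        # Hash the verifier half again so the stored value is not itself key material.
        "verifier": hashlib.sha256(verifier_input).digest(),
        "wrapped_key": wrap_key(kek, data_key),
    }


def verify_password(record: dict, password: str) -> bool:
    """Login check only; does not expose the KEK."""
    verifier_input, _ = derive_keys(password, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(verifier_input).digest(),
                               record["verifier"])


def unlock_data_key(record: dict, password: str):
    """Password login path: returns the user's data key, or None on failure.

    A bearer-token login has no password and therefore no KEK, so nothing
    in `record` can be unwrapped on that path; that is the gap the post describes."""
    verifier_input, kek = derive_keys(password, record["salt"], record["iterations"])
    if not hmac.compare_digest(hashlib.sha256(verifier_input).digest(),
                               record["verifier"]):
        return None
    return unwrap_key(kek, record["wrapped_key"])


if __name__ == "__main__":
    key = os.urandom(DATA_KEY_LEN)
    rec = enroll("correct-horse-battery", key)      # constructed sample password
    assert unlock_data_key(rec, "correct-horse-battery") == key
    assert unlock_data_key(rec, "wrong") is None
    print("wrapped key unlocks only with the password")
```

The split of the PBKDF2 output matters: the verifier stored in the DB is a hash of one half, so a dump of the table gives an attacker something to guess against but never the KEK, and a wrong password fails at the verifier before any unwrapping is attempted. The tag check also rejects a wrapped blob that has been modified in storage.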


Copyright 2010, SecurityFocus