Secure authentication using JavaScript

Register new user

User registration sends the user's password hash (a SHA-512 HMAC of the user id and password) encrypted with a 1024-bit RSA key. The servlet decrypts the password hash before storing it.

Userid:

Password:

Confirm:

Login

User authentication transmits a doubly hashed password value. First the user id and password are SHA-512 HMAC hashed to produce the password hash as stored on the server.

Since this data is password equivalent it cannot be transferred unprotected. Therefore the servlet has provided a salt that can be used to SHA-512 HMAC this password hash once more.

The servlet then reproduces this salted hash to compare the submitted password hash with the stored entry.

Userid:

Password:

Validate session

This button displays the stored login information.

To Do:

  1. Find a better HMAC key than the user name. The recommendation is for the key to be of equal length as the hash, and to be protected. This is tricky since the key must be available on the client.
  2. Find a better HMAC key to use as the one-time salt when submitting the password. Ideally this should be a one-time key, but it needs to be shared with only one user. The browser's session object might be suitable.
  3. More validation on the client side:
    • Verify that JavaScript is enabled and working before accepting passwords. Provide feedback in form of icons etc.
    • Provide some feedback since RSA takes some time. Spinner or similar.