forked from mozilla-services/pyramid_srpauth
pyramid_srpauth
===============

This is an authentication policy for __pyramid__ that verifies credentials using the HTTP-SRP-HMAC-Auth protocol.

Never heard of it? That's because it's not a standard protocol. It's quite similar to the standard HTTP-Digest-Auth protocol:

    http://tools.ietf.org/html/rfc2617

But it uses the Secure Remote Password Protocol, so that compromising the server database does not immediately compromise everyone's credentials:

    http://srp.stanford.edu/
    http://www.ietf.org/rfc/rfc2945.txt

The details of the protocol are based on a draft spec from Robert Sayre:

    https://bug356855.bugzilla.mozilla.org/attachment.cgi?id=269128

However, the following changes have been made to enhance security:

* calculate x according to TLS-SRP (RFC-5054) rather than trying to reuse an existing database of password hashes. This discourages people from using SRP as a symmetric protocol and unwittingly decreasing its security.
* use a nonce-count as per RFC-2617, to help prevent replay attacks.
* send the public key values in the Authorization header, not as separate headers.
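The three changes listed above are easier to see in code. The following is an added illustration, not code from pyramid_srpauth: it derives x and the stored verifier exactly as RFC 5054 specifies, runs an SRP-6a key agreement in which the client's A and the server's B are the "public key values" that would travel in the Authorization header, and enforces a strictly increasing nonce-count per nonce as RFC 2617 describes. The group constant is the 1024-bit group from RFC 5054 Appendix A; the exact shape of the per-request HMAC (method, URI, nonce and nc under the session key), the user name ``alice`` and the passwords are assumptions constructed for the example.

```python
"""SRP pieces behind the README's design notes (added example, not project code)."""
import hashlib
import hmac
import os

# 1024-bit group from RFC 5054 Appendix A (constant as printed in the RFC;
# check it against the RFC text before relying on it). g = 2 for this group.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-1 over the concatenation of the parts (RFC 5054 uses SHA-1)."""
    return hashlib.sha1(b"".join(parts)).digest()


def pad(n):
    """Left-pad an integer to the byte length of N, as RFC 5054 requires."""
    return n.to_bytes(NLEN, "big")


k = int.from_bytes(H(pad(N), pad(g)), "big")  # SRP-6a multiplier


def compute_x(salt, username, password):
    """RFC 5054: x = SHA1(salt | SHA1(username | ':' | password))."""
    inner = H(username.encode(), b":", password.encode())
    return int.from_bytes(H(salt, inner), "big")


def make_verifier(username, password, salt=None):
    """What the server stores instead of a password hash: (salt, v = g^x mod N)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, pow(g, compute_x(salt, username, password), N)


def client_step1(a=None):
    """Client picks a private a and sends A = g^a mod N in the Authorization header."""
    a = a if a is not None else int.from_bytes(os.urandom(32), "big")
    return a, pow(g, a, N)


def server_step(v, A, b=None):
    """Server: from the stored verifier and the client's A, produce B and the session key K."""
    if A % N == 0:
        raise ValueError("refusing A congruent to 0 mod N")  # mandatory SRP check
    b = b if b is not None else int.from_bytes(os.urandom(32), "big")
    B = (k * v + pow(g, b, N)) % N
    u = int.from_bytes(H(pad(A), pad(B)), "big")
    S = pow(A * pow(v, u, N), b, N)
    return B, H(pad(S))


def client_step2(username, password, salt, a, A, B):
    """Client: derive the same session key K from the server's salt and B."""
    if B % N == 0:
        raise ValueError("refusing B congruent to 0 mod N")  # mandatory SRP check
    u = int.from_bytes(H(pad(A), pad(B)), "big")
    x = compute_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(pad(S))


def request_mac(K, method, uri, nonce, nc):
    """Assumed per-request proof: HMAC-SHA1 under K over method, URI, nonce and nc."""
    msg = "%s:%s:%s:%08x" % (method, uri, nonce, nc)
    return hmac.new(K, msg.encode(), hashlib.sha1).hexdigest()


class NonceCounter:
    """RFC 2617 nonce-count bookkeeping: nc must strictly increase for a given nonce."""

    def __init__(self):
        self.seen = {}

    def accept(self, nonce, nc):
        if nc <= self.seen.get(nonce, 0):
            return False  # replayed or out-of-order request
        self.seen[nonce] = nc
        return True


def demo(password_tried="correct horse"):
    """Full round trip with constructed credentials.

    Returns (keys_match, first_request_accepted, replay_accepted)."""
    salt, v = make_verifier("alice", "correct horse")        # enrolment
    a, A = client_step1()                                    # client -> server: A
    B, K_server = server_step(v, A)                          # server -> client: salt, B
    K_client = client_step2("alice", password_tried, salt, a, A, B)
    nonce, counter = "c0nstructed-n0nce", NonceCounter()
    mac = request_mac(K_client, "GET", "/private", nonce, 1)
    expected = request_mac(K_server, "GET", "/private", nonce, 1)
    first = counter.accept(nonce, 1) and hmac.compare_digest(mac, expected)
    replay = counter.accept(nonce, 1)                        # same nc again
    return K_client == K_server, first, replay


if __name__ == "__main__":
    print(demo())          # (True, True, False)
    print(demo("wrong"))   # (False, False, False)
```

Because the server keeps only ``(salt, v)``, a copied database yields g^x rather than anything a client can present directly, which is the property the README is after; the ``A % N == 0`` and ``B % N == 0`` refusals are the standard SRP checks that keep a malformed public value from collapsing the shared secret.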