Metadata-Version: 1.1
Name: django-secure-js-login
Version: 0.2.0
Summary: JavaScript Challenge-handshake authentication django app
Home-page: https://github.com/jedie/django-secure-js-login
Author: Jens Diemer
Author-email: UNKNOWN
License: UNKNOWN
Description: ======================
        django-secure-js-login
        ======================
        
        JavaScript Challenge-handshake authentication django app.
        
        +-----------------------------------+------------------------------------------------+
        | |Build Status on travis-ci.org|   | `travis-ci.org/jedie/django-secure-js-login`_  |
        +-----------------------------------+------------------------------------------------+
        | |Coverage Status on coveralls.io| | `coveralls.io/r/jedie/django-secure-js-login`_ |
        +-----------------------------------+------------------------------------------------+
        
        .. |Build Status on travis-ci.org| image:: https://travis-ci.org/jedie/django-secure-js-login.svg
        .. _travis-ci.org/jedie/django-secure-js-login: https://travis-ci.org/jedie/django-secure-js-login/
        .. |Coverage Status on coveralls.io| image:: https://coveralls.io/repos/jedie/django-secure-js-login/badge.svg
        .. _coveralls.io/r/jedie/django-secure-js-login: https://coveralls.io/r/jedie/django-secure-js-login
        
        First:
        The Secure-JS-Login is not a simple *"send username + PBKDF2-SHA(password)"*
        It is more a `Challenge-handshake authentication protocol <http://en.wikipedia.org/wiki/Challenge-handshake_authentication_protocol>`_!
        
        TODO:
        
        * fix "next_url" and all links in example project
        
        --------------
        The procedure:
        --------------
        
        Save a new user password:
        -------------------------
        
        client browser / JavaScript part:
        
        #. user inputs a password
        
        #. ``init_pbkdf2_salt = SHA1(random data)``
        
        #. ``pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)``
        
        #. Client sends **init_pbkdf2_salt** and **pbkdf2_hash** to the server
        
        Server part:
        
        #. Server splits **pbkdf2_hash** into: **first_pbkdf2_part** and **second_pbkdf2_part**
        
        #. ``encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)``
        
        #. Save only **encrypted_part** and the given **init_pbkdf2_salt** from the client
        
        Login - client browser / JavaScript part:
        -----------------------------------------
        
        #. User requests login
        
        #. server sends the html login form with a random **server_challenge** value
        
        #. User enters his **username** and **password**
        
        #. Ajax request the **init_pbkdf2_salt** from the server for the given **username**
        
        #. generate the auth data:
        
            #. ``pbkdf2_temp_hash = pbkdf2("Plain Password", init_pbkdf2_salt)``
        
            #. split **pbkdf2_temp_hash** into **first_pbkdf2_part** and **second_pbkdf2_part**
        
            #. ``cnonce = SHA1(random data)``
        
            #. ``pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)``
        
        #. send **pbkdf2_hash**, **second_pbkdf2_part** and **cnonce** to the server
        
        validation on the server
        ------------------------
        
        #. client POST data: **pbkdf2_hash**, **second_pbkdf2_part** and **cnonce**
        
        #. get transmitted **server_challenge** value from session
        
        #. get **encrypted_part** and **init_pbkdf2_salt** from the database via the given **username**
        
        #. ``first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)``
        
        #. ``test_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)``
        
        #. compare **test_hash** with transmitted **pbkdf2_hash**
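        The three procedures above (saving a password, the client-side login step and the server-side validation) as one runnable example. This is added illustration code, not the app's own implementation: the iteration count, derived-key length and the hex-string XOR encoding are assumptions, and the ``client_*``/``server_*`` function names are hypothetical. Both the right and a wrong password are run through a full round trip so the check on the server can be seen to succeed and fail.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example: the app's real iteration count and
# derived-key length are not stated on the page.
ITERATIONS = 1000
DKLEN = 32          # 32 bytes -> 64 hex characters, so each half is 32 hex chars


def sha1_random() -> str:
    """``SHA1(random data)``: a hex nonce, used for the salt, cnonce and challenge."""
    return hashlib.sha1(os.urandom(32)).hexdigest()


def pbkdf2(password: str, salt: str) -> str:
    """PBKDF2-HMAC-SHA1 over the text inputs, returned as a hex string."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode(), salt.encode(), ITERATIONS, DKLEN
    ).hex()


def split_hash(h: str) -> tuple:
    """Split a hex digest into first_pbkdf2_part and second_pbkdf2_part."""
    half = len(h) // 2
    return h[:half], h[half:]


def xor_encrypt(data: str, key: str) -> str:
    """XOR the two equal-length hex halves byte-by-byte; result is hex encoded."""
    if len(data) != len(key):
        raise ValueError("xor parts must have equal length")
    return bytes(a ^ b for a, b in zip(data.encode(), key.encode())).hex()


def xor_decrypt(encrypted: str, key: str) -> str:
    raw = bytes.fromhex(encrypted)
    # latin-1 never fails to decode, so a wrong key yields garbage, not an exception
    return bytes(a ^ b for a, b in zip(raw, key.encode())).decode("latin-1")


# --- "Save a new user password" ---

def client_register(password: str) -> dict:
    init_pbkdf2_salt = sha1_random()
    return {"init_pbkdf2_salt": init_pbkdf2_salt,
            "pbkdf2_hash": pbkdf2(password, init_pbkdf2_salt)}


def server_store(init_pbkdf2_salt: str, pbkdf2_hash: str) -> dict:
    """What the database keeps: only encrypted_part and the salt, never pbkdf2_hash."""
    first, second = split_hash(pbkdf2_hash)
    return {"init_pbkdf2_salt": init_pbkdf2_salt,
            "encrypted_part": xor_encrypt(first, key=second)}


# --- "Login - client browser / JavaScript part" ---

def client_login(password: str, init_pbkdf2_salt: str, server_challenge: str) -> dict:
    pbkdf2_temp_hash = pbkdf2(password, init_pbkdf2_salt)
    first, second = split_hash(pbkdf2_temp_hash)
    cnonce = sha1_random()
    return {"pbkdf2_hash": pbkdf2(first, salt=cnonce + server_challenge),
            "second_pbkdf2_part": second,
            "cnonce": cnonce}


# --- "validation on the server" ---

def server_validate(record: dict, server_challenge: str, post: dict) -> bool:
    first = xor_decrypt(record["encrypted_part"], key=post["second_pbkdf2_part"])
    test_hash = pbkdf2(first, salt=post["cnonce"] + server_challenge)
    # constant-time compare so the comparison itself leaks nothing about test_hash
    return hmac.compare_digest(test_hash, post["pbkdf2_hash"])


def run_login(record: dict, password: str, server_challenge: str) -> bool:
    """One complete login round trip against a stored record."""
    post = client_login(password, record["init_pbkdf2_salt"], server_challenge)
    return server_validate(record, server_challenge, post)


if __name__ == "__main__":
    reg = client_register("correct horse battery staple")
    record = server_store(reg["init_pbkdf2_salt"], reg["pbkdf2_hash"])
    challenge = sha1_random()
    print("stored on server:", record)
    print("right password:", run_login(record, "correct horse battery staple", challenge))
    print("wrong password:", run_login(record, "wrong", challenge))
```

Note that the server record never contains ``pbkdf2_hash`` itself, and that a captured POST cannot be replayed against a fresh ``server_challenge`` because the challenge is part of the salt of the final PBKDF2 call.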
        
        secure?
        =======
        
        Secure-JS-Login is not really secure in comparison to https! e.g. the client cannot verify whether it is really communicating with the server or with a `Man-in-the-middle attack <https://en.wikipedia.org/wiki/Man-in-the-middle_attack>`_.
        
        However, the procedure used is safer than plain-text authentication. In addition, no plain-text passwords are stored on the server, and the data stored on the server cannot be used on its own to log in.
        
        If you have `https <http://en.wikipedia.org/wiki/HTTPS>`_, you can combine it with Secure-JS-Login, similar to combining digest auth with https.
        
        More information: `Warum Secure-JS-Login Sinn macht... <http://www.pylucid.org/permalink/35/warum-js-sha-login-sinn-macht>`_ (german only, sorry)
        
        why?
        ====
        
        Many, if not all, CMS/wiki/forum systems use an insecure login: user name and password are sent in **plaintext** over the Internet. The only reliable solution is `https`_.
        
        The problem: no provider offers a secured HTTP connection for little money :(
        
        alternative solutions
        =====================
        
        * `Digest access authentication <http://en.wikipedia.org/wiki/Digest_access_authentication>`_ (a Django implementation exists: `django-digest <http://bitbucket.org/akoha/django-digest/wiki/Home>`_):
        
            * pro
        
                * Browsers implement it, so no additional JavaScript is needed
        
            * cons
        
                * The password hash must be saved on the server without any salt, and the hash itself can be used for login, because: ``hash = MD5(username:realm:password)``
        
                * uses the old MD5 hash
        
        ------
        tryout
        ------
        
        e.g.:
        
        ::
        
            ~ $ virtualenv secure-js-login-env
            ~ $ cd secure-js-login-env
            ~/secure-js-login-env $ source bin/activate
        
        install secure-js-login as "editable" to have access to the example project server and unittests:
        
        ::
        
            (secure-js-login-env)~/secure-js-login-env $ pip install -e git+git://github.com/jedie/django-secure-js-login.git#egg=django-secure-js-login
        
        run example project server:
        
        ::
        
            (secure-js-login-env)~/secure-js-login-env $ cd src/django-secure-js-login/
            (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./run_example_server.sh
        
        run unittests:
        
        ::
        
            (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py
        
        to run the Live-Server-Tests, install `selenium <https://pypi.python.org/pypi/selenium>`_ e.g.:
        
        ::
        
            (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ pip install selenium
            (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py
        
        ---------------------
        Version compatibility
        ---------------------
        
        +-----------------+------------+------------+
        | secure-js-login | Django     | Python     |
        +=================+============+============+
        | >=v0.1.0        | v1.7, v1.8 | v2.7, v3.4 |
        +-----------------+------------+------------+
        
        (These are the unittests variants. Maybe other versions are compatible, too.)
        
        ---------
        changelog
        ---------
        
        * v0.2.0 - 10.05.2015:
        
            * increase default PBKDF2 iteration count after a test on a Raspberry Pi 1
        
            * more unittests
        
            * Honeypot login raises "normal" form errors
        
            * code cleanup
        
            * Documentation update
        
        * v0.1.0 - 06.05.2015:
        
            * initial release as reusable app
        
            * Use PBKDF2
        
        * 03.05.2015:
        
            * Split from `PyLucid CMS 'auth' plugin <https://github.com/jedie/PyLucid/tree/7ee6f8312e7ade65ff3604eb9eab810c26c43ccb/pylucid_project/pylucid_plugins/auth>`_
        
        * 03.2010:
        
            * `Use ajax request via jQuery <http://www.python-forum.de/viewtopic.php?p=163746#p163746>`_ (de)
        
        * 11.07.2007:
        
            * `New SHA challenge response procedure <http://www.python-forum.de/viewtopic.php?p=72926#p72926>`_ (de)
        
        * 01.06.2005:
        
            * `first implementation of a MD5 login in PyLucid <http://www.python-forum.de/viewtopic.php?f=5&t=3345>`_ (de)
        
        ----------
        info links
        ----------
        
        * Python-Forum Threads (de):
        
            * `Digest auth als Alternative? <http://www.python-forum.de/viewtopic.php?f=7&t=22163>`_ (03.2010)
        
            * `Sinn oder Unsinn des PyLucids Secure-JS-Login... <http://www.python-forum.de/viewtopic.php?f=3&t=8180>`_ (12.2006)
        
            * `Wie Session-Hijacking verhindern? <http://www.python-forum.de/topic-8182.html>`_ (12.2006)
        
        * `Diskussion auf de.comp.lang.python <https://groups.google.com/forum/#!topic/de.comp.lang.python/jAbfc26Bg_k>`_ (08.2006)
        
        -------------
        project links
        -------------
        
        +-----------------+--------------------------------------------------------+
        | Github          | `http://github.com/jedie/django-secure-js-login`_      |
        +-----------------+--------------------------------------------------------+
        | Python Packages | `http://pypi.python.org/pypi/django-secure-js-login/`_ |
        +-----------------+--------------------------------------------------------+
        | Travis CI       | `https://travis-ci.org/jedie/django-secure-js-login/`_ |
        +-----------------+--------------------------------------------------------+
        
        .. _http://github.com/jedie/django-secure-js-login: http://github.com/jedie/django-secure-js-login
        .. _http://pypi.python.org/pypi/django-secure-js-login/: http://pypi.python.org/pypi/django-secure-js-login/
        .. _https://travis-ci.org/jedie/django-secure-js-login/: https://travis-ci.org/jedie/django-secure-js-login/
        
        -------------------------------
        Used JavaScript Implementations
        -------------------------------
        
        * SHA1 - JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1
        
            * `http://pajhome.org.uk/crypt/md5/sha1.html <http://pajhome.org.uk/crypt/md5/sha1.html>`_
        
            * Implemented by Paul Johnston
        
            * Distributed under the BSD License
        
            * Stored under: `secure_js_login/static/secure_js_login/sha.js <https://github.com/jedie/django-secure-js-login/blob/master/secure_js_login/static/secure_js_login/sha.js>`_
        
        * PBKDF2 - JavaScript implementation of Password-Based Key Derivation Function 2 as defined in RFC 2898
        
            * `http://anandam.name/pbkdf2/ <http://anandam.name/pbkdf2/>`_
        
            * Implemented by Parvez Anandam
        
            * Distributed under the BSD license
        
            * Stored under: `secure_js_login/static/secure_js_login/pbkdf2.js <https://github.com/jedie/django-secure-js-login/blob/master/secure_js_login/static/secure_js_login/pbkdf2.js>`_
        
        -------
        contact
        -------
        
        Come into the conversation, besides the github communication features:
        
        +---------+--------------------------------------------------------+
        | IRC     | #pylucid on freenode.net (Yes, the PyLucid channel...) |
        +---------+--------------------------------------------------------+
        | webchat | `https://webchat.freenode.net/?channels=pylucid`_      |
        +---------+--------------------------------------------------------+
        
        .. _https://webchat.freenode.net/?channels=pylucid: https://webchat.freenode.net/?channels=pylucid
Platform: UNKNOWN
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU General Public License (GPL)
Classifier: Programming Language :: Python
Classifier: Programming Language :: JavaScript
Classifier: Framework :: Django
Classifier: Topic :: Database :: Front-Ends
Classifier: Topic :: Documentation
Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
Classifier: Topic :: Internet :: WWW/HTTP :: Site Management
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
Classifier: Operating System :: OS Independent
