Project

General

Profile

Actions

Feature #20382

closed

Implement RSA authentication for BE and FE

Added by Dmitry Dulepov over 15 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2009-04-30
Due date:
% Done:

0%

Estimated time:
PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

Problem: currently Backend and Frontend login procedures are not secure enough. The Backend sends a md5-hashed password and the Frontend sends a plain text password. Both ways allows to capture and reuse password by an attacker.

Solution: RSA authentication uses private/public key method to encode the password using public key on the client side (browser) and decode the password on the server using private key. The proposed patch adds this authentication method to TYPO3 through a specially developed authentication service. The service will create a pair of keys for each login attempt. Thus brute forcing does not make sense. Private key is stored in two places (separated in two parts), which makes it hard for the attacker to get the key. Also keys expires in 30 minutes, so the login is not possible using old keys. The service requires either openssl PHP extension, or the openssl binary. It does not "hack" TYPO3 in any way, it uses fully official way to integrate into the TYPO3 authentication chain.

Notes:
- the core had "superchallenged" method hard–coded. The first patch removes this code and places it to the "sv" extension, where it logically belongs
- the first patch makes it possible to implement any additional login method (for example, using certificates)
- the first patch also patches "felogin" to use RSA authentication automatically if enabled in the Install tool
- ajax login box does not work with RSA. I will re–factor it later, before the release of 4.3. It will use the same hooks thus making any authentication method possible
- to test the authentication you must do the following in sequence:
- apply the first patch to the core
- apply the second patch to add the "rsaauth" extension –OR– instal the extension using a supplied T3X file
- go to the Install tool and set [BE][loginSecurityLevel] to "rsa" (without quotes). This must be the very last step you do!
- the code was mostly reviewed by Ingmar (v4) and Andi (v5, security stuff). Only the core patch was changed after the review
- if you want to try FE authentication with RSA, set [FE][loginSecurityLevel] to "rsa"
- !!!***!!! if you want to stop using RSA authentication, the very first step must be removing "rsa" from the "loginSecurityLevel"! If you forget it and uninstall the extension before touching the Install tool, you will not be able to login to BE/FE anymore until you fix the Install tool settings!

(issue imported from #M11016)


Files

01_rsa_core.diff (21.7 KB) 01_rsa_core.diff Administrator Admin, 2009-04-30 17:30
02_rsaauth_sysext.diff (113 KB) 02_rsaauth_sysext.diff Administrator Admin, 2009-04-30 17:31
T3X_rsaauth-0_0_0-z-200904301832.t3x (84.5 KB) T3X_rsaauth-0_0_0-z-200904301832.t3x Administrator Admin, 2009-04-30 17:33

Related issues 4 (0 open4 closed)

Related to TYPO3 Core - Bug #21250: Cannot login after upgrade to TYPO3 4.3 due to missing authentication methodClosed2009-10-12

Actions
Related to TYPO3 Core - Bug #17987: Integration of fe_users password encryptionClosedChris topher2008-01-13

Actions
Related to TYPO3 Core - Feature #30271: Refactor login services to separate password transmission and password compareClosedHelmut Hummel2011-09-25

Actions
Related to TYPO3 Core - Bug #33759: AJAX login doesn't work with RSAauth and Salted passClosed2012-02-08

Actions
Actions

Also available in: Atom PDF