« Back Issue #233
  • 2014-04-13 01:15 Reported by akash3664
  • 2014-05-27 08:57 Marked fixed
Status: Marked fixed
Priority: Low

Zero knowledge password authentication system

akash3664 2014-04-13 01:15

I have yet to implement different public key for each user and few small things but i have uploaded the patch so we can start our patch iteration. I am learning about AJAX call.

akash3664 2014-05-15 02:49

Hello Dr.Pollett,

I have created new patch.

Regards, Akash

administrator 2014-05-16 23:24

After applying your patch, I got the following error when I try to sign into Yioop:

NOTICE: Undefined index: x1 in AdminController->checkSignin, line 226 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php

 called from AdminController->processRequest, line 131 in /Applications/MAMP/htdocs/git/yioop/index.php 

NOTICE: Undefined index: y1 in AdminController->checkSignin, line 227 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php

 called from AdminController->processRequest, line 131 in /Applications/MAMP/htdocs/git/yioop/index.php 

NOTICE: Undefined index: SALT_VALUE in AdminController->checkSignin, line 228 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php

 called from AdminController->processRequest, line 131 in /Applications/MAMP/htdocs/git/yioop/index.php 

Fatal error: Call to a member function execute() on a non-object in /Applications/MAMP/htdocs/git/yioop/models/datasources/pdo_manager.php on line 110

akash3664 2014-05-16 23:42

Strange. Let me check once again.

akash3664 2014-05-17 00:25

Hello Dr.Pollett,

From the error it seems that admin contorller is calling checkValidSigninForZKP method insted of checkValidSignin. The possible reason for error is:

1. profile.php file in user's work directory is having some problem. It should have line: define('AUTHENTICATION_MODE', "1");. If it is not there can you please add this line and check that do you still having same error?

After applying patch, I have created new work directory and run createDB.php and I did not get any error. My strong suspicion is that something is wrong with profile.php

Regards, Akash

administrator 2014-05-19 17:55

Hey Akash,

I am sorta worried about your code. It looks like it reloads the signin page multiple times. You should instead do the entire handshake process (all rounds) via a sequence of AJAX request, never reloading the whole page. You can use JSON data rather than XML if you prefer. I am concerned about the security of your current set up as well as the cookie data is of course coming from the server. I am backing out stuff for now.

Best, Chris

akash3664 2014-05-21 04:54

Hello Dr.Pollett,

I have created new patch which has AJAX calls.

1. While creating patch, there were so many changes in locale/en-US/configure.ini so I have removed my changes in that file so you need to add below lines in that file:

;

system_component.php line
615

serversettings_element_normal_authentication = "Normal Authentication" ;

system_component.php line
617

serversettings_element_zkp_authentication = "ZKP Authentication"

2. After applying patch, please remove the previous cookies and catch data and run createDB.php

3. Also in order to test the code after applying patch you might need to add below line in your profile.php of work directory define('AUTHENTICATION_MODE', "1");

Kindly let me know in case of any concerns.

Regards, Akash

administrator 2014-05-21 12:06

Hey Akash,

In checkValidSigninForZKP you have the value n hardcoded. How did you compute this n? Since you know p and q and nobody else does. Why would anyone what to use this? It would be much better if this number varies from yioop instance to yioop instance. Maybe generate p and q based off of AUTH_KEY and use this for n

Chris

akash3664 2014-05-21 12:43

Hello Dr.Pollett,

One concerns is that the key N should be greater than sha1 of the user password. can we use fixed set of large prime numbers and randomly selects two of those prime numbers and derive N for each login instance?

Regards, Akash

administrator 2014-05-23 20:52

I am going through your code trying to avoid backing it out again. In zkp.js in the function getR() what is the magic number 21474?

akash3664 2014-05-23 21:05

nothing special..I will change the number. I just need to generate the random number

akash3664 2014-05-23 21:23

Hello Dr.Pollett,

May be we can use ((Math.random() * 1e6) | 0) this to generate the random number. Also I found one additional semicolon after r = r.toString();; So I will remove that also.

-Akash

administrator 2014-05-23 21:48

The r value in Fiat Shamir needs to be chosen uniformly at random from Z_n^*. Both your choices will in general be from too small a subspace. I am also pretty sure we should not use Math.random(), but instead a better random number generator.

What was the basis of your big int code? The formatting is different from all your other code and the coding in BigInt divide is largely unreadable.

akash3664 2014-05-23 23:36

Hello Dr.Pollett,

Yes we can write proper random generator to generate large random number. I will think on that.

Source of the BigInt code is Leemon Baird big integer library and also bit understanding of jsbn big number library. I will rewrite the division method and make it modular is so it can be more understandable.

Are you available any time tomorrow to have small talk on phone? I have some doubt regarding random number generator and sorry that I would not be able to come to meet you in person.

Regards, Akash

administrator 2014-05-24 01:50

Akash,

I have now completely gone through your code and made modifications. I have push your code to the repository now. Congratulations! What's left is for you to write me a patch where r is correctly generated. Also, you should clean up the big number code.

Best, Chris

akash3664 2014-05-24 04:07

Hello Dr.Pollett,

Thanks you. I will try to complete it in this week.

Regards, Akash

administrator 2014-05-27 08:57

Fixed by 9546082

akash3664 2014-05-27 08:57
X