I have yet to implement different public key for each user and few small things but i have uploaded the patch so we can start our patch iteration. I am learning about AJAX call.
akash36642014-05-15 02:49
Hello Dr.Pollett,
I have created new patch.
Regards,
Akash
administrator2014-05-16 23:24
After applying your patch, I got the following error when I try to sign into Yioop:
NOTICE: Undefined index: x1 in AdminController->checkSignin, line 226 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php
called from AdminController->processRequest, line 131 in /Applications/MAMP/htdocs/git/yioop/index.php
NOTICE: Undefined index: y1 in AdminController->checkSignin, line 227 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php
called from AdminController->processRequest, line 131 in /Applications/MAMP/htdocs/git/yioop/index.php
NOTICE: Undefined index: SALT_VALUE in AdminController->checkSignin, line 228 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php
called from AdminController->processRequest, line 131 in /Applications/MAMP/htdocs/git/yioop/index.php
Fatal error: Call to a member function execute() on a non-object in /Applications/MAMP/htdocs/git/yioop/models/datasources/pdo_manager.php on line 110
akash36642014-05-16 23:42
Strange. Let me check once again.
akash36642014-05-17 00:25
Hello Dr.Pollett,
From the error it seems that admin contorller is calling checkValidSigninForZKP method insted of checkValidSignin. The possible reason for error is:
1. profile.php file in user's work directory is having some problem. It should have line: define('AUTHENTICATION_MODE', "1");. If it is not there can you please add this line and check that do you still having same error?
After applying patch, I have created new work directory and run createDB.php and I did not get any error. My strong suspicion is that something is wrong with profile.php
Regards,
Akash
administrator2014-05-19 17:55
Hey Akash,
I am sorta worried about your code. It looks like it reloads the signin page multiple times. You should instead do the entire handshake process (all rounds) via a sequence of AJAX request, never reloading the whole page.
You can use JSON data rather than XML if you prefer. I am concerned about the security of your current set up as well as the cookie data is of course coming from the server. I am backing out stuff for now.
Best,
Chris
akash36642014-05-21 04:54
Hello Dr.Pollett,
I have created new patch which has AJAX calls.
1. While creating patch, there were so many changes in locale/en-US/configure.ini so I have removed my changes in that file so you need to add below lines in that file:
2. After applying patch, please remove the previous cookies and catch data and run createDB.php
3. Also in order to test the code after applying patch you might need to add below line in your profile.php of work directory
define('AUTHENTICATION_MODE', "1");
Kindly let me know in case of any concerns.
Regards,
Akash
administrator2014-05-21 12:06
Hey Akash,
In checkValidSigninForZKP you have the value n hardcoded. How did you compute
this n? Since you know p and q and nobody else does. Why would anyone what to use this? It would be much better if this
number varies from yioop instance to yioop instance. Maybe generate p and q based off of AUTH_KEY and use this for n
Chris
akash36642014-05-21 12:43
Hello Dr.Pollett,
One concerns is that the key N should be greater than sha1 of the user password. can we use fixed set of large prime numbers and randomly selects two of those prime numbers and derive N for each login instance?
Regards,
Akash
administrator2014-05-23 20:52
I am going through your code trying to avoid backing it out again.
In zkp.js in the function getR() what is the magic number 21474?
akash36642014-05-23 21:05
nothing special..I will change the number. I just need to generate the random number
akash36642014-05-23 21:23
Hello Dr.Pollett,
May be we can use ((Math.random() * 1e6) | 0) this to generate the random number. Also I found one additional semicolon after r = r.toString();; So I will remove that also.
-Akash
administrator2014-05-23 21:48
The r value in Fiat Shamir needs to be chosen uniformly at random from Z_n^*. Both your choices will in general be from too small a subspace. I am also pretty sure we should not use Math.random(), but instead a better random number generator.
What was the basis of your big int code? The formatting is different from all your other code and the coding in BigInt divide is largely unreadable.
akash36642014-05-23 23:36
Hello Dr.Pollett,
Yes we can write proper random generator to generate large random number. I will think on that.
Source of the BigInt code is Leemon Baird big integer library and also bit understanding of jsbn big number library. I will rewrite the division method and make it modular is so it can be more understandable.
Are you available any time tomorrow to have small talk on phone? I have some doubt regarding random number generator and sorry that I would not be able to come to meet you in person.
Regards,
Akash
administrator2014-05-24 01:50
Akash,
I have now completely gone through your code and made modifications. I have push your code to the repository now. Congratulations! What's left is for you to write me a patch where r is correctly generated. Also, you should clean up the big number code.
Best,
Chris
akash36642014-05-24 04:07
Hello Dr.Pollett,
Thanks you. I will try to complete it in this week.
I have yet to implement different public key for each user and few small things but i have uploaded the patch so we can start our patch iteration. I am learning about AJAX call.
Hello Dr.Pollett,
I have created new patch.
Regards, Akash
After applying your patch, I got the following error when I try to sign into Yioop:
NOTICE: Undefined index: x1 in AdminController->checkSignin, line 226 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php
NOTICE: Undefined index: y1 in AdminController->checkSignin, line 227 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php
NOTICE: Undefined index: SALT_VALUE in AdminController->checkSignin, line 228 in /Applications/MAMP/htdocs/git/yioop/controllers/admin_controller.php
Fatal error: Call to a member function execute() on a non-object in /Applications/MAMP/htdocs/git/yioop/models/datasources/pdo_manager.php on line 110
Strange. Let me check once again.
Hello Dr.Pollett,
From the error it seems that admin contorller is calling checkValidSigninForZKP method insted of checkValidSignin. The possible reason for error is:
1. profile.php file in user's work directory is having some problem. It should have line: define('AUTHENTICATION_MODE', "1");. If it is not there can you please add this line and check that do you still having same error?
After applying patch, I have created new work directory and run createDB.php and I did not get any error. My strong suspicion is that something is wrong with profile.php
Regards, Akash
Hey Akash,
I am sorta worried about your code. It looks like it reloads the signin page multiple times. You should instead do the entire handshake process (all rounds) via a sequence of AJAX request, never reloading the whole page. You can use JSON data rather than XML if you prefer. I am concerned about the security of your current set up as well as the cookie data is of course coming from the server. I am backing out stuff for now.
Best, Chris
Hello Dr.Pollett,
I have created new patch which has AJAX calls.
1. While creating patch, there were so many changes in locale/en-US/configure.ini so I have removed my changes in that file so you need to add below lines in that file:
;
serversettings_element_normal_authentication = "Normal Authentication" ;
serversettings_element_zkp_authentication = "ZKP Authentication"
2. After applying patch, please remove the previous cookies and catch data and run createDB.php
3. Also in order to test the code after applying patch you might need to add below line in your profile.php of work directory define('AUTHENTICATION_MODE', "1");
Kindly let me know in case of any concerns.
Regards, Akash
Hey Akash,
In checkValidSigninForZKP you have the value n hardcoded. How did you compute this n? Since you know p and q and nobody else does. Why would anyone what to use this? It would be much better if this number varies from yioop instance to yioop instance. Maybe generate p and q based off of AUTH_KEY and use this for n
Chris
Hello Dr.Pollett,
One concerns is that the key N should be greater than sha1 of the user password. can we use fixed set of large prime numbers and randomly selects two of those prime numbers and derive N for each login instance?
Regards, Akash
I am going through your code trying to avoid backing it out again. In zkp.js in the function getR() what is the magic number 21474?
nothing special..I will change the number. I just need to generate the random number
Hello Dr.Pollett,
May be we can use ((Math.random() * 1e6) | 0) this to generate the random number. Also I found one additional semicolon after r = r.toString();; So I will remove that also.
-Akash
The r value in Fiat Shamir needs to be chosen uniformly at random from Z_n^*. Both your choices will in general be from too small a subspace. I am also pretty sure we should not use Math.random(), but instead a better random number generator.
What was the basis of your big int code? The formatting is different from all your other code and the coding in BigInt divide is largely unreadable.
Hello Dr.Pollett,
Yes we can write proper random generator to generate large random number. I will think on that.
Source of the BigInt code is Leemon Baird big integer library and also bit understanding of jsbn big number library. I will rewrite the division method and make it modular is so it can be more understandable.
Are you available any time tomorrow to have small talk on phone? I have some doubt regarding random number generator and sorry that I would not be able to come to meet you in person.
Regards, Akash
Akash,
I have now completely gone through your code and made modifications. I have push your code to the repository now. Congratulations! What's left is for you to write me a patch where r is correctly generated. Also, you should clean up the big number code.
Best, Chris
Hello Dr.Pollett,
Thanks you. I will try to complete it in this week.
Regards, Akash
Fixed by 9546082
Attachments:
my.patch
my2.patch
my3.patch
my4.patch
my5.patch
my6.patch