{ "info": { "author": "Jens Diemer", "author_email": "UNKNOWN", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Web Environment", "Framework :: Django", "Intended Audience :: Developers", "License :: OSI Approved :: GNU General Public License (GPL)", "Operating System :: OS Independent", "Programming Language :: JavaScript", "Programming Language :: Python", "Topic :: Database :: Front-Ends", "Topic :: Documentation", "Topic :: Internet :: WWW/HTTP :: Dynamic Content", "Topic :: Internet :: WWW/HTTP :: Site Management", "Topic :: Internet :: WWW/HTTP :: WSGI :: Application" ], "description": "======================\ndjango-secure-js-login\n======================\n\nJavaScript Challenge-handshake authentication django app.\n\n+-----------------------------------+------------------------------------------------+\n| |Build Status on travis-ci.org| | `travis-ci.org/jedie/django-secure-js-login`_ |\n+-----------------------------------+------------------------------------------------+\n| |Coverage Status on coveralls.io| | `coveralls.io/r/jedie/django-secure-js-login`_ |\n+-----------------------------------+------------------------------------------------+\n\n.. |Build Status on travis-ci.org| image:: https://travis-ci.org/jedie/django-secure-js-login.svg\n.. _travis-ci.org/jedie/django-secure-js-login: https://travis-ci.org/jedie/django-secure-js-login/\n.. |Coverage Status on coveralls.io| image:: https://coveralls.io/repos/jedie/django-secure-js-login/badge.svg\n.. _coveralls.io/r/jedie/django-secure-js-login: https://coveralls.io/r/jedie/django-secure-js-login\n\nFirst:\nThe Secure-JS-Login is not a simple *\"send username + PBKDF2-SHA(password)\"*\nIt is more a `Challenge-handshake authentication protocol `_!\n\nTODO:\n\n* fix \"next_url\" and all links in example project\n\n--------------\nThe procedure:\n--------------\n\nSave a new user password:\n-------------------------\n\nclient browser / JavaScript part::\n\n#. user input a password\n\n#. ``init_pbkdf2_salt = SHA1(random data)``\n\n#. ``pbkdf2_hash = pbkdf2(\"Plain Password\", salt=init_pbkdf2_salt)``\n\n#. Client send **init_pbkdf2_salt** and **pbkdf2_hash** to the server\n\nServer part:\n\n#. Server split **pbkdf2_hash** into: **first_pbkdf2_part** and **second_pbkdf2_part**\n\n#. ``encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)``\n\n#. Save only **encrypted_part** and given **init_pbkdf2_salt** from client\n\nLogin - client browser / JavaScript part:\n-----------------------------------------\n\n#. Use request login\n\n#. server send html login form with a random **server_challenge** value\n\n#. User enters his **username** and **password**\n\n#. Ajax Request the **init_pbkdf2_salt** from server with the given **username**\n\n#. generate the auth data:\n\n #. ``pbkdf2_temp_hash = pbkdf2(\"Plain Password\", init_pbkdf2_salt)``\n\n #. split **pbkdf2_temp_hash** into **first_pbkdf2_part** and **second_pbkdf2_part**\n\n #. ``cnonce = SHA1(random data)``\n\n #. ``pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)``\n\n#. send **pbkdf2_hash**, **second_pbkdf2_part** and **cnonce** to the server\n\nvalidation on the server\n------------------------\n\n#. client POST data: **pbkdf2_hash**, **second_pbkdf2_part** and **cnonce**\n\n#. get transmitted **server_challenge** value from session\n\n#. get **encrypted_part** and **salt** from database via given **username**\n\n#. ``first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)``\n\n#. ``test_hash = pbkdf2(first_pbkdf2_part, key=cnonce + server_challenge)``\n\n#. compare **test_hash** with transmitted **pbkdf2_hash**\n\nsecure?\n=======\n\nSecure-JS-Login is not really secure in comparison to https! e.g. the client can't validate if he really communicate with the server or with a `Man-in-the-middle attack `_.\n\nHowever the used procedure is safer than plain-text authentication. In addition, on the server no plain-text passwords are stored. With the data that are stored on the server, can not be used alone.\n\nIf you have `https `_, you can combine it with Secure-JS-Login, similar to combine a digest auth with https.\n\nMore information: `Warum Secure-JS-Login Sinn macht... `_ (german only, sorry)\n\nwhy?\n====\n\nMany, if not even all CMS/wiki/forum, used unsecure Login. User name and password send in **plaintext** over the Internet. A reliable solution offers only `https`_.\n\nThe Problem: No Provider offers secured HTTP connection for little money :(\n\nalternative solutions\n=====================\n\n* `Digest access authentication `_ (implementation in django exist: `django-digest `_):\n\n * pro\n\n * Browser implemented it, so no additional JavaScript needed\n\n * cons\n\n * Password hash must be saved on the server, without any salt! The hash can be used for login, because: ``hash = MD5(username:realm:password)``\n\n * used old MD5 hash\n\n------\ntryout\n------\n\ne.g.:\n\n::\n\n ~ $ virtualenv secure-js-login-env\n ~ $ cd secure-js-login-env\n ~/secure-js-login-env $ source bin/activate\n \n # install secure-js-login as \"editable\" to have access to example project server and unittests:\n \n (secure-js-login-env)~/secure-js-login-env $ pip install -e git+git://github.com/jedie/django-secure-js-login.git#egg=django-secure-js-login\n \n run example project server:\n {{{\n (secure-js-login-env)~/secure-js-login-env $ cd src/django-secure-js-login/\n (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./run_example_server.sh\n\nrun inittests:\n\n::\n\n (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py\n\nto run the Live-Server-Tests, install `selenium `_ e.g.:\n\n::\n\n (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ pip install selenium\n (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py\n\n---------------------\nVersion compatibility\n---------------------\n\n+-----------------+------------+------------+\n| secure-js-login | Django | Python |\n+=================+============+============+\n| >=v0.1.0 | v1.7, v1.8 | v2.7, v3.4 |\n+-----------------+------------+------------+\n\n(These are the unittests variants. Maybe other versions are compatible, too.)\n\n---------\nchangelog\n---------\n\n* v0.2.0 - 10.05.2015:\n\n * increase default PBKDF2 iteration after test on a Raspberry Pi 1\n\n * more unitests\n\n * Honypot login raise \"normal\" form errors\n\n * code cleanup\n\n * Docu update\n\n* v0.1.0 - 06.05.2015:\n\n * initial release as reuseable app\n\n * Use PBKDF2\n\n* 03.05.2015:\n\n * Split from `PyLucid CMS 'auth' plugin `_\n\n* 03.2010:\n\n * `Use ajax request via jQuery `_ (de)\n\n* 11.07.2007:\n\n * `New SHA challenge response procedure `_ (de)\n\n* 01.06.2005:\n\n * `first implementation of a MD5 login in PyLucid `_ (de)\n\n----------\ninfo links\n----------\n\n* Python-Forum Threads (de):\n\n * `Digest auth als Alternative? `_ (03.2010)\n\n * `Sinn oder Unsinn des PyLucids Secure-JS-Login... `_ (12.2006)\n\n * `Wie Session-Hijacking verhindern? `_ (12.2006)\n\n* `Diskussion auf de.comp.lang.python `_ (08.2006)\n\n-------------\nproject links\n-------------\n\n+-----------------+--------------------------------------------------------+\n| Github | `http://github.com/jedie/django-secure-js-login`_ |\n+-----------------+--------------------------------------------------------+\n| Python Packages | `http://pypi.python.org/pypi/django-secure-js-login/`_ |\n+-----------------+--------------------------------------------------------+\n| Travis CI | `https://travis-ci.org/jedie/django-secure-js-login/`_ |\n+-----------------+--------------------------------------------------------+\n\n.. _http://github.com/jedie/django-secure-js-login: http://github.com/jedie/django-secure-js-login\n.. _http://pypi.python.org/pypi/django-secure-js-login/: http://pypi.python.org/pypi/django-secure-js-login/\n.. _https://travis-ci.org/jedie/django-secure-js-login/: https://travis-ci.org/jedie/django-secure-js-login/\n\n-------------------------------\nUsed JavaScript Implementations\n-------------------------------\n\n* SHA1 - JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1\n\n * `http://pajhome.org.uk/crypt/md5/sha1.html `_\n\n * Implemented by Paul Johnston\n\n * Distributed under the BSD License\n\n * Stored under: `secure_js_login/static/secure_js_login/sha.js `_\n\n* PBKDF2 - JavaScript implementation of Password-Based Key Derivation Function 2 as defined in RFC 2898\n\n * `http://anandam.name/pbkdf2/ `_\n\n * Implemented by Parvez Anandam\n\n * Distributed under the BSD license\n\n * Stored under: `secure_js_login/static/secure_js_login/pbkdf2.js `_\n\n-------\ncontact\n-------\n\nCome into the conversation, besides the github communication features:\n\n+---------+--------------------------------------------------------+\n| IRC | #pylucid on freenode.net (Yes, the PyLucid channel...) |\n+---------+--------------------------------------------------------+\n| webchat | `https://webchat.freenode.net/?channels=pylucid`_ |\n+---------+--------------------------------------------------------+\n\n.. _https://webchat.freenode.net/?channels=pylucid: https://webchat.freenode.net/?channels=pylucid", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/jedie/django-secure-js-login", "keywords": null, "license": "UNKNOWN", "maintainer": null, "maintainer_email": null, "name": "django-secure-js-login", "package_url": "https://pypi.org/project/django-secure-js-login/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/django-secure-js-login/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://github.com/jedie/django-secure-js-login" }, "release_url": "https://pypi.org/project/django-secure-js-login/0.2.0/", "requires_dist": null, "requires_python": null, "summary": "JavaScript Challenge-handshake authentication django app", "version": "0.2.0" }, "last_serial": 1650544, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "cb727b8af834fed65c8c3f0a1d2c7789", "sha256": "99ddcb8644aeb95485e90637a2e8e416cd858bd63bbb8596ddd83c705f3c8e7d" }, "downloads": -1, "filename": "django_secure_js_login-0.1.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "cb727b8af834fed65c8c3f0a1d2c7789", "packagetype": "bdist_wheel", "python_version": "3.4", "requires_python": null, "size": 67803, "upload_time": "2015-05-06T16:18:33", "url": "https://files.pythonhosted.org/packages/cf/ce/85a4a33f6d404f74dabae76fce04e334bdc61b3c953d823db47607520be2/django_secure_js_login-0.1.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "030fb7152ab70a33e3690fac423fad22", "sha256": "426cc49d29b9f070c59b99cd587bc3ec15325972efc98eb8b1ac625cf37bd3db" }, "downloads": -1, "filename": "django-secure-js-login-0.1.0.tar.gz", "has_sig": false, "md5_digest": "030fb7152ab70a33e3690fac423fad22", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 211197, "upload_time": "2015-05-06T16:18:29", "url": "https://files.pythonhosted.org/packages/51/d9/f9d73ce87e88d6aca5bfdc5a12ab20ddddb91439a97849f9dbc9db2de5e8/django-secure-js-login-0.1.0.tar.gz" } ], "0.2.0": [ { "comment_text": "", "digests": { "md5": "04d0d7cbb0c115ea10ca6168eab97e9d", "sha256": "09c44c80bc01edbd73346b7bee8b9780a20a0c9f80fa708f46903c785394f9cc" }, "downloads": -1, "filename": "django_secure_js_login-0.2.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "04d0d7cbb0c115ea10ca6168eab97e9d", "packagetype": "bdist_wheel", "python_version": "3.4", "requires_python": null, "size": 72583, "upload_time": "2015-05-09T23:42:21", "url": "https://files.pythonhosted.org/packages/71/34/e0ec3ec53c83a148cb71cf48da19dd711841b53e09d9139a99ee33542261/django_secure_js_login-0.2.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "00d441c179d68f41616c1491ce812adc", "sha256": "689cf5343b824f63c1e78b61283c578cbcedce6e0b7e3e4477146ff719878634" }, "downloads": -1, "filename": "django-secure-js-login-0.2.0.tar.gz", "has_sig": false, "md5_digest": "00d441c179d68f41616c1491ce812adc", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 43177, "upload_time": "2015-05-09T23:42:17", "url": "https://files.pythonhosted.org/packages/d6/c6/1289f2cd02645c70155152b86126d36cff05b1311e54579d9c97354e623d/django-secure-js-login-0.2.0.tar.gz" } ], "0.3a0": [ { "comment_text": "", "digests": { "md5": "a4dc13bbb53f6a072bdb8899a1474ef5", "sha256": "51972b5374cfb57c8b3ccda690974fbac09b786f4007608cdc8932aee2d6d36a" }, "downloads": -1, "filename": "django_secure_js_login-0.3a0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "a4dc13bbb53f6a072bdb8899a1474ef5", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 92787, "upload_time": "2015-07-26T20:29:57", "url": "https://files.pythonhosted.org/packages/62/3d/99c8881ece31b3099d7b61d040264e8b29f1800053fe4afcf573b489d5d8/django_secure_js_login-0.3a0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "cecedfedd7f80bd7b79016c307e80d0a", "sha256": "e55c90f4cf8a1f57b56e4bb3e391f05a8a06aa41ad4013addbfebbfd7edcf0e7" }, "downloads": -1, "filename": "django_secure_js_login-0.3a0-py3.4.egg", "has_sig": false, "md5_digest": "cecedfedd7f80bd7b79016c307e80d0a", "packagetype": "bdist_egg", "python_version": "3.4", "requires_python": null, "size": 71942, "upload_time": "2015-07-26T20:30:03", "url": "https://files.pythonhosted.org/packages/c0/9f/71eda2c2eed52f9388ae1f9c48b6c31067731e752a9b110f0db6eefabd9c/django_secure_js_login-0.3a0-py3.4.egg" }, { "comment_text": "", "digests": { "md5": "0414c4ab47407cd6634994a6ba7733f4", "sha256": "f8cc42d8c8e273772fe8365cc33b546f8eea796a2d2fb0aa756f623c5e8399d9" }, "downloads": -1, "filename": "django-secure-js-login-0.3a0.tar.gz", "has_sig": false, "md5_digest": "0414c4ab47407cd6634994a6ba7733f4", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 60271, "upload_time": "2015-07-26T20:30:08", "url": "https://files.pythonhosted.org/packages/26/23/9d1d41238166246e8e34ea7620588909f815ba08978a70122ecf22439b1b/django-secure-js-login-0.3a0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "04d0d7cbb0c115ea10ca6168eab97e9d", "sha256": "09c44c80bc01edbd73346b7bee8b9780a20a0c9f80fa708f46903c785394f9cc" }, "downloads": -1, "filename": "django_secure_js_login-0.2.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "04d0d7cbb0c115ea10ca6168eab97e9d", "packagetype": "bdist_wheel", "python_version": "3.4", "requires_python": null, "size": 72583, "upload_time": "2015-05-09T23:42:21", "url": "https://files.pythonhosted.org/packages/71/34/e0ec3ec53c83a148cb71cf48da19dd711841b53e09d9139a99ee33542261/django_secure_js_login-0.2.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "00d441c179d68f41616c1491ce812adc", "sha256": "689cf5343b824f63c1e78b61283c578cbcedce6e0b7e3e4477146ff719878634" }, "downloads": -1, "filename": "django-secure-js-login-0.2.0.tar.gz", "has_sig": false, "md5_digest": "00d441c179d68f41616c1491ce812adc", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 43177, "upload_time": "2015-05-09T23:42:17", "url": "https://files.pythonhosted.org/packages/d6/c6/1289f2cd02645c70155152b86126d36cff05b1311e54579d9c97354e623d/django-secure-js-login-0.2.0.tar.gz" } ] }