Dear The Internet

Thu Jul 25, 2013

Dear The Internet,

I see you're having security problems, so I'm going to let you in on a technique for doing proper authentication. I've discussed it before, but I get the feeling you thought I was trafficking in trade secrets, and scrupulously decided not to hear too much. Let me be clear that this is public knowledge, and is meant for sharing.

Proper Authentication

To start with, your server should have a public/private keypair, and so should your users. When a user registers, ask them for their public key, and publish the server's public key in a few disparate places on the web. Then, when a user wants to log in

  1. the user specifies their account with an account name
  2. the server generates a piece of random state, encrypts it with the accounts' public key, signs it, and sends both the cyphertext and the signature to the client
  3. the client verifies the signature, decrypts the cyphertext message, signs the resulting cleartext and sends the signature back to the server
  4. the server verifies the signature against the state it sent out for that account

Assuming everything went well, the server can act on a successful authentication.

What just happened?

There! That's the secret! Now you'll never fuck it up again!

This is a way to prevent any further "Oh noez, our server got hacked!" garbage forever, because if a server using this auth method got hacked, all the hackers actually got is information that's already public, or can reasonably be.

The user doesn't have to do this manually. It's easy to imagine (though admittedly not easy to build) a series of plugins, one for each browser, that implement key generation, encryption and management for a user without them having to really understand what's inside the black box. Even a stupid, simplified, operationally insecure PK authentication system with full focus on ease-of-use would be better than using passwords on the server side.

Please please consider this, The Internet, I'm getting really worried about you.

Sincerely yours,


Creative Commons License

all articles at langnostic are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License

Reprint, rehost and distribute freely (even for profit), but attribute the work and allow your readers the same freedoms. Here's a license widget you can use.

The menu background image is Jewel Wash, taken from Dan Zen's flickr stream and released under a CC-BY license