Mailing List Archive

authentication algorithm
Is it possible to have authentication based on a simple algorithm ?

Here's the scenario,

We have some URLs which can ultimately point to,
a) some "old" info
b) some "new" info

The new info needs to be accessible only by the author of the info
(or www admin). Authors get emailed a "key" (password) to unlock the
protection.

We don't want to setup a database of passwords, we just need a simple
system whereby the author can be asked for a "name and password" and
an unpublished algorithm checks that the password matches the name.

If that's not clear, here's an example...
password = name + 1 (e.g. abcdef -> bcdefg)


Can it be done? If not, it might be worth finding a way
to get Apache to do it.


rob
--
http://nqcd.lanl.gov/~hartill/
Re: authentication algorithm
A generic way to do this would be to allow a routine/program
to be configured to handle authentication.

Pass it arguments of "name" and "password". If it returns 1 then authentication
was successful, 0 means it failed.
One could then have any authentication system imaginable, and even have
different systems for different regions of the server based on
config/.htaccess information.

This is my first trip into authentication territory, so be gentle if
any of this already exists etc :-)

rob
Re: authentication algorithm
> From: Rob Hartill <hartill@ooo.lanl.gov>
> Date: Mon, 10 Jul 95 14:59:36 MDT
>
> Is it possible to have authentication based on a simple algorithm ?
>
> In Shambhala, you can write a module which does it however you like.
> (DBM auth is a separate module, for instance, and the rest of the
> server knows nothing about it). However, I'm not sure what security
> the scheme outlined below would offer over simply setting up a group
> account with the standard mechanisms...

AFAIK, existing authentication requires a database of name/passwords.
We don't want to maintain such a database, no matter how simple it is.
We just need a password checker which uses a name->password algorithm.

> If that's not clear, here's an example...
> password = name + 1 (e.g. abcdef -> bcdefg)
>
> So, anyone who knows this rule can get in using any username?

The rule will not be publicised.
We're not trying to make a secure system here, just keep impatient
physicists from polling our site looking for any kind of early info about
papers from their rivals... Our URLs contain a number which increases
for each new paper, so people just keep adding 1 and hitting our server in
the hope that they can find a rival's paper half a day before it is
announced.

We want to be able to let authors test their submissions via the web
(and fix things accordingly) whilst locking out all the impatient spies.

Only the author will be told name/password to use. The algorithm we use
will be simple but "impossible" to crack... nobody will see enough examples
to find a pattern. If it gets cracked, we modify it. Anyone smart
enough to crack the algorithm won't need to spy on their rivals :-)

rob
Re: authentication algorithm
Also, the cgi-scripts we use will check that the username matches
the paper number - so knowing another name/password pair won't be a
loophole others could use.

rob
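The scheme the two posts above describe (a name-to-password rule with no password database, a 1/0 check in the style of the proposed auth module, and a second check that the username owns the paper number requested) as an added example that is not code from this thread or from Apache. It goes one step beyond the thread: rst's objection is that anyone who learns the rule can log in as anyone, so this version keeps the secret in a server-side key (an HMAC over the name) rather than in the rule itself; the key, the author names and the paper table are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side key for this example. The rule (HMAC) can be public;
# only the key must stay private, and it can be rotated without a database.
SECRET_KEY = b"example-key-do-not-reuse"

# Constructed authorship table (name -> paper numbers the author may view).
AUTHOR_PAPERS = {"hartill": {"1041"}, "smith": {"1042", "1043"}}


def shift_password(name: str) -> str:
    """The thread's illustrative rule, password = name + 1 (abcdef -> bcdefg).
    Anyone who knows the rule can compute every user's password from the name."""
    return "".join(chr(ord(c) + 1) for c in name)


def derive_password(name: str, key: bytes = SECRET_KEY) -> str:
    """Per-author password: keyed HMAC-SHA256 of the name, truncated to 16 hex
    characters so it fits in an e-mail. Seeing other name/password pairs gives
    no way to compute the next one without the key."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def check_password(name: str, password: str, key: bytes = SECRET_KEY) -> int:
    """Module-style check as proposed in the thread: 1 = success, 0 = failure.
    compare_digest keeps the comparison time independent of how many leading
    characters matched, so guesses cannot be refined one character at a time."""
    expected = derive_password(name, key)
    return 1 if hmac.compare_digest(expected, password) else 0


def authorize(name: str, password: str, paper: str,
              key: bytes = SECRET_KEY) -> int:
    """Password check plus the second rule from the thread: the username must be
    an author of the paper requested, so one valid pair cannot be used to read a
    different author's unannounced paper. Returns 1 or 0 like check_password."""
    if not check_password(name, password, key):
        return 0
    return 1 if paper in AUTHOR_PAPERS.get(name, set()) else 0
```

The passwords e-mailed to authors would be the output of derive_password for their name; rotating SECRET_KEY invalidates all of them at once.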
Re: authentication algorithm
From: Rob Hartill <hartill@ooo.lanl.gov>
Date: Mon, 10 Jul 95 14:59:36 MDT

Is it possible to have authentication based on a simple algorithm ?

In Shambhala, you can write a module which does it however you like.
(DBM auth is a separate module, for instance, and the rest of the
server knows nothing about it). However, I'm not sure what security
the scheme outlined below would offer over simply setting up a group
account with the standard mechanisms...

If that's not clear, here's an example...
password = name + 1 (e.g. abcdef -> bcdefg)

So, anyone who knows this rule can get in using any username?

rst
Re: authentication algorithm
From: Rob Hartill <hartill@ooo.lanl.gov>
Date: Mon, 10 Jul 95 15:14:28 MDT

A generic way to do this would be to allow a routine/program
to be configured to handle authentication.

Call it a "module", and Shambhala has it now... unfortunately, the
interface is a little clunkier right now than it absolutely has to be
(and isn't really written up in the API doc yet).

Pass it arguments of "name" and "password". If it returns 1 then authentication
was successful, 0 means it failed.
One could then have any authentication system imaginable, and even have
different systems for different regions of the server based on
config/.htaccess information.

This is my first trip into authentication territory, so be gentle if
any of this already exists etc :-)

rob