search

gammazero / nexus

Full-feature WAMP v2 router and client written in Go
MIT License
266 stars 58 forks source link

SignChallenge using PBKDF2? #66

Closed igrek8 closed 6 years ago

igrek8 commented 6 years ago

Is it possible to add support for PBKDF2?

gammazero commented 6 years ago

That should be possible. I will look into adding that. Are you asking for this to be built into nexusd, or are you asking for the API to change to make is easier to add your own challenge signing implementation?

gammazero commented 6 years ago

Router Support

The router library already supports everything needed for using PBKDF2 keys. Keys stored on the server would normally have already have been computed using PBKDF2 and stored on disk. These derived keys, and their salting info, would normally be read from disk, and supplied to the router via the KeyStore API. The KeyStore API already supports supplying salting data, and the CRAuthenticator API already includes that in the challenge message: https://github.com/gammazero/nexus/blob/master/router/auth/crauth.go#L61-L66

If your router did need to compute derived keys, then your KeyStore implementation's AuthKey() function can call the pbkdf2.Key() function, provided by "golang.org/x/crypto/pbkdf2", to compute derived keys on the fly if this is necessary.

dk := pbkdf2.Key([]byte(password), salt, iterations, keylen, sha256.New)

The key returned by AuthKey() is used by the router to compute the challenge signature that is compared with what the client returns.

Client Support

It is up to your client implementation to provide the method that handles the challenge from the router, which may include asking the user for a password and computing the derived key from the password.

Your client's auth handler function for "wampcra", defined in the ClientConfig, determines how the client handles the challenge message. When password salting info is included in the challenge message, the client can use this, with a user-supplied password, to compute the derived key using pbkdf2.Key(), and then pass that as the key to crsign.SignChallenge().

gammazero commented 6 years ago

I have created a PR that addresses the need for clients to create keys with PBKDF2. I have created a new utility function crsign.RespondChallenge(), that takes a password and the challenge message from the router. If the challenge message contains salt info, then the challenge string is signed with a key created from the supplied password and salting info from the challenge message using PBKDF2.

This is implemented in PR https://github.com/gammazero/nexus/pull/68

gammazero commented 6 years ago

PR merged. API documented here: https://godoc.org/github.com/gammazero/nexus/wamp/crsign#RespondChallenge and in wiki: https://github.com/gammazero/nexus/wiki/Auth-Library#client-side-authenticator

Closing issue.