The way you thought of sending the authentication token to the server is very simple and very easy to hack.
In a Secure Login scenario there are two ways to make a secure authentication:
1) basic authentication with user-password
- the token contains the user and password protected by a PIN
- the user connects the token and types the PIN
- you call in javascript the Login function to verify the PIN
- if the verification succeeds you read the data object containing username and password
- you calculate the hash of the password, for example SHA1(password)
- you send your authentication token to the server:
{
username: <username>,
password: <base64 hashed password>,
loginDateTime: 2014/1/1,12.00.00,
....
}
- on the server side you check the received authentication token matching the hashed password with the one stored in the user's profile
2) strong authentication with challenge-response
- the token contains the username and the user's private key (RSA or ECC) protected by a PIN
- the server adds to the web page a challenge like this (each web page will have a different challenge):
var challenge = "<challenge>";
- the user connects the token and types the PIN
- you call in javascript the Login function to verify the PIN
- if the verification succeeds you read the data object containing the username and produce your own challenge
var mychallenge = "<random challenge>";
- you call the sign function on the string challenge + mychallenge to produce the response
var signature = session.Sign("<challenge>" + "<mychallenge>");
- you send your authentication token to the server:
{
username: <username>,
clientChallenge: <mychallenge>,
signature: <base64 signature>,
loginDateTime: 2014/1/1,12.00.00,
....
}
- on the server side you check the received signature by verifying it using the user's public key (stored in the user's profile) and the client challenge.