How javascript object is secured?

11/2/2013 4:52:14 PM
Total Posts 3

How javascript object is secured?

Assume we have a web form which needs a token to log in or sign data.

A valid user connects the token and logs in via a web browser (jQuery + Silverlight or Java).

I think it will be done by creating an object and sending it to the web server.

If that's so, what if someone mocks the JavaScript object and creates an object (for example in the Chrome Developer Tools) and pretends it was produced by a token?

11/2/2013 5:35:39 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: How javascript object is secured?

First of all we should clarify the context in which the scenario you describe is working.

Our jQuery plugin (both Silverlight and Java) works on the client side. It doesn't send any data to the web server.

The context is: 

1) the token is connected on the client side

2) the jQuery plugin works in the client-side browser and doesn't send any data to the web server.

In this scenario the JavaScript objects are created in the browser and they are connected to the underlying PKCS#11 module that is running on the client side. If you try to create fake JavaScript objects they aren't connected to the underlying PKCS#11 module and they cannot do any signature or anything else related to the token.

11/2/2013 5:48:01 PM
Total Posts 3

Re: How javascript object is secured?

For example, in a login scenario an application forces clients to use tokens to log in. So:

1- the token is connected on the client side

2- the client logs in to the token by JavaScript + Silverlight

Then how should the application be aware that the client did a successful login to the token?

Shouldn't it be done by a JavaScript object, like this:

{
  successfulLogin: true,
  expireDate: 2014/1/1,
  ....
}

Or is there another way to notify the web server that a successful login happened on the client side and let the user log in?

11/2/2013 6:09:14 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: How javascript object is secured?

The way you thought of sending the authentication token to the server is very simple and very easy to hack.

In a Secure Login scenario there are two ways to make a secure authentication:


1) basic authentication with user-password

- the token contains the username and password protected by a PIN

- the user connects the token and types the PIN

- you call the Login function in JavaScript to verify the PIN

- if the verification succeeds you read the data object containing the username and password

- you calculate the hash of the password, for example SHA1(password)

- you send your authentication token to the server:

{
   username: <username>,
   password: <base64 hashed password>,
   loginDateTime: 2014/1/1,12.00.00,
   ....
}

- on the server side you check the received authentication token by matching the hashed password with the one stored in the user's profile


2) strong authentication with challenge-response

- the token contains the username and the user's private key (RSA or ECC) protected by a PIN

- the server adds to the web page a challenge like this (each web page will have a different challenge):

 var challenge = "<challenge>"; 

- the user connects the token and types the PIN

- you call the Login function in JavaScript to verify the PIN

- if the verification succeeds you read the data object containing the username and produce your own challenge:

 var mychallenge = "<random challenge>";

- you call the sign function on the string challenge + mychallenge to produce the response:

 var signature = session.Sign("<challenge>" + "<mychallenge>"); 

- you send your authentication token to the server:

{
   username: <username>,
   clientChallenge: <mychallenge>,
   signature: <base64 signature>,
   loginDateTime: 2014/1/1,12.00.00,
   ....
}

- on the server side you check the received signature by verifying it using the user's public key (stored in the user's profile) and the client challenge.

11/3/2013 12:44:47 PM
Total Posts 3

Re: How javascript object is secured?

In the first scenario:

- you send your authentication token to the server:
{
   username: <username>,
   password: <base64 hashed password>
   loginDateTime: 2014/1/1,12.00.00
   ....
}

How do you send this data to the server? If it is by JavaScript, what if someone creates a fake JavaScript object containing this data? A hashed password can be captured once, and later the user can create an object containing the same hashed password and log in without the token.

11/4/2013 10:29:30 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: How javascript object is secured?

What you mentioned is related to any basic authentication where the username and hashed password are sent to the server, not only the one done by a token with NCryptoki.

To avoid that, the only solutions are strong authentication (via challenge-response) and OTP.


2/18/2014 5:55:54 PM
Total Posts 2

Re: I need JQUERY please help..

Hi, I need to buy this product, the jQuery Plugin, but I have a question. I need to read the certificate of an eToken PRO via PKCS#11, and from this certificate I need to obtain the CN. Is this possible? Or can I extract the Subject of this certificate?