Security in authentication process between Node-Webkit client & Phalcon-Server

Hello everyone!

Let's suppose, that we have node-webkit client, where we using bcrypt-nodejs module (link) to hash user password and transfer that hash to phalcon-server.

The question is: how do i check, that hash, that generated from password on client is valid with hash, that stored in phalcon-server database?

Same, but simplier: how do i check hash with one, that stored in phalcon-server database?

Thank you!


Same message on russian: Привет всем! Предположим, что у нас есть node-webkit клиент, в котором мы используем bcrypt-nodejs модуль (ссылка выше) для того чтобы сгенерировать хеш пароля и передать его на phalcon-сервер.

Вопрос в следующем: каким образом можно проверить полученный с клиента хеш?

Заранее благодарю!

edited Nov '14

My initial thought is that you cannot hash the password client-side and then verify it against the hash stored server-side. My reason for saying that is this: password_verify() (and crypt) takes the plain-text password, and the stored hash, and then uses that information to determine if the password is correct. It doesn't compare two hashes.

The only way that I see this working is if you retrieved the salt and cost used from the hash in the database and sent that to the client so that you can generate an identical hash. Then, you could simply compare and verify the two hashes are the same string.

Are you unable to simply use an SSL and not worry about hashing the password client-side?

Thank you for your comment! I think, i can use SSL, at least at first time. I don't know much about ssl, – if i use self-signed certificate for my domain, will it be atleast secured? Message about unsigned certificate will be ignored by node-webkit.

Also, i'm thinking about implementing Diffie-Helman's algoritm and part of CSRF token method. In DH algorithm, both, client & server will generate private keys, then, common public key, that will allow them to securly transfer sensetive data (such as password).

After successful authentication, server will send token, that will be sent by client in next request. Each time, when client will request something, server will check token, then generate new one & send it to client with requested data. In cases, when package will be lost, client and server will restart DH-algorithm and after that server will generate new token.

At this time i can't figure out exactly, but it seams, that packets moving from node-webkit client to server on https-url. I've tried using wireshark to find something in packets, – or ssl-ecnryption is working, or i didn't configured something.

I've found another way to login user:

  • User submits email address;
  • Server sends message to that email with link for activation session;
  • User goes to check inbox, clicks on link;
  • Opened page will close automaticaly, node-webkit client will apear on top of all windows right after session unlocked.

That's it, no passwords, no usernames, just e-mail address. Whats realy good is that this procedure is «login & confirm email» at once, in few clicks, and, also, no sensetive user data transfered. Only one question at this moment – how many messages i will be able to send in one minute?