No more clear text passwords

Stop the nonsense

nokey demo available

18 Mar 2010

A concept test of No Key is now available. It shows in detail how nokey works internally: every operation performed by the browser and the server, and the messages exchanged between them.
Check it out.

nokey-1.0 released

15 Feb 2010

nokey-1.0 is out! This release includes a web example, so you can now add a login based on Shamir's No Key protocol to your web application and the password is never sent in the clear. Here are the installation instructions. Download it and check it out.

Big Integer javascript library changed

12 Mar 2009

We started the concept tests of No Key and Poorman's PKCS with the Leemon Big Integer JavaScript library, which provides arbitrary-precision integer arithmetic.

After some tests we had to look for another library, because it was very slow and the login process took too long.

So now we use the jsbn library, a pure JavaScript implementation of arbitrary-precision integer arithmetic, which in our tests turned out to be much faster than the former.

nokey-0.3 and pmrsa-0.3 released

05 Feb 2009

no_key_server and pm_rsa_server can now be run as daemons.

pmrsa-0.2 released

20 Jan 2009

pm_rsa_client has been added. It can be used to test pm_rsa_server:

$ cat pubkey1024.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDphMtNqimaU8NSB7RmTXOqTpvF
UytGgxveBRqU8QlagCFcOJgBRkNQX7yAs1lkG79IuO+R/1h2I4rMrcjQ0Do+Y3rC
nX3bVFNe722o3K2igk4lPEB+RRJ0qu1t4uOozDNJdP66Y1t5pxbiv2GDfyQcu7YL
/4k1KfCGhAQq1pE0kQIDAQAB
-----END PUBLIC KEY-----

$ cat key1024.pem
-----BEGIN RSA PRIVATE KEY-----
(private key material omitted)
-----END RSA PRIVATE KEY-----

$ cipher=$(./pm_rsa_client -k pubkey1024.pem passw0rd)
$ echo $cipher
9F3F8C305CF515B18315C51C9DABF36467928DBD72ED78DAEBA6C87B17131436A
38521F24E80588A43707DD0D8645A1704DAFCE62F877E4C9C612C2F21ADF84326
C83239A3BBFF08B597A38089C832A75621C3DEACD27663B977F364095DBE67C973
FBB664D9D0B8595F7D3ACC99B4F5E30B5E6E54632136D1FBDE7A6B6FC407

$ ./pm_rsa_server -k key1024.pem $cipher
passw0rd

pmrsa-0.1 released

16 Jan 2009

pmrsa-0.1 is out. It contains pm_rsa_server, a utility that receives a hex-encoded message and decrypts it with RSA (PKCS#1 padding) using a private key. The message is expected to be the hex dump of a plaintext encrypted with the corresponding public key (otherwise the output is just noise).

The program is an attempt at providing better-than-plaintext authentication on the Internet. It is meant to be wrapped by a CGI program (think of a login CGI script) and to talk only to that wrapper, because at the end of the process the server emits the cleartext password.
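The following is an added example, not pmrsa's own code, that walks through what pm_rsa_client and pm_rsa_server do in the shell session above: pad the password, encrypt it to uppercase hex with the public key, then decrypt and check the padding with the private key. The page only says "PKCS-1 padding"; PKCS#1 v1.5 (type 2 blocks) is assumed here. The key generation, the 512-bit key size (kept small so the demo runs instantly; real keys are 2048 bits or more), the function names and the byte encoding are all assumptions made to keep the example self-contained.

```python
"""Toy RSAES-PKCS1-v1_5 round trip mirroring pm_rsa_client / pm_rsa_server.

Added example, not the pmrsa code. Key size, function names and the hex
framing are assumptions chosen to match the shell session on the page.
The generated key is for demonstration only.
"""
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a demo key."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random prime with the top bit set so p*q has the intended size."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). 512 bits is a demo size, not a safe one."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def pkcs1_v15_pad(msg, k):
    """EM = 0x00 || 0x02 || PS (>= 8 random non-zero bytes) || 0x00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em):
    """Strip padding; reject anything that does not have the expected layout."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # PS must be at least 8 bytes, and the separator must exist
        raise ValueError("bad padding")
    return em[sep + 1:]


def encrypt_password(pub, password):
    """Client side (what pm_rsa_client does): uppercase hex out, as on the page."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_v15_pad(password.encode(), k), "big")
    return pow(m, e, n).to_bytes(k, "big").hex().upper()


def decrypt_password(priv, cipher_hex):
    """Server side (what pm_rsa_server does): hex in, cleartext password out."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(bytes.fromhex(cipher_hex), "big")
    if c >= n:
        raise ValueError("ciphertext out of range")
    em = pow(c, d, n).to_bytes(k, "big")
    return pkcs1_v15_unpad(em).decode()


if __name__ == "__main__":
    pub, priv = generate_keypair()
    c1 = encrypt_password(pub, "passw0rd")
    c2 = encrypt_password(pub, "passw0rd")
    print(c1 != c2)                      # random PS: same password, different ciphertexts
    print(decrypt_password(priv, c1))    # passw0rd
```

Two things the round trip makes visible. The random padding string is why the same password yields a different hex blob every run, so a captured ciphertext does not by itself reveal whether two logins used the same password. And a padding failure is reported here by raising an exception; whatever the CGI wrapper sends back to the browser must not let a wrong password and a padding failure be told apart, because a distinguishable PKCS#1 v1.5 decryption failure is exactly the oracle Bleichenbacher's 1998 attack uses.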

Some web applications, such as blogs, need their credentials kept secret but not the whole communication channel (which is what SSL and TLS provide), because all of their content is meant to be public anyway.

Users of webmail servers may also be willing to trade the privacy of their mail (letting it travel over the web in the clear) for secure authentication (an encrypted login protocol). In practice, today most of them give up the former and get nothing in return.

nokey-0.2 released

17 Dec 2008

nokey-0.2 is out. This release adds no_key_client, which can be used to test no_key_server:

$ ./no_key_client passw0rd
K: : [7061737377307264]
p: : [DE52E87DE79677A26247493DC1C39CC2272E63535D742AC0AEA056D78CFDD5B
6DF812998CCDAC0AD43A9D74FCBCB02D437695ADBEA329E29FE3AF342782C54A971
03DBB0955F84C0A001611A18D8A4AF635D697614892D5F0B73F68B428F24F3B5D5E3
3F77F34275E73211BD03DBC7BDE3CEEB82914A69303DA45D1A2BAB2853]
u1: : [A5BDC31B4CC9DF6F67D075C962DD3B381C7AB0EA63C9BDA89B518ACEB8C047E
6E48A14661850B9C5BD1C5BC32C3F0B86F627BE0D042270412ED99F89AB5C1C2BB11F
A6C6F8427F6F88C1E3451D6CCC4F2A74F59E9BB1EC5AC996BB8114E9B902D3015E879
CB135FE4A6BDBF7E8212F2692CD42DB0346A9BCCAA9F83C63FD198D]
q1: : [4D39B5F115B05EDE3180582DD3EA73885CB36FFFDEE002FD93EA0350478E38CFE
6401EC6D7CB00526B3EFD7391CBB8FBDBCB383849BB2EF16B46CDF77AE96C10FAE204A
D32E6BD8C50520EC875EFBDC99318192CDFFE00949D1188175D4DF5E94CC1AB644027
F7480C308368EAD4B2398AFDB2BFA08A568E6719079DD14F278F]
Q2: : [361F9BAC62A177080AE962634701FC9E58EA0B0C8A4F2E4E5B56CFD048ACB5BE8
D2F96C5352A407B8B642985ED9F51009F4E036DC81C5522D0DDA9B90CDF87C86D0B7
72A4BA731FF51DA8269A258023B09A6F377474DFC5FEB8DF98C045D3E8960380E4302
179DE6212BCAF9AE3FD6D7BE3622505D15810741E464A25D975062]
Q3: : [DB0C40D69FBD7C4841CDE6493A8DDCCA4337FDF103B1A2243F83EE32CB8397B7
09221F89E7E2670C7DA27C2D3C2FBC0FD8E57CFC4B4BE568CAF943B8B5ECBCD2B8A9E7
9E7309FD8CF12FCD0CA2E2BE7BE703E91807A6DB6B01E8C3236AD296649A1D2774E8C2
21703271A13E010C3CB82337A3352D26F3925B7A1F6F81336778]
Key: [passw0rd]

nokey-0.1 released

10 Dec 2008

nokey-0.1 is out. no_key_server is a utility for secure authentication over an insecure channel using Shamir's no-key (or three-pass) protocol over the group of units of Z/p, p being a large prime referred to from now on as the modulus.

The three-pass protocol has two main advantages for authentication: passwords are never sent in the clear over the channel, and it needs neither certificates nor the overhead of a Public Key Infrastructure (the authentication server could even pick a fresh modulus for each authentication attempt, though this would be very resource-intensive).
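Here is the three-pass exchange written out with both sides' messages, as an added example that is not nokey's code. The browser (Client) holds the password K, picks an exponent a coprime to p-1 and sends K^a; the server picks b and returns K^(ab); the browser strips a and sends K^b; the server strips b and recovers K to compare with the stored password. The modulus (the Mersenne prime 2^521 - 1, chosen only because it is known to be prime and needs no generation), the class layout and the function names are assumptions; the no_key_client output above uses a 1024-bit p.

```python
"""Shamir's no-key (three-pass) protocol over the units of Z/p.

Added example, not the nokey code. The modulus, message names and class
layout are assumptions made to keep the demo self-contained.
"""
import secrets
from math import gcd

P = 2**521 - 1  # Mersenne prime M521; the group is (Z/P)*, of order P - 1


def random_exponent(p):
    """Exponent coprime to p-1, so that its inverse modulo p-1 exists."""
    while True:
        a = secrets.randbelow(p - 3) + 2
        if gcd(a, p - 1) == 1:
            return a


def password_to_k(password, p):
    """Same encoding as the K line of no_key_client: the password's bytes as a big-endian integer."""
    k = int.from_bytes(password.encode(), "big")
    if not 1 < k < p:
        raise ValueError("password does not map to a unit other than 1")
    return k


class Client:
    """The browser side: knows the password, never sends it in the clear."""

    def __init__(self, password, p=P):
        self.p, self.k = p, password_to_k(password, p)
        self.a = random_exponent(p)

    def pass1(self):
        """Message 1: K^a mod p."""
        return pow(self.k, self.a, self.p)

    def pass3(self, m2):
        """Message 3: remove own exponent, (K^ab)^(a^-1) = K^b mod p."""
        a_inv = pow(self.a, -1, self.p - 1)
        return pow(m2, a_inv, self.p)


class Server:
    """The no_key_server side: knows the stored password, checks what it recovers."""

    def __init__(self, stored_password, p=P):
        self.p, self.expected = p, password_to_k(stored_password, p)
        self.b = random_exponent(p)

    def pass2(self, m1):
        """Message 2: (K^a)^b = K^ab mod p."""
        return pow(m1, self.b, self.p)

    def finish(self, m3):
        """Recover K = (K^b)^(b^-1) mod p."""
        b_inv = pow(self.b, -1, self.p - 1)
        return pow(m3, b_inv, self.p)


def authenticate(client, server):
    """Run the three passes; return (accepted, transcript) so the wire view can be inspected."""
    m1 = client.pass1()      # browser -> server: K^a
    m2 = server.pass2(m1)    # server -> browser: K^ab
    m3 = client.pass3(m2)    # browser -> server: K^b
    return server.finish(m3) == server.expected, (m1, m2, m3)


def legendre(x, p):
    """Quadratic character of x mod p: 1 if x is a square, p-1 otherwise."""
    return pow(x, (p - 1) // 2, p)


if __name__ == "__main__":
    ok, (m1, m2, m3) = authenticate(Client("passw0rd"), Server("passw0rd"))
    print(ok)                                             # True
    print(authenticate(Client("wr0ng"), Server("passw0rd"))[0])  # False
    # a is odd (coprime to the even p-1), so K^a and K share their quadratic character.
    print(legendre(m1, P) == legendre(password_to_k("passw0rd", P), P))  # True
```

The legendre helper shows what an eavesdropper still learns: every exponent is coprime to p-1 and hence odd, so the first message has the same quadratic character as K and leaks one bit about the password per run; more generally, if p-1 has small factors, the three messages together give away log K modulo each of them (Pohlig-Hellman). For a low-entropy secret such as a password this is why the modulus should be a safe prime and K should be mapped into its large prime-order subgroup; the Mersenne prime used here was picked for convenience, not for that property.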

Moreover, many Web 2.0 services, such as blogs, chat services and wikis, need only secure authentication (that is, that the login/password pair is known only to its owner), because virtually all of their content is made public.

Users of webmail servers may also be willing to trade the privacy of their mail (letting it travel over the web in the clear) for secure authentication (an encrypted login protocol). In practice, today most of them give up the former and get nothing in return.

nmctp starts

22 Nov 2008

Welcome to no more clear text passwords (nmctp). We are two friends who do not want any password to be transmitted in plain text.