No more clear text passwords

Stop the nonsense

No Key Installation

There are two steps to follow in order to install no_key for securing your web application:

a) building the server
b) installing the new safe ‘login’ in your webapp

a) Building no_key_server

  1. Download the latest tgz version of no_key from Github:

  2. Decompress the downloaded tarball:
    $ tar xzvf nokey-<VERSION>.tgz
  3. Get into the newly created directory:
    $ cd nokey-<VERSION>
  4. If you do not have write permission in /etc you need to change the NO_KEY_CONF_FILE constant in the no_key.h file:
    #define NO_KEY_CONF_FILE "/etc/no_key.mod"

    to a path in a directory where you have write permission, for example:

    #define NO_KEY_CONF_FILE "/my/new/path/to/store/no_key.mod"

    It need not be a read-only file or be in any secure path.

  5. By default, the value of the NO_KEY_SIZE constant (in no_key.h) is 1024. You can change this value to 256, 512 or 2048. This will be run-time configurable in future versions.
  6. Build no_key:
    $ make

    If make succeeds, two executables, no_key_server and no_key_client, will have been built.

  7. To test no_key_server run:
    $ make test
    ./no_key_client 'Teh password!'
    K: : [546568207061737377726F6421]
    p: : [EF4FBB72BD78ADC40481DC3D879253989433046B463B40ACF558580254E413A59420
    u1: : [CC10D1DD3DB7850CCFEEEBB1DA256CD0FF0E234C3BE17D0B034187E50BEF39CD05D
    q1: : [1D259D69AE894E6019E0A6B4720CB54CA4543D8593D7C23B0CEC0C13D5C47081212
    q2: : [A741DC21757324578BF00E27A59217683CE0BBE2F6F0037D16BC66BAA22619600C7
    q3: : [8A268EA5389BAFE40039ACBCDC6360C405E99F58C36F02A609B1799EB873CE8FB13
    Key: [Teh password!]
    Try ./no_key_client your_password
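
The test output above starts from a key K and ends with the same key recovered. The sketch below shows how a Shamir three-pass (no-key) exchange achieves that. It is an added example, not code from no_key: the modulus `P`, the function names and the message names `m1`, `m2`, `m3` are assumptions and are not meant to match the `u1`/`q1`/`q2`/`q3` labels printed by `no_key_client`.

```python
import math
import secrets

# Assumption: a fixed, well-known Mersenne prime stands in for the modulus p.
# no_key sizes its own parameters from NO_KEY_SIZE; this value is illustrative.
P = 2**521 - 1

def keypair(p):
    """Pick a secret exponent e coprime to p-1 and its inverse d (e*d = 1 mod p-1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # 2 <= e <= p-2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def encode(secret: bytes, p: int) -> int:
    """Map the secret to an integer; reject values the exponentiation cannot hide."""
    k = int.from_bytes(secret, "big")             # leading zero bytes are not preserved
    if not 1 < k < p - 1:
        raise ValueError("secret must map to an integer strictly between 1 and p-1")
    return k

def three_pass(secret: bytes, p: int = P):
    """Run both sides of the exchange; return (wire messages, bytes the server recovers)."""
    k = encode(secret, p)
    a, a_inv = keypair(p)            # client's lock, never sent
    b, b_inv = keypair(p)            # server's lock, never sent
    m1 = pow(k, a, p)                # pass 1, client -> server: K^a
    m2 = pow(m1, b, p)               # pass 2, server -> client: K^(ab)
    m3 = pow(m2, a_inv, p)           # pass 3, client -> server: K^b
    recovered = pow(m3, b_inv, p)    # server removes its own lock: K
    n = (recovered.bit_length() + 7) // 8
    return (m1, m2, m3), recovered.to_bytes(n, "big")

if __name__ == "__main__":
    wire, out = three_pass(b"Teh password!")      # constructed sample input
    for name, value in zip(("m1", "m2", "m3"), wire):
        print(f"{name}: [{value:X}]")
    print(f"Key: [{out.decode()}]")
```

The three passes hide K from a passive eavesdropper only; nothing in them identifies the peer, so the sketch relies on the transport to authenticate the server.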

b) Installing the new safe ‘login’ in your webapp

The web directory contains a safe login example:

  • nokey-config.php: In this file you need to define NO_KEY_SERVER, the path to no_key_server. Usually it will be ../cgi-bin/no_key_server.
  • nokey.php: This file contains the server side of Shamir’s No Key protocol. It calls the function user_authentication($user, $password), which is implemented in the file your_app.php.
    To add the safe login to your app you will have to replace this function with yours. The authentication function returns true if the password is valid and false otherwise.
  • your_app.php: This file simulates the application's user authentication. The demo user and password are admin and passw0rd.
  • login.php: This file has a login form (the demo user and password are admin and passw0rd). If the user and password are valid, a session is created and the browser is redirected to index.php.
  • logout.php: In this file the session is destroyed and the browser is redirected to login.php.