PM_RSA(1) Authentication PM_RSA(1) NAME pm_rsa - Poor man's RSA. Use RSA to transmit encrypted passwords, but not to fight men in the middle. SYNOPSIS pm_rsa_server [options] [file] [number] DESCRIPTION pm_rsa_server is a utility which receives an hex message and decrypts it using RSA with PKCS-1 padding, by means of a private key. The message is supposedly the hex dump of the encryption of a plaintex using the corre- sponding public key (otherwise, it would be noise). The program is an attempt at providing 'more-than-plaintext'-safe authenti- cation on the Internet. It is intended to be used wrapped up by a CGI server (think of a login CGI script), communicating only with the wrapper, because at the end of the process, the server emits the cleartext message. It is obvious that some web applications, like blogs, require secret keys, but not necessarily secrecy of the complete communication channel (as SSL and TLS provide), because all of the content on those applications is intended to be public. Users of webmail servers may also be eager to trade non-privacy of their mail (letting it go through the web on the clear) for secure authentication (safe encryption of the login protocol). Actually, they are trading for nothing nowadays in most cases. THE PROTOCOL The server pm_rsa_server expects a message of the appropriate size as an hex string, and returns the decryption of that message using the specified private key (or the default /etc/pm_1024). This key has to be stored in the same computer running the program. The received message is (should be) the hex dump of the encryption of a PKCS-1 padded cleartext using the public key (which the user, application, web browser or whatever should have available). OPTIONS pm_rsa_server supports the following options: -k filename Specify the location of the private key (default /etc/pm_1024). -s Run as a server (on LOCALHOST, will not listen on other interface). -P port If run as a server, listen on port port. Otherwise, useless. -d If run as a server, dump each hex message and its decryption to stderr, otherwise useless. OUTPUT On success, pm_rsa_server outputs the decrypted message, if run as a stand- alone application. If run as a server, it awaits for connections and when one is accepted, it reads from the client the hex dump of the encrypted message and returns the decrypted text, closing the connection afterwards. If run in demo mode (see OPTIONS), it also sends to stderr on the local server a pair of messages with the hex dump and the cleartext. DEMO CLIENT The application includes a program pm_rsa_client to test the server and its functioning. EXAMPLES To try the standalone server, issue the following commands (assumming you are at the distribution directory, ./pm_1024 is the 'private' key included in the distribution, which you should never use in production systems). $ u=`./pm_rsa_client 'my password' $ ./pm_rsa_server -k ./pm_1024 $u my password To try the socket server, create the encrypted message $ u=`./pm_rsa_client 'my password' start the server: $ ./pm_rsa_server -k ./pm_1024 -s and connect to it sending it the encrypted text $ echo $u | nc localhost 16387 the password should appear before the prompt. To kill the server, issue $ killall -9 pm_rsa_server SECURITY This program does only what is hereby specified. In order to provide no- reply mechanisms, the wrapper function should create single-use keys or any other type of key to be padded after the message to be encrypted. This is not this program's issue because each vendor has its own concerns. In any case, recall that once a message is encrypted with a public key, it is usable as is at any time. The no-reply mechanism is not part of RSA per se, it is part of the security environment. EXIT STATUS The exit status is 0 on successful completion and non-zero otherwise. BUGS There are no known bugs up to date. VERSION 1.0 AUTHORS Pedro Fortuny Ayuso <info at pfortuny.net> Rafael Casado Sanchez <rafacas at gmail.com> COPYRIGHT Copyright (C) 2008 Pedro Fortuny Ayuso and Rafael Casado Sanchez Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
No more clear text passwords
Stop the nonsense
About nmctp
nmctp.com is a project to stop the nonsense regarding passwords used in the login protocols of most Web 2.0 projects.