PM_RSA(1) Authentication PM_RSA(1)
NAME
pm_rsa - Poor man's RSA. Use RSA to transmit encrypted passwords, but not
to fight men in the middle.
SYNOPSIS
pm_rsa_server [options] [file] [number]
DESCRIPTION
pm_rsa_server is a utility which receives an hex message and decrypts it
using RSA with PKCS-1 padding, by means of a private key. The message is
supposedly the hex dump of the encryption of a plaintex using the corre-
sponding public key (otherwise, it would be noise).
The program is an attempt at providing 'more-than-plaintext'-safe authenti-
cation on the Internet. It is intended to be used wrapped up by a CGI
server (think of a login CGI script), communicating only with the wrapper,
because at the end of the process, the server emits the cleartext message.
It is obvious that some web applications, like blogs, require secret keys,
but not necessarily secrecy of the complete communication channel (as SSL
and TLS provide), because all of the content on those applications is
intended to be public.
Users of webmail servers may also be eager to trade non-privacy of their
mail (letting it go through the web on the clear) for secure authentication
(safe encryption of the login protocol). Actually, they are trading for
nothing nowadays in most cases.
THE PROTOCOL
The server pm_rsa_server expects a message of the appropriate size as an
hex string, and returns the decryption of that message using the specified
private key (or the default /etc/pm_1024). This key has to be stored in the
same computer running the program.
The received message is (should be) the hex dump of the encryption of a
PKCS-1 padded cleartext using the public key (which the user, application,
web browser or whatever should have available).
OPTIONS
pm_rsa_server supports the following options:
-k filename Specify the location of the private key (default
/etc/pm_1024).
-s Run as a server (on LOCALHOST, will not listen on other
interface).
-P port If run as a server, listen on port port. Otherwise, useless.
-d If run as a server, dump each hex message and its decryption
to stderr, otherwise useless.
OUTPUT
On success, pm_rsa_server outputs the decrypted message, if run as a stand-
alone application. If run as a server, it awaits for connections and when
one is accepted, it reads from the client the hex dump of the encrypted
message and returns the decrypted text, closing the connection afterwards.
If run in demo mode (see OPTIONS), it also sends to stderr on the local
server a pair of messages with the hex dump and the cleartext.
DEMO CLIENT
The application includes a program pm_rsa_client to test the server and its
functioning.
EXAMPLES
To try the standalone server, issue the following commands (assumming you
are at the distribution directory, ./pm_1024 is the 'private' key included
in the distribution, which you should never use in production systems).
$ u=`./pm_rsa_client 'my password' $ ./pm_rsa_server -k ./pm_1024 $u my
password
To try the socket server, create the encrypted message
$ u=`./pm_rsa_client 'my password'
start the server:
$ ./pm_rsa_server -k ./pm_1024 -s
and connect to it sending it the encrypted text
$ echo $u | nc localhost 16387
the password should appear before the prompt. To kill the server, issue
$ killall -9 pm_rsa_server
SECURITY
This program does only what is hereby specified. In order to provide no-
reply mechanisms, the wrapper function should create single-use keys or any
other type of key to be padded after the message to be encrypted. This is
not this program's issue because each vendor has its own concerns. In any
case, recall that once a message is encrypted with a public key, it is
usable as is at any time. The no-reply mechanism is not part of RSA per se,
it is part of the security environment.
EXIT STATUS
The exit status is 0 on successful completion and non-zero otherwise.
BUGS
There are no known bugs up to date.
VERSION
1.0
AUTHORS
Pedro Fortuny Ayuso <info at pfortuny.net>
Rafael Casado Sanchez <rafacas at gmail.com>
COPYRIGHT
Copyright (C) 2008 Pedro Fortuny Ayuso and Rafael Casado Sanchez
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
nmctp
No more clear text passwords
Stop the nonsense
About nmctp
nmctp.com is a project to stop the nonsense regarding passwords used in the login protocols of most Web 2.0 projects: they are sent in the clear, shamelessly, with absolutely no care for privacy, and without warning the users.