Client-side challenge response authentication

Open ecorm opened this issue 10 years ago • 2 comments

Implement challenge response authentication, as per the advanced spec.

ecorm avatar Apr 05 '15 23:04 ecorm

Client requirements:

  • HELLO.Options.authmethods|list includes "wampcra"
  • HELLO.Options.authid|string is the authentication ID (e.g. username)
  • Receive CHALLENGE messages
  • Compute the HMAC-SHA256 using the shared secret over the challenge.
  • Send AUTHENTICATE messages in response to CHALLENGE
  • Accept WELCOME.Details containing authentication information
  • Allow the client program to forward the challenge to another party. This could be done by registering a callback function.

The client API should also allow the program to pass in a salted password, instead of a verbatim password. This way, the library cannot possibly leak the verbatim password.

Care should be taken so that the secret is wiped (zeroed-out) from memory ASAP.

The spec does not specify what the ABORT.Reason|URI should be if authentication fails. I have raised this issue in https://github.com/tavendo/WAMP/issues/15.

ecorm avatar Apr 07 '15 05:04 ecorm
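As an added illustration of the exchange listed in the requirements above (example code, not from the issue or from CppWAMP): the salted key derivation that lets the program hand the client a derived key instead of the verbatim password, the HMAC-SHA256 signature over the challenge text, the AUTHENTICATE message, a signer callback that could forward the challenge to another party, and the router's constant-time check. The CHALLENGE payload, password and salt are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable

# Constructed sample data (not from the issue): the Extra dict of a CHALLENGE
# message [4, "wampcra", Extra]. The challenge itself is a JSON text string.
CHALLENGE_TEXT = json.dumps({
    "authid": "alice", "authrole": "user", "authmethod": "wampcra",
    "authprovider": "userdb", "nonce": "LHRTC9zeOIrt_9U3",
    "timestamp": "2015-04-05T23:04:00.000Z", "session": 3251278072152162,
})
CHALLENGE_EXTRA = {"challenge": CHALLENGE_TEXT, "salt": "pepper42",
                   "iterations": 1000, "keylen": 32}
AUTHENTICATE = 5  # WAMP message type code

def derive_key(secret: str, salt: str, iterations: int, keylen: int) -> bytearray:
    """Salted WAMP-CRA key: base64(PBKDF2-HMAC-SHA256(secret, salt)).
    Returned as a mutable bytearray so the holder can wipe it; the verbatim
    password never has to reach the WAMP client, only this derived key."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations, keylen)
    return bytearray(base64.b64encode(raw))

def sign_challenge(key: bytearray, challenge: str) -> str:
    """Signature carried in AUTHENTICATE: base64(HMAC-SHA256(key, challenge text))."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def wipe(buf: bytearray) -> None:
    """Zero the key in place. Best effort only: a garbage-collected runtime may
    still hold copies, which is why the issue asks the C++ library to do this."""
    buf[:] = bytes(len(buf))

def build_authenticate(extra: dict, signer: Callable[[str], str]) -> list:
    """Client side: pass the challenge to `signer` (a local key, or a callback
    that forwards it to another party) and wrap the result in AUTHENTICATE."""
    return [AUTHENTICATE, signer(extra["challenge"]), {}]

def router_verify(extra: dict, key: bytearray, msg: list) -> bool:
    """Router side: recompute the signature and compare in constant time."""
    expected = sign_challenge(key, extra["challenge"])
    return msg[0] == AUTHENTICATE and hmac.compare_digest(expected, msg[1])

def demo() -> bool:
    e = CHALLENGE_EXTRA
    key = derive_key("correct horse", e["salt"], e["iterations"], e["keylen"])
    msg = build_authenticate(e, lambda challenge: sign_challenge(key, challenge))
    ok = router_verify(e, key, msg)
    wipe(key)  # the client's copy is cleared as soon as the reply is built
    return ok
```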

With the existing authentication API, nothing prevents CppWAMP users from computing the cryptographic signatures themselves using other crypto libraries.

ecorm avatar May 18 '22 02:05 ecorm