Strong Plone Authentication Using Python and OpenSSL (Raphaël Poss, Gaël Le Mignot)

The cookie stores the password in plain text.
Passwords go over the network unencrypted, in plain text.

You don't want to change too much source code just to implement security.

Example custom setting.

Client side might store information that should not be there.

Transparency

Not intrusive on server side or client side.

cryptography signatures
private and public keys
hashing md5 sha
encryption algorithm
rsa dsa

you make a hash of your message, then you encrypt that hash with a key

basic authentication in http

transparently: the Zope system would think that the user logged in the usual way.

in the usual case, the user logs in via a browser and authenticates against the system.

now there is an authentication server in between

in the browser you have an applet, and the applet authenticates against the authentication server. this server then talks to Zope (and Plone)...

apache would serve the applet and between

the browser sends an http request and does not have a cookie yet.
the user then has to use an applet to give his username and password.
this process unlocks the authentication server for that user.
the applet uses cryptography.
the authentication server checks against its authentication database.
the auth server uses basic authentication to talk with Zope.
the authentication server also removes cookies (like the ac cookie, the authentication cookie) so they no longer get through as before.

xmlrpc is used between the proxy and the auth database; http, https and xmlrpc are employed.

existing tools are used
twisted is the reverse proxy
apache is caching http
pyOpenSSL

proxy
session manager: recognises timeouts of cookies
authentication manager: the main module for authentication; cryptography is done here, and access to the database goes through this module
page generator: it would just return things like "auth denied" or "auth successful" as an html file
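As an added illustration of the request flow and the proxy components above (not code from the talk or from Pilot Systems), a stdlib Python sketch of the session manager plus the request rewrite: look the session cookie up against a timeout, strip Plone's `__ac` cookie so it never reaches Zope, and hand Zope ordinary basic authentication. The `authsid` cookie name, the 600-second timeout and the session table layout are assumptions.

```python
import base64
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 600       # seconds of inactivity before a session is dropped (assumed value)
AUTH_COOKIE = "__ac"        # Plone's own authentication cookie; the proxy removes it
SESSION_COOKIE = "authsid"  # hypothetical name of the proxy's own session cookie


class SessionManager:
    """Session id -> (user, Zope password, last seen). The credential would come from the
    authentication database once the applet's signature has been verified."""

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}

    def open(self, sid, user, zope_password, now):
        self.sessions[sid] = (user, zope_password, now)

    def lookup(self, sid, now):
        """Return (user, password) for a live session and refresh it; drop it when timed out."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, pw, last_seen = entry
        if now - last_seen > self.timeout:
            del self.sessions[sid]
            return None
        self.sessions[sid] = (user, pw, now)
        return user, pw


def rewrite_request(headers, sessions, now):
    """Turn a browser request into what the proxy forwards to Zope.

    Returns (forward_headers, None) for an authenticated session, or (None, "auth denied")
    when the page generator should answer instead of Zope."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    forwarded = {k: v for k, v in headers.items() if k != "Cookie"}
    # Drop __ac so Zope's cookie login cannot be used to bypass the proxy; keep the rest.
    kept = [f"{k}={m.value}" for k, m in cookie.items() if k != AUTH_COOKIE]
    if kept:
        forwarded["Cookie"] = "; ".join(kept)
    sid = cookie[SESSION_COOKIE].value if SESSION_COOKIE in cookie else None
    cred = sessions.lookup(sid, now) if sid else None
    if cred is None:
        return None, "auth denied"
    user, pw = cred
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    forwarded["Authorization"] = "Basic " + token  # Zope sees an ordinary basic auth login
    return forwarded, None
```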

browser with scripting and applet abilities


client:
java applet
XUL
JavaScript copy paste the private key as fallback system if java is not available


server:
apache with ssl module
python and twisted
TCP/IP and threading in the OS
authentication module
pyOpenSSL X509


authorisation is a database with pin <-> user, password

usb tokens (hardware device)

server one on the internet has apache, proxy xmlrpc for zodb access

components work
things are refactored at the moment

have but don't like:
windows only java applet
config is not very readable
config is hard to use

missing parts:
sexy authorization management interface
GnuPG auth modules and keys
XUL or standalone python at client side.

Pilot Systems

the source in subversion is not public and not open yet, because it is not clean so far. it will be available soon. licensing needs to be thought about. We want to take over pyOpenSSL; if anyone knows its developers, Pilot Systems would like to get in touch with them.

Outlook:
Server side: new authentication modules, Kerberos, ot tokens

get in touch if you are interested.

adesium
bluedynamics

Questions?

Q: Is there a relation to Cached user folder developers?
A: There is no strong relation.

Q: When will it be available?
A: The amount of work is low, but it is a matter of how a project would make implementations possible. It could be finished soon, but maybe some open source developers would help finishing it.

Q: How close is the java applet to be platform independent?
A: Pretty close. It uses proprietary extensions only available in Windows Java. It relies on extensions. It is about opening files on the file system and doing encryption. We cannot really do more.
