DSWI
Dead Simple Web Infrastructure
(NOTE: the security hole in the original version of DSSID has been fixed. DSSID is now safe to use (as far as I know). If you find another security flaw (or any other bugs) please let me know.)
DSSID puts an RSA key in your browser so that you can log into sites without a user name and password. Your key becomes your identity. You still have a password, but it is only used to encrypt your key for extra security. Authentication does not depend on your password. Neither your key nor your password ever leave your machine, so even if hackers break into a site they can't steal your login credentials. DSSID can be the last login system you will ever need.
The easiest way to learn about DSSID is to try our demo. It won't look like much (there's no eye candy) but take a look at the source code to see how little of it there is.
How to use DSSID on your own site
Integrating DSSID into your site is Dead Simple: All you need is to put a link on your page that looks like this:<a href=https://secure.dswi.net/dssid/auth?url=CALLBACK_URL&ri=REQINFO>
where CALLBACK_URL is the url of your site, and REQINFO is a comma-separated list of additional information you are requesting like name and email (which are the only two items that are currently supported). In fact, you can copy the source of the demo page onto your own server, or even just onto your hard drive and it should still work (the demo uses Javascript to fill in the CALLBACK_URL field automatically). A user clicks on this link, which directs them to the DSSID site. They authenticate themselves, and their browser is then forwarded to the CALLBACK_URL along with a session identifier (SESSION_ID).
The last step in the process is to verify that the invocation of CALLBACK_URL was legitimate (because anyone can generate a link to CALLBACK_URL, not just the DSSID server). To do that, your application does an HTTP GET on:
https://secure.dswi.net/dssid/verify?sid=SESSION_ID
where SESSION_ID is the value that was sent as the form parameter to your CALLBACK_URL. If the session ID is valid, the DSSID server responds with "valid" plus a list of additional key-value pairs including the user's ID, a time stamp, and any additional information requested like name and email address, e.g.:
valid timestamp: 1348633351.79 uid: BWZDCYMEQR6VCISJKJKGDPBQ75R2F7XV name: Joe User sid: 72ZV7YXMJSHN35DG6RWSZHZWAPXCRGDLThat's it! No more password management, no more choosing a user name, no more "Sorry, that user name is unavailable."
How it works
DSSID uses public key cryptography (specifically, RSA) to authenticate you. The DSSID server sends a randomly generated number (called a cryptographic nonce) to your browser. Javascript code in your browser encrypts the nonce with your private key and sends the result back to the server. The server then decrypts that using your public key to verify that you are you.In order to keep your private key secure, it is locally encrypted using AES-128.
Implementation
DSSID is implemented using Forge, an open-source cryptography package written in Javascript from Digital Bazaar. Forge in turn is implemented using JSBN, a Javascript bignum library. The DSSID code will be released as open source soon, but I want to put a little more polish on it (and add some comments) before releasing it.NOTE: The "keep me logged in" feature at the moment keeps an unencrypted copy of your key in your browser's sessionStorage. This is a possible security risk because, while sessionStorage is supposed to be secure, it is actually not that hard to compromise. In particular, a malicious browser plug-in can easily access sessionStorage. If there is even the remotest change that you may have installed a malicious browser plug-in, or if you just want to be extra careful, do not use "keep me logged in" until I've had a chance to come up with a more secure implementation.
| Please send comments and feedback to me at |
 .
|