The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Authenticate opened web page

I am developing a web-based application. The home page is very simple, no images. Just a banner on top and Login box. I am wondering if someone hacks it and a fake page opens, how will I be able to differentiate whether the page opened is from my site or a fake one.

I am planning to keep a public key on the server database. It will create a time stamp string and encrypt using my public key. When the home page will open, I'll display this encrypted string on the page. I will copy the encrypted string from the page and decrypt using a private key that I have in my personal computer. If the time stamp comes out to be different than that of current date, it means it is a fake page.

Please suggest how to authenticate the opened page.
Rohit
Monday, October 20, 2008
 
 
If this is not a homework question...

...why not just use one of the numerous standard authentication mechanisms that everyone else uses?
Scorpio Dragon Send private email
Monday, October 20, 2008
 
 
Rohit, you're not understanding the difference between the use cases of encryption and signatures.

Encryption works by using the public key to sign the message.  You then need the private key to view it, but anyone else can generate arbitrary messages with the same public key. 

Verifying a message has not been tampered with requires signing with the private key.  If your private key is on a server which just got compromised, it is not private anymore. :)

In general, the level of security you want is not possible.  The big reason is that any attacker can playback whatever you require to pass the "Is this site from me?" test and THEN include arbitrary bad behavior at a level which you aren't checking.
Patrick McKenzie (Bingo Card Creator) Send private email
Thursday, October 23, 2008
 
 
Of course, you can mitigate "playback" attacks too.
Scorpio Dragon Send private email
Thursday, October 23, 2008
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz