

Html form authentication using HMAC

Download HMAuth


HMAC is a good way to authenticate users without exchanging passwords.
Nothing new, ok, but I think the more such solutions are out there, the better.

- Description:

When there is a need to authenticate users from a web page, passwords are often sent over insecure channels, and this can lead to our own passwords being sniffed (read: CMS & Co.). This is a way to avoid passing the password from a user login HTML form over an insecure channel.

- How system works:

To authenticate a user without sending the password, the server sends a random string. When the user types the password and submits the form, the browser computes an HMAC (SHA-1 based; yes, it is broken, but this is an example) of the random string with the password using a JavaScript function, and sends the HMAC digest to the server. The server checks whether the digest generated by the client is the same as the one it generates in the same way, and if so authenticates the user.

Example Given:

-------------index.php-----------------------------------------------------
<?php
// HMAuth library include (file name elided on the original page)
require_once("");
$password = "123";
if (!isset($_POST['auth'])) {
    // first visit: print the login form; print_hmauth_input() is the HMAuth
    // helper that emits the input fields for form "c"
    echo "<html> <body>";
    echo '<h2>Autenticazione</h2> <form name="c" action="" method=post >';
    echo print_hmauth_input("c");
    echo "</form> </body> </html>";
} else if (test_hmauth($_POST['auth'], $password, $_SESSION['message'])) {
    // $_SESSION['message'] holds the random string sent to the client;
    // the client's digest matches the server's: user authenticated
    echo "ok";
} else {
    // wrong digest: back to the login form
    header("Location: " . $_SERVER['PHP_SELF']);
}
?>
------------------------------------------------------------------

- Final Note #1:

Sometimes it could be a good choice to tell web users that their passwords won't go anywhere around the Internet... If you like (that's a personal choice) you can put a little banner which informs that you are adopting HMAuth on your site. Just insert the following HTML code:

<div><a href="" title="Shhh...this Site Doesn't Send Any Password On The Internet!"> <img src="/images/hmauth.jpg" alt="HMAuth by - The Wise Security" longdesc="This Site Uses HMAuth, a User Authentication System That Doesn't Send Any Password On The Internet!" /> </a></div>

You can choose one of these three banners:
1. images/hmauth.jpg : static jpg
2. images/hmauth_shh.jpg : static
3. images/hmauth.gif : animated gif (two frames)

- Final Note #2 - A False Sense Of Security.

Warning!!!! This solution is useful only if you don't have the chance to use an HTTPS secure channel, or as an additional feature on top of your HTTPS web solution. You must treat this solution as an added value to your code... Don't think HMAuth is the ultimate solution to password sniffing problems!

- Final Note #3 - License and use:

This program is GPL 2.0 licensed, also because it's not all mine...
Good authentication!
Stefano Di Paola

Wisec is written and maintained by Stefano Di Paola.

All Rights Reserved 2004