Input Hash
This site provides information about a proposed HTML extension intended to make the transmission and handling of passwords and similar data more secure.
The basic idea is to introduce a new element similar to the familiar password box, but one that provides better security and encryption. This element should be an input control of the type "hash".
<input type="hash" />
What follows is a general explanation, along with technical information and comparisons of hash boxes to current techniques.
What should it do and be?
Visually it can be identical to the known "password" type (a textbox masking its characters). The major difference would be its technical implementation or, more precisely, its output/result to the server.
What would be those differences?
An input field of the type "password" transmits its content, just as any other regular textbox, unencrypted to the server.
An input field of the type "hash" should hash the given text and transmit only the hash to the server.
What would be the advantages?
As mentioned, a password field only masks its text (so that it cannot be read by bystanders); it does not actually encrypt or hash it to provide secure transmission.
This means not only that the given text is transmitted in plain text over the network (unless SSL is used) but also that the owner or administrator of the destination server can always reveal the actual password. It also makes replay attacks possible, or at least much simpler.
What would be the exact technical implementation?
A hash input field would be defined similarly to a password field via
<input type="hash" hash="md5" salt="" replaysalt="" regexp="" />
- The first attribute (type) would indicate that a hash field should be displayed.
- The second attribute (hash) would indicate the hash algorithm to be used (md5 in this example or also sha1 or any other available on the client).
- The third attribute (salt) would be an optional (but recommended) one, which should provide the result with the typical "hash salt" (to prevent precalculated tables). A site using a salt would always need to specify the same salt in order to get the same result.
- The fourth attribute (replaysalt) would be an optional attribute as well, very similar to the third. However, in this case the salt should be randomly generated on each request and stored on the server side (via sessions, for example). It is applied to the hash result of the content and the general salt. Its primary use is to prevent replay attacks.
Note: The replay salt should only be used on read or verification processes (like a logon) as otherwise (upon setting the password for example) the server would never be able to determine the original or raw hashcode.
- The fifth attribute (regexp) indicates an optional regular expression which is applied to the entered value to see whether it matches password criteria (length, alphanumeric characters, ...). This is necessary because the control should not allow external code to access the actual value, but should at the same time offer a way to enforce certain password rules.
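The salt, replaysalt and regexp steps described above, simulated end to end in Node.js with both the control and the server side. This is an added example, not code from the proposal or from the Firefox extension; SHA-256, the value-then-salt concatenation order, hex output, and the names hashField, Server and demo are assumptions the page does not specify.

```javascript
// Added example (not the proposal's code). Assumed: SHA-256, value+salt order, hex output.
const crypto = require('crypto');
const h = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// What the control would submit for <input type="hash" salt=... replaysalt=... regexp=...>.
function hashField(value, { salt = '', replaysalt = '', regexp = '' } = {}) {
  // The rule is checked inside the control, so page script never needs the raw value.
  if (regexp && !new RegExp(regexp).test(value)) return null;
  const raw = h(value + salt);                    // hash of content and general salt
  return replaysalt ? h(raw + replaysalt) : raw;  // replay salt applied to that result
}

class Server {
  constructor(siteSalt) {
    this.siteSalt = siteSalt;
    this.users = new Map();     // user -> raw hash; compared against, so protect it like a credential
    this.sessions = new Map();  // session id -> outstanding replay salt
  }
  // Set-password form: no replaysalt, so the server receives the raw hash.
  register(user, rawHash) { this.users.set(user, rawHash); }
  // Logon form: a fresh random replay salt per request, kept in the session.
  issueReplaySalt(sessionId) {
    const rs = crypto.randomBytes(16).toString('hex');
    this.sessions.set(sessionId, rs);
    return rs;
  }
  verify(sessionId, user, submitted) {
    const rs = this.sessions.get(sessionId);
    this.sessions.delete(sessionId);              // single use: a replayed value finds no salt
    const stored = this.users.get(user);
    if (!rs || !stored || typeof submitted !== 'string') return false;
    const expected = Buffer.from(h(stored + rs));
    const got = Buffer.from(submitted);
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

function demo() {
  const server = new Server('example-site-salt'); // constructed sample values throughout
  const policy = '^.{8,}$';
  server.register('alice', hashField('correct horse', { salt: server.siteSalt, regexp: policy }));
  const rs = server.issueReplaySalt('sess1');
  const login = hashField('correct horse', { salt: server.siteSalt, replaysalt: rs });
  const first = server.verify('sess1', 'alice', login);
  const replayed = server.verify('sess1', 'alice', login); // same bytes, salt already consumed
  server.issueReplaySalt('sess2');
  const stale = server.verify('sess2', 'alice', login);    // old value against a new salt
  return { first, replayed, stale, tooShort: hashField('short', { regexp: policy }) };
}
```

Calling demo() returns the outcome of a valid logon, a replay of the same submitted value, the same value presented against a newly issued replay salt, and a value rejected by the regexp rule.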
Why a hash field if SSL already provides secure transmissions?
It is correct that HTTPS provides a secure channel between the client and the server. However, HTTPS does not prevent the administrator of the destination server from obtaining the actual plain text data. A hash input field would. Additionally, it provides a semi-encryption as well as replay protection for non-SSL connections.
Are there any open technical or security issues?
One is how client-side access (via JavaScript, for example) to a hash field is handled. While write access should probably always set the passed value, read access is a bit more difficult. Should the returned value be the computed hash or the actual value? Although I lean toward the former, this should still be discussed. A related question is whether key event handlers should be called or not (they could be used to reveal the entered text).
Should there be other concerns, I'd really welcome opinions.
Concept Implementation
There is a first, very basic extension for Firefox 2 available that implements the basic functionality, with the following limitations:
- Instead of introducing an actual "hash" type, the "password" type is extended to support hashing if there is a "hash" attribute.
- Regular expressions are currently not checked.
- External access to the value is possible.
Please download it here. Alternatively you can also download it from https://addons.mozilla.org/en-US/firefox/addon/6309.
Once you have it installed you can try out the demo below to see how it works.