home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
OS/2 Shareware BBS: 35 Internet
/
35-Internet.zip
/
srev13g.zip
/
dynpwd.rsp
< prev
next >
Wrap
Text File
|
1999-04-18
|
18KB
|
443 lines
<!-- This is the default document/script used by the DYNPWD; the
SRE dynamic passwords facility.
You can customize the BODY of this,
but please note code that should NOT be modified -->
<HTML>
<HEAD>
<!-- ****************************** BEING NON-CHANGEABLE CODE ************** -->
<SCRIPT>
<!--
// DO NOT CHANGE THESE LINES (they are set dynamically!!!
var appname="##APPNAME" // the application that needs a dynamic password
var theip="##THEIP" // the client's ip address
var tstamp="##TSTAMP" // a time stamp
var newlocation="##NEWLOCATION" // go here on submission
var status_message="##MESSAGE" // a status message
// ----------------------------------------------------
// ------------- do NOT modify this <SCRIPT>
/*
* md5.jvs 1.0b 27/06/96
*
* Javascript implementation of the RSA Data Security, Inc. MD5
* Message-Digest Algorithm.
*
* Copyright (c) 1996 Henri Torgemane. All Rights Reserved.
*
* Permission to use, copy, modify, and distribute this software
* and its documentation for any purposes and without
* fee is hereby granted provided that this copyright notice
* appears in all copies.
*
* Of course, this soft is provided "as is" without express or implied
* warranty of any kind.
*/
function array(n) {
for(i=0;i<n;i++) this[i]=0;
this.length=n; }
/* Some basic logical functions had to be rewritten because of a bug in
* Javascript.. Just try to compute 0xffffffff >> 4 with it..
* Of course, these functions are slower than the original would be, but
* at least, they work!
*/
function integer(n) { return n%(0xffffffff+1); }
function shr(a,b) {
a=integer(a);
b=integer(b);
if (a-0x80000000>=0) {
a=a%0x80000000;
a>>=b;
a+=0x40000000>>(b-1); }
else
a>>=b;
return a; }
function shl1(a) {
a=a%0x80000000;
if (a&0x40000000==0x40000000)
{ a-=0x40000000;
a*=2;
a+=0x80000000; }
else
a*=2;
return a; }
function shl(a,b) {
a=integer(a);
b=integer(b);
for (var i=0;i<b;i++) a=shl1(a);
return a; }
function and(a,b) {
a=integer(a);
b=integer(b);
var t1=(a-0x80000000);
var t2=(b-0x80000000);
if (t1>=0)
if (t2>=0)
return ((t1&t2)+0x80000000);
else
return (t1&b);
else
if (t2>=0)
return (a&t2);
else
return (a&b); }
function or(a,b) {
a=integer(a);
b=integer(b);
var t1=(a-0x80000000);
var t2=(b-0x80000000);
if (t1>=0)
if (t2>=0)
return ((t1|t2)+0x80000000);
else
return ((t1|b)+0x80000000);
else
if (t2>=0)
return ((a|t2)+0x80000000);
else
return (a|b); }
function xor(a,b) {
a=integer(a);
b=integer(b);
var t1=(a-0x80000000);
var t2=(b-0x80000000);
if (t1>=0)
if (t2>=0)
return (t1^t2);
else
return ((t1^b)+0x80000000);
else
if (t2>=0)
return ((a^t2)+0x80000000);
else
return (a^b); }
function not(a) {
a=integer(a);
return (0xffffffff-a); }
/* Here begin the real algorithm */
var state = new array(4);
var count = new array(2);
count[0] = 0;
count[1] = 0;
var buffer = new array(64);
var transformBuffer = new array(16);
var digestBits = new array(16);
var S11 = 7; var S12 = 12; var S13 = 17;
var S14 = 22; var S21 = 5; var S22 = 9;
var S23 = 14; var S24 = 20; var S31 = 4;
var S32 = 11; var S33 = 16; var S34 = 23;
var S41 = 6; var S42 = 10; var S43 = 15;
var S44 = 21;
function F(x,y,z) {return or(and(x,y),and(not(x),z)); }
function G(x,y,z) {return or(and(x,z),and(y,not(z))); }
function H(x,y,z) {return xor(xor(x,y),z); }
function I(x,y,z) {return xor(y ,or(x , not(z))); }
function rotateLeft(a,n) {return or(shl(a, n),(shr(a,(32 - n)))); }
function FF(a,b,c,d,x,s,ac) {
a = a+F(b, c, d) + x + ac;
a = rotateLeft(a, s);
a = a+b;
return a; }
function GG(a,b,c,d,x,s,ac) {
a = a+G(b, c, d) +x + ac;
a = rotateLeft(a, s);
a = a+b;
return a; }
function HH(a,b,c,d,x,s,ac) {
a = a+H(b, c, d) + x + ac;
a = rotateLeft(a, s);
a = a+b;
return a; }
function II(a,b,c,d,x,s,ac) {
a = a+I(b, c, d) + x + ac;
a = rotateLeft(a, s);
a = a+b;
return a; }
function transform(buf,offset) {
var a=0, b=0, c=0, d=0;
var x = transformBuffer;
a = state[0];
b = state[1];
c = state[2];
d = state[3];
for (i = 0; i < 16; i++) {
x[i] = and(buf[i*4+offset],0xff);
for (j = 1; j < 4; j++) {
x[i]+=shl(and(buf[i*4+j+offset] ,0xff), j * 8); } }
/* Round 1 */
a = FF ( a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
d = FF ( d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
c = FF ( c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
b = FF ( b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
a = FF ( a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
d = FF ( d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
c = FF ( c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
b = FF ( b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
a = FF ( a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
d = FF ( d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
c = FF ( c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
b = FF ( b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
a = FF ( a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
d = FF ( d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
c = FF ( c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
b = FF ( b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
/* Round 2 */
a = GG ( a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
d = GG ( d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
c = GG ( c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
b = GG ( b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
a = GG ( a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
d = GG ( d, a, b, c, x[10], S22, 0x2441453); /* 22 */
c = GG ( c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
b = GG ( b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
a = GG ( a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
d = GG ( d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
c = GG ( c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
b = GG ( b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
a = GG ( a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
d = GG ( d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
c = GG ( c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
b = GG ( b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
/* Round 3 */
a = HH ( a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
d = HH ( d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
c = HH ( c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
b = HH ( b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
a = HH ( a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
d = HH ( d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
c = HH ( c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
b = HH ( b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
a = HH ( a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
d = HH ( d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
c = HH ( c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
b = HH ( b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
a = HH ( a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
d = HH ( d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
c = HH ( c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
b = HH ( b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
/* Round 4 */
a = II ( a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
d = II ( d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
c = II ( c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
b = II ( b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
a = II ( a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
d = II ( d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
c = II ( c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
b = II ( b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
a = II ( a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
d = II ( d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
c = II ( c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
b = II ( b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
a = II ( a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
d = II ( d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
c = II ( c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
b = II ( b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
state[0] +=a;
state[1] +=b;
state[2] +=c;
state[3] +=d; }
function init() {
count[0]=count[1] = 0;
state[0] = 0x67452301;
state[1] = 0xefcdab89;
state[2] = 0x98badcfe;
state[3] = 0x10325476;
for (i = 0; i < digestBits.length; i++)
digestBits[i] = 0; }
function update(b) {
var index,i;
index = and(shr(count[0],3) , 0x3f);
if (count[0]<0xffffffff-7)
count[0] += 8;
else {
count[1]++;
count[0]-=0xffffffff+1;
count[0]+=8; }
buffer[index] = and(b,0xff);
if (index >= 63) {
transform(buffer, 0);
} }
function finish() {
var bits = new array(8);
var padding;
var i=0, index=0, padLen=0;
for (i = 0; i < 4; i++) {
bits[i] = and(shr(count[0],(i * 8)), 0xff); }
for (i = 0; i < 4; i++) {
bits[i+4]=and(shr(count[1],(i * 8)), 0xff); }
index = and(shr(count[0], 3) ,0x3f);
padLen = (index < 56) ? (56 - index) : (120 - index);
padding = new array(64);
padding[0] = 0x80;
for (i=0;i<padLen;i++)
update(padding[i]);
for (i=0;i<8;i++)
update(bits[i]);
for (i = 0; i < 4; i++) {
for (j = 0; j < 4; j++) {
digestBits[i*4+j] = and(shr(state[i], (j * 8)) , 0xff); }
} }
/* End of the MD5 algorithm */
function hexa(n) {
var hexa_h = "0123456789abcdef"; var hexa_c=""; var hexa_m=n;
for (hexa_i=0;hexa_i<8;hexa_i++) {
hexa_c=hexa_h.charAt(Math.abs(hexa_m)%16)+hexa_c;
hexa_m=Math.floor(hexa_m/16); }
return hexa_c; }
var ascii="01234567890123456789012345678901" +
" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"+
"[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";
function MD5(your_pwd) {
var l,s,k,ka,kb,kc,kd;
init();
for (k=0;k<your_pwd.length;k++) {
l=your_pwd.charAt(k);
update(ascii.lastIndexOf(l)); }
finish();
ka=kb=kc=kd=0;
for (i=0;i<4;i++) ka+=shl(digestBits[15-i], (i*8));
for (i=4;i<8;i++) kb+=shl(digestBits[15-i], ((i-4)*8));
for (i=8;i<12;i++) kc+=shl(digestBits[15-i], ((i-8)*8));
for (i=12;i<16;i++) kd+=shl(digestBits[15-i], ((i-12)*8));
s=hexa(kd)+hexa(kc)+hexa(kb)+hexa(ka);
return s; }
function comp_md5(avalue,setit)
{aggx=avalue
if (setit==1){aggx=theip + '_'+ tstamp + '_' + avalue}
zaa=MD5(aggx.toUpperCase())
return zaa }
function byebye(aa)
{
p1=appname + "=" +tstamp + "_" + document.askmd5.session_key.value + "; PATH=/ "
document.cookie=p1
window.location.href=newlocation
return false
}
// -->
</SCRIPT>
<!-- ****************************** END OF NON-CHANGEABLE CODE ************** -->
<!-- You can modify the remainder of the <HEAD> -->
<TITLE>Secondary logon </TITLE>
</HEAD>
<!-- ================================================= -->
<!-- You can modify the <BODY> of this document, except where noted -->
<BODY BGCOLOR="#FFFFFF">
<!-- Javascript required!
You can change the following if you want.
You can even convert it to HTML (and not use document.writeln)
but be sure to retain the onClick and onSubmit attributes
-->
<script>
document.writeln('<H2><a name="top">'+appname+': Session key (password) required</a></H2>')
document.writeln('<em>' + status_message + '</em><p>')
document.writeln('<FORM name="askmd5" onSubmit="byebye() ; return false">')
document.writeln(" 1) Enter your " + appname + " password: ")
document.writeln(' <INPUT type="text" name="your_pwd" value="" size=20>')
document.writeln(' <INPUT type="button" value="2) click here to generate your session key"')
document.writeln(' onclick="document.askmd5.session_key.value=comp_md5(document.askmd5.your_pwd.value,1)">')
document.writeln('<p> ... your <a href="#specs">session key is</a>: ')
document.writeln(' <INPUT type="text" name="session_key" value="" size=35>)')
document.writeln(' <br><input type="submit" value="3) then click here to return this session key to ' + appname + '">')
document.writeln('</FORM>')
</script>
<!-- This version of DYNPWD REQUIRES a javascript compliant browser.
It is possible to use non-javascript (but cookie compliant) browsers,
but since it would require several exchanges, we don't bother.
You can customize the NOSCRIPT if you want.
-->
<noscript>
<blockquote>
Unfortunately, your browser does not support JavaScript --
you will not be able to use this application.
</blockquote>
</noscript>
<!-- you can safely remove or modify the following description -->
<hr>
<h3><a name="specs">Technical specs </a></h3>
The <tt>session key</tt> is a <em>dynamic, encrypted password</em> --
it changes from day to day (and from machine to machine), and
is encrypted for safe passage over the Internet. Use of a dynamic
password, while not as secure as SSL, does solve many of the access
problems associated with the standard ("basic") authentication methods
used by most (http/1.0) browsers. In particular, "man in the middle" attacks
(conducted by anyone who can monitor communications from you to a web site)
are significantly more difficult.
<p>
To return this dynamic, encrypted password to this server, you <b>must</b> be
using a cookie-capable browser that understands JavaScript; basically,
NetScape 2.0 and above.
<blockquote>http/1.1 browsers and servers support "digest" authentication, which also
entails the use of "dynamic, encrypted" passwords. As http/1.1 browsers become
more widely adopted, the need for 3rd party solutions (such as this
HTML/JavaScript/cookie approach) will disappear. </blockquote>
<h3>Implentation notes</h3>
The <tt>session-key</tt>
is based on a <tt>shared secret</tt> known to only the client and the server.
This need not
be the same as the "logon" password required to gain access to a server's
basic resource (the password entered in your browsers' username/password
authentication box). In fact, since a "logon" password is transmitted without
any encoding, good practice suggests that the <tt>shared secret</tt>
should <b>never be used</b> as a "logon" password.
<blockquote>Many sites will use a multi-step process:<ol compact>
<li>A standard ("basic") logon, where you provide a username and a "logon" password
in the browsers authentication pop-up window.
<li>A request for a session-key, at which point you enter the <tt>shared secret</tt>.
<li>The server uses the username/password (from step 1) to lookup your <tt>shared
secret</tt> (alternatively, there may be a single shared secret for all clients requesting
a given resource).
<li> This shared secret is used to verify the session-key.
</ol>
</blockquote>
<h3>The encryption method</h3>
The session key is computed using an MD5 hash of the following:
<menu><li>your IP-address
<li>the timestamp
<li>your <tt>Shared-secret</tt> (it will be converted to upper case)
</menu>
In particular:<tt> session_key=md5("IP-address_timestamp_Shared-secret")</tt>
<script>
document.writeln('<p>For example, if:')
document.writeln('<form ACTION="" name="dasample"> <menu>')
document.writeln('<li>IP_Address=<tt> '+ theip + '</tt>')
document.writeln('<li>Timestamp=<tt>' + tstamp + '</tt>')
document.writeln('<li>Shared-secret=<tt>goose2</tt>')
document.writeln('</menu>')
document.writeln('then <menu>')
aa=theip + '_' + tstamp + '_' + 'goose2'
document.writeln('<li><tt>session_key=md5("'+aa+'")</tt>')
document.writeln('<li><input type="checkbox" value=1 ')
document.writeln(' onClick="document.dasample.sampkey.value=comp_md5(aa,0);return true">')
document.writeln('check to compute sample <tt>session key</tt> ---> ')
document.writeln('<input type="text" name="sampkey" size=24>')
document.writeln('</menu></form> ')
</script>
<a href="#top">top</a>
</body> </HTML>