42

Let's say hypothetically I am writing a web application targeting technically inclined, security-conscious users who have no problems generating and using GPG or SSH keys.

Is it possible to use said keys to authenticate with a web application in a secure fashion to replace traditional password-based authentication?

If it is possible, what will the authentication steps look like? Is there perhaps a known good implementation of such an idea for popular languages and platforms like Ruby, .NET, Java or Python?

If it isn't possible, what are the reasons? Is there perhaps a constraint on web browsers accessing the GPG keychain or SSH key file?

  • https://webpg.org/ may be of interest – deed02392 Oct 17 '13 at 13:59
  • Related: [Why are PGP signatures not more widely used as an authentication method?](http://security.stackexchange.com/q/72330/12139) – unor Nov 19 '14 at 11:08
  • 1
    If your users are tech savvy, client certificates may be a better option and they have built-in support in major browsers. – André Borie Jul 28 '16 at 16:28
  • IndieAuth.com is allowing GPG for login, see https://indieauth.com/gpg – I am the author of indieauth-node (WIP) where you will have to sign a JSON WebToken (where the password exists in a session) but basically that is just an extra security layer. – sebilasse Feb 11 '17 at 10:01

3 Answers3

19

For a Web application, the main problem is that the Web site code (Javascript in a browser) is not able to read and write files at will. Well, in general, this is more a boon that a problem, but here it means that the Javascript code will not be able to access SSH or PGP private keys.

There are things which can be done, depending on how much technology-savvy your users are, and how many manual operations they will tolerate:

  • You could use a locally installed browser extension which accesses the SSH or PGP private keys on behalf of the Web site. Preferably, some user control is advisable: we really don't want a browser which will sign things just because a Web site said to do it.

  • The server may act as a SSH server, and requires clients to connect with SSH and key-based client authentication. The user would run SSH in "SOCKS proxy" mode. The Web server itself would listen only to localhost, i.e. be unreachable except through such a local proxy. In this mode, the Web server could even be HTTP, not HTTPS; this would really be replacing SSL with SSH. On the server side, keeping track of users should use mod_ident or something similar (the SSH server knows who the client is, but the information must be forwarded to the HTTP server; fortunately, this is on the same machine, so the Unix-level identity can be used).

  • The Web site could display a "challenge" as a downloadable file with random contents. The user obtains the file, signs it with GnuPG, and pastes the (ASCII-armored) output into a text field on the Web site. The server verifies the signature, and accepts it as authenticating the user (provided that the server already knows the user's public key). Clunky, but works.

A mail-based variant of the above can be advisable, because PGP implementations are often embedded in email software, and also because it opens a possibility of not having to trust an external root CA. It would look like this:

  • User connects to the Web server with HTTPS. The server uses a self-signed certificate. The browser warns about it (the "red scary warning") but allows the user to proceed.

  • In the site, the user enters his name. Then the server sends a signed and encrypted email (with PGP) to the user; the signed email contains a random nonce, and also a copy of the server's SSL certificate thumbprint. The random nonce is also printed out on the Web site itself.

  • The user verifies the PGP signature on the server's email, then checks that the thumbprint matches the one he can see from his browser; this convinces the user that he is seeing the genuine server certificate, so there is no ongoing Man-in-the-Middle attack. (This is where we replace the X.509 CA system with PGP-based validation.)

  • The user also verifies that the nonce displayed on the Web site matches the one he sees in the email (this is important).

  • The user responds to the email by sending its contents back, this time signed with his own PGP private key, and encrypted with the server's public key. The server verifies that email and thus knows that the nonce value was indeed received by the intended user.

  • The server sends the nonce value as a cookie to the user's browser. This allows browsing without pestering the user with further authentication rounds. It is up to the server to decide how long it will accept the cookie as a valid authentication token.

In the above scheme, it is important to notice that by sending back his email response, the user is really authorizing the server to assume that whoever comes back with the nonce (as included in the email) is really the user himself. This is why manually checking that the nonce matches what is shown on the Web page is important.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Great answer as always. I guess this isn't really feasible since the manual operations needed will piss off even the most dedicated of users. –  Oct 17 '13 at 15:23
  • I've been trying to create an instance of your 2nd example with people tunneling in via ssh, and having the webserver use this authentication. However, I can't find any documentation at all on how to use mod_ident. Do you know where I can learn more? – Mala Mar 14 '15 at 23:45
  • "locally installed browser extension which accesses the SSH or PGP private keys on behalf of the Web site" - this is *very* risky. – Federico Aug 19 '16 at 10:59
9

Is it possible to use OpenPGP/SSH key pairs to authenticate with a web application in a secure fashion to replace traditional password-based authentication?

Yes. It is quite possible.

If it is possible, what will the authentication steps look like? Is there perhaps a known good implementation of such an idea for popular languages and platforms like Ruby, .NET, Java or Python?

See my answer for the next question.

If it isn't possible, what are the reasons? Is there perhaps a constraint on web browsers accessing the GPG keychain or SSH key file?

Processing SSH and OpenPGP keys in a web app is possible with third party libraries (especially C or Java libraries given their rich ecology), but you would be missing out on leveraging the most common existing solution - SSL/TLS.

The best bet would be for users to generate X509 client certificate signed by your server to authenticate themselves - because then your web app can simply rely on the web container (Catalina Tomcat, ApacheD, IIS, etc) to perform seamless encryption and authentication for your application.

Under the hood OpenPGP keys have the same RSA exponents as a X509 certificate, so tools such as openssl can convert GPG/PGP keys to self-signed* X509 certificates; same for SSH keys.

* OpenPGP web-of-trust qualifies as 'self-signed' from the X509 standpoint because X509v3 can't have a multiply-rooted trust chain as far I've been able to determine.

LateralFractal
  • 5,143
  • 18
  • 41
  • I know this answer seems to dismiss using GPG/SSH for web applications, but GPG/SSH for the web application is much less supported or tested than the main SSL/TLS stack. Better to solve the TLS Root CAs spy problem through a multi-sig X509 v4 standard than abandon it entirely. – LateralFractal Oct 17 '13 at 14:11
  • 1
    https://github.com/altitude/login-with-ssh is a proof of concept for SSH public key authentication that then generates a session token for you to use on a website. – Adam Baxter Jan 29 '16 at 14:50
4

The existing answers offer good advice - use the SSL stack in the browser instead.

However, it is actually possible to do exactly what you want - using JavaScript cryptography.

There is an OpenPGP implementation in JavaScript http://openpgpjs.org/ I can't vouch for it's quality.

Also, it is possible for HTML5 JavaScript to access local files, e.g. http://www.html5rocks.com/en/tutorials/file/dndfiles/

I think this would be more a curiosity than a practical system though.

paj28
  • 32,736
  • 8
  • 92
  • 130