Powerhouse Web Security

Peter Bateman peterbateman808 at hotmail.com
Fri Feb 15 14:22:26 CST 2008


 
Here is something that I have done.
I have created an encrypted logon record structure.
Each column has its own encryption keys. The QUICK user has read permission to this structure, and the QUICK user can update it if he knows the answer to the secret question.
The QUICK user can only update the password field and the set date.
This leaves creating an account for some other user.
The E_MAIL field was used as an alternate key if the user forgot his user_name.
The structure is:
   Logon_Info
      USER_NAME          segment
      PASSWORD           segment
      E_MAIL             unique key
      SET_DATE
      SECRET_QUESTION
      SECRET_ANSWER
On the first screen, prompt for the user name and password and encrypt the entered values.
Lookup on LOGON_INFO.
PROCEDURE INTERNAL ENCRYPT_DATE
BEGIN
   T_DS = ASCII ( T_SET_DATE, 8 )
   LET DECADE = DECADES[ (NCONV ( T_DS[3:1] ) + 1 ) : 1 ]
   LET YEAR   = YEARS  [ (NCONV ( T_DS[4:1] ) + 1 ) : 1 ]
   LET MONTH  = MONTHS [ (NCONV ( T_DS[5:2] ) + 1 ) : 1 ]
   LET DAY1   = DAY1S  [ (NCONV ( T_DS[7:1] ) + 1 ) : 1 ]
   LET DAY2   = DAY2S  [ (NCONV ( T_DS[8:1] ) + 1 ) : 1 ]
   LET T_DATE_STRING = YEAR + DECADE + DAY2 + MONTH + DAY1
   LET T_DATE_STRING = ENCRYPT ( ENCRYPT ( T_DATE_STRING, 'ZRWEFJBC' ) , 'TQHSTGCX' )
END
PROCEDURE INTERNAL DECRYPT_DATE
BEGIN
   LET T_DATE_STRING = DECRYPT ( DECRYPT ( T_DATE_STRING, 'TQHSTGCX' ) , 'ZRWEFJBC' )
   LET DECADE = T_DATE_STRING[2:1]
   LET YEAR   = T_DATE_STRING[1:1]
   LET MONTH  = T_DATE_STRING[4:1]
   LET DAY1   = T_DATE_STRING[5:1]
   LET DAY2   = T_DATE_STRING[3:1]
   LET T_SET_DATE = 20000000 + &
                    ( INDEX ( DECADES, DECADE ) - 1 ) * 100000 + &
                    ( INDEX ( YEARS, YEAR ) - 1 ) * 10000 + &
                    ( INDEX ( MONTHS, MONTH ) - 1 ) * 100 + &
                    ( INDEX ( DAY1S, DAY1 ) - 1 ) * 10 + &
                    ( INDEX ( DAY2S, DAY2 ) - 1 )
   ; There should be a valid date check here in case something went
   ; wrong. Also, the date should be less than SYSDATE.
END
PROCEDURE DESIGNER RSPASS help 'Reset password' nodata
BEGIN
   LET T_SECRET_QUESTION = decrypt secret question
   DISPLAY T_SECRET_QUESTION
   ACCEPT T_SECRET_ANSWER
   T_SECRET_ANSWER2 = encrypt T_SECRET_ANSWER
   IF T_SECRET_ANSWER2 = SECRET_ANSWER OF LOGON_INFO
   THEN BEGIN
      ACCEPT T_PASS1
      ACCEPT T_PASS2
      IF T_PASS1 <> T_PASS2
      THEN error "Passwords do not agree. "
      LET PASSWORD OF LOGON_INFO = ENCRYPT ( ENCRYPT ( T_PASS1, 'YODGLZM' ), 'GHIKSNRW' )
      LET T_SET_DATE = SYSDATE
      DO INTERNAL ENCRYPT_DATE
      LET SET_DATE OF LOGON_INFO = T_DATE_STRING
      PUT LOGON_INFO
      COMMIT UPDATE
      LOGON_OK = 'Y'
   END
   ELSE ERROR "The answer is incorrect."
END ; RSPASS
PROCEDURE INTERNAL PROMPT_LOGIN
BEGIN
   LET LOGON_OK = 'N'
   ACCEPT T_USERNAME
   ACCEPT T_PASSWORD
   ; encrypt username & password
   GET LOGON_INFO via username , password optional
   IF NOT ACCESSOK
   THEN BEGIN
      IF ATTEMPTS < TRY_LIMIT
      THEN BEGIN
         INFO = "User name and/or password incorrect. Please try again"
         LET ATTEMPTS = ATTEMPTS + 1
         DO INTERNAL PROMPT_LOGIN
      END
   END
   ELSE BEGIN
      LET T_SET_DATE = DECRYPT_DATE   ; decrypted SET_DATE of LOGON_INFO
      IF EXP_DAYS_PASSWORD < DAYS ( SYSDATE ) - DAYS ( T_SET_DATE )
      THEN BEGIN
         INFO = "Password has expired."
         PUSH RSPASS
      END
      ELSE BEGIN
         LOGON_OK = 'Y'
         IF WARN_DAYS_PASSWORD < DAYS ( SYSDATE ) - DAYS ( T_SET_DATE )
         THEN INFO = 'Password will expire in ' + &
                     ASCII ( ( EXP_DAYS_PASSWORD - &
                               DAYS ( SYSDATE ) + &
                               DAYS ( T_SET_DATE ) ) ) + &
                     ' days. '
         ELSE NULL
      END
   END
END ; PROMPT_LOGIN
> Subject: Powerhouse Web Security
> Date: Wed, 13 Feb 2008 12:48:52 -0800
> From: Paul.M.Hodson at gov.bc.ca
> To: powerh-l at lists.sowder.com
>
> We are looking at user authentication for our powerhouse web environment. We are currently using a table with ID's and Passwords but the management falls to IT. Would prefer that we use our clients as the point of contact and a more robust approach - more web like using question reminders and self-serve password resets.
>
> Any insight? Suggestion?
>
> Thanks,
> Paul Hodson
>
> --
> = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> Mailing list: powerh-l at lists.sowder.com
> Subscribe: "subscribe" in message body to powerh-l-request at lists.sowder.com
> Unsubscribe: "unsubscribe <password>" in message body to powerh-l-request at lists.sowder.com
> http://lists.sowder.com/mailman/listinfo/powerh-l
> This list is closed, thus to post to the list you must be a subscriber.
> Add 'site:lists.sowder.com powerh-l' to your search terms to search the list archive at Google.
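As an added example (not code from Peter's post or from PowerHouse), the same self-serve flow in Python: the attempt counter and TRY_LIMIT, the SET_DATE expiry and warning-day arithmetic from PROMPT_LOGIN, the future-date check the DECRYPT_DATE comment asks for, and the RSPASS reset gated on the secret answer. One technique is swapped in and named as such: PASSWORD and SECRET_ANSWER are stored as salted one-way hashes (PBKDF2) rather than reversibly encrypted with fixed keys, so the record cannot be decrypted back to the password. The limits, the answer normalisation and the LOCKED status are assumptions.

```python
# Added example, not from the original post. Assumed limits (the post does not give them):
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

TRY_LIMIT = 3            # assumed value of the post's TRY_LIMIT
EXP_DAYS_PASSWORD = 90   # assumed value of EXP_DAYS_PASSWORD
WARN_DAYS_PASSWORD = 80  # assumed value of WARN_DAYS_PASSWORD


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted one-way hash (PBKDF2-HMAC-SHA256) used for PASSWORD and SECRET_ANSWER.
    Swapped in for the post's reversible ENCRYPT with fixed keys."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)


def normalize_answer(answer: str) -> str:
    """Assumption: secret answers compare case- and whitespace-insensitively."""
    return " ".join(answer.strip().lower().split())


@dataclass
class LogonInfo:
    """One LOGON_INFO record (constructed in-memory; no database)."""
    user_name: str
    email: str
    secret_question: str
    set_date: date
    salt: bytes
    password_hash: bytes
    secret_answer_hash: bytes
    attempts: int = 0  # failed logons since the last success (the post's ATTEMPTS)

    @classmethod
    def create(cls, user_name, email, question, answer, password, set_date):
        salt = os.urandom(16)
        return cls(user_name, email, question, set_date, salt,
                   hash_secret(password, salt),
                   hash_secret(normalize_answer(answer), salt))

    def password_matches(self, password: str) -> bool:
        # Constant-time comparison of the stored hash with the hash of the entry.
        return hmac.compare_digest(self.password_hash, hash_secret(password, self.salt))

    def answer_matches(self, answer: str) -> bool:
        return hmac.compare_digest(self.secret_answer_hash,
                                   hash_secret(normalize_answer(answer), self.salt))


def prompt_login(rec: LogonInfo, password: str, today: date) -> tuple:
    """Mirror of PROMPT_LOGIN: returns (status, message)."""
    if rec.attempts >= TRY_LIMIT:          # assumed: stop prompting after TRY_LIMIT failures
        return "LOCKED", "Too many failed attempts."
    if not rec.password_matches(password):
        rec.attempts += 1
        return "RETRY", "User name and/or password incorrect. Please try again"
    rec.attempts = 0
    if rec.set_date > today:               # the validity check DECRYPT_DATE's comment asks for
        return "ERROR", "Password set date is later than today."
    age = (today - rec.set_date).days      # DAYS(SYSDATE) - DAYS(T_SET_DATE)
    if age > EXP_DAYS_PASSWORD:
        return "EXPIRED", "Password has expired."
    if age > WARN_DAYS_PASSWORD:
        return "OK", "Password will expire in %d days." % (EXP_DAYS_PASSWORD - age)
    return "OK", ""


def rspass(rec: LogonInfo, answer: str, pass1: str, pass2: str, today: date) -> tuple:
    """Mirror of RSPASS: reset the password only after a correct secret answer.
    Returns (ok, message)."""
    if not rec.answer_matches(answer):
        return False, "The answer is incorrect."
    if pass1 != pass2:
        return False, "Passwords do not agree."
    rec.password_hash = hash_secret(pass1, rec.salt)   # salt kept, so the answer hash stays valid
    rec.set_date = today                               # SET_DATE = SYSDATE
    rec.attempts = 0
    return True, ""


if __name__ == "__main__":
    # Constructed sample record; dates chosen around the post's own date.
    rec = LogonInfo.create("paul", "paul@example.invalid", "First pet?", "Rex",
                           "s3cret", date(2008, 1, 1))
    print(prompt_login(rec, "s3cret", date(2008, 3, 25)))   # warning: 84 days old
    print(prompt_login(rec, "s3cret", date(2008, 4, 15)))   # expired: 105 days old
    print(rspass(rec, " REX ", "newpw", "newpw", date(2008, 4, 15)))
    print(prompt_login(rec, "newpw", date(2008, 4, 15)))
```

The only state the reset path changes is the password hash and SET_DATE, matching the post's rule that the QUICK user may update only those two fields; the secret answer is checked, never returned, so a caller that merely guesses at the question learns nothing from a failed reset.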
