Andrew Boyson / web

Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bit to give six base 64 characters but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.

The most likely attack would to use a dictionary with, say, 10 million entries against the password which would still take 20 days to do.

base/login/web-login-html.c@127:bd6dd135009d, 2019-07-31 (annotated)

Committer:
andrewboyson
Date:
Wed Jul 31 15:09:15 2019 +0000
Revision:
127:bd6dd135009d
Parent:
110:8ab752842d25 
Amalgamated Reply into Poll function

Who changed what in which revision?

UserRevisionLine numberNew contents of line
andrewboyson 110:8ab752842d25 1 #include "http.h"
andrewboyson 110:8ab752842d25 2 #include "web-add.h"
andrewboyson 110:8ab752842d25 3 #include "web-login.h"
andrewboyson 110:8ab752842d25 4 #include "web-pages-base.h"
andrewboyson 110:8ab752842d25 5
andrewboyson 110:8ab752842d25 6 void WebLoginHtml()
andrewboyson 110:8ab752842d25 7 {
andrewboyson 110:8ab752842d25 8 HttpOk("text/html; charset=UTF-8", "no-cache", NULL, NULL);
andrewboyson 110:8ab752842d25 9 WebAddHeader("Login", NULL, NULL);
andrewboyson 110:8ab752842d25 10 HttpAddText(
andrewboyson 110:8ab752842d25 11 "<style>"
andrewboyson 110:8ab752842d25 12 #include "web-login-css.inc"
andrewboyson 110:8ab752842d25 13 "</style>"
andrewboyson 110:8ab752842d25 14 );
andrewboyson 110:8ab752842d25 15 WebAddH1("Login");
andrewboyson 110:8ab752842d25 16 if (WebLoginPasswordIsSet())
andrewboyson 110:8ab752842d25 17 {
andrewboyson 110:8ab752842d25 18 WebAddH2("Welcome - please enter the password");
andrewboyson 110:8ab752842d25 19 }
andrewboyson 110:8ab752842d25 20 else
andrewboyson 110:8ab752842d25 21 {
andrewboyson 110:8ab752842d25 22 WebAddH2("Please enter a new password following user reset");
andrewboyson 110:8ab752842d25 23 HttpAddText("<p>Be careful to make it the one people expect!</p>");
andrewboyson 110:8ab752842d25 24 }
andrewboyson 110:8ab752842d25 25
andrewboyson 110:8ab752842d25 26 HttpAddText("<form action='/login' method='get' autocomplete='off'>\r\n");
andrewboyson 110:8ab752842d25 27 HttpAddText(" <div style='width:8em; display:inline-block;'>Password</div>\r\n");
andrewboyson 110:8ab752842d25 28 HttpAddF (" <input type='hidden' name='todo' value='%d'>\r\n", WebLoginOriginalToDo);
andrewboyson 110:8ab752842d25 29 HttpAddText(" <input type='text' name='password' value='' autofocus>\r\n");
andrewboyson 110:8ab752842d25 30 HttpAddText(" <input type='submit' value='' >\r\n");
andrewboyson 110:8ab752842d25 31 HttpAddF ("</form>\r\n");
andrewboyson 110:8ab752842d25 32
andrewboyson 110:8ab752842d25 33 WebAddEnd();
andrewboyson 110:8ab752842d25 34 }
andrewboyson 110:8ab752842d25 35
andrewboyson 110:8ab752842d25 36 /*
andrewboyson 110:8ab752842d25 37 Device sends request for resource to server
andrewboyson 110:8ab752842d25 38 Server cannot validate the session cookie (or there isn't one) so sends login form with original resource number as a hidden input
andrewboyson 110:8ab752842d25 39 Device does a GET for /login with query containing password and original resource
andrewboyson 110:8ab752842d25 40 Server validates password and sends original resource with a valid session cookie.
andrewboyson 110:8ab752842d25 41 */