Andrew Boyson / web

Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bit to give six base 64 characters but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.

The most likely attack would to use a dictionary with, say, 10 million entries against the password which would still take 20 days to do.

base/login/web-login-session-name.c@127:bd6dd135009d, 2019-07-31 (annotated)

Committer:
andrewboyson
Date:
Wed Jul 31 15:09:15 2019 +0000
Revision:
127:bd6dd135009d
Parent:
110:8ab752842d25 
Amalgamated Reply into Poll function

Who changed what in which revision?

UserRevisionLine numberNew contents of line
andrewboyson 109:3e82f62c7e1f 1 #include "web-site-name.h"
andrewboyson 71:d6aacc7d62ab 2
andrewboyson 82:980a393ff4dc 3 #define SESSION_LIFE 10 * 365 * 24 * 60 * 60
andrewboyson 82:980a393ff4dc 4
andrewboyson 71:d6aacc7d62ab 5 //Do not use ' ', ';', '=' as they are part of the cookie protocol: name1=value1; name2=value2; name3=value3 etc
andrewboyson 71:d6aacc7d62ab 6 static char sessionName[9]; //Limit the name to 8 characters (plus terminating zero) to keep things quick
andrewboyson 71:d6aacc7d62ab 7
andrewboyson 103:91194cc19bbb 8 char* WebLoginSessionNameGet()
andrewboyson 71:d6aacc7d62ab 9 {
andrewboyson 71:d6aacc7d62ab 10 return sessionName;
andrewboyson 71:d6aacc7d62ab 11 }
andrewboyson 71:d6aacc7d62ab 12
andrewboyson 103:91194cc19bbb 13 void WebLoginSessionNameCreate()
andrewboyson 71:d6aacc7d62ab 14 {
andrewboyson 71:d6aacc7d62ab 15 //Make the session name from the site name - eg "Heating" and "GPS Clock" will be "heat_sid" and "gpsc_sid"
andrewboyson 71:d6aacc7d62ab 16 int i = 0;
andrewboyson 71:d6aacc7d62ab 17 int j = 0;
andrewboyson 71:d6aacc7d62ab 18 while (1)
andrewboyson 71:d6aacc7d62ab 19 {
andrewboyson 71:d6aacc7d62ab 20 if (i >= sizeof(sessionName) - 4 - 1) break; //Leave room for the "_sid" and the terminating NUL character
andrewboyson 109:3e82f62c7e1f 21 char c = WEB_SITE_NAME[j++];
andrewboyson 71:d6aacc7d62ab 22 if (!c) break; //Stop if run out of site name
andrewboyson 71:d6aacc7d62ab 23 if (c >= 'A' && c <= 'Z') c |= 0x20; //Make lower case
andrewboyson 71:d6aacc7d62ab 24 if (c < 'a' || c > 'z') continue; //Skip anything other than letters
andrewboyson 71:d6aacc7d62ab 25 sessionName[i++] = c; //Add the first characters of the site name for which there is room
andrewboyson 71:d6aacc7d62ab 26 }
andrewboyson 71:d6aacc7d62ab 27 for (int k = 0; k < 4; k++) //Add "_sid"
andrewboyson 71:d6aacc7d62ab 28 {
andrewboyson 71:d6aacc7d62ab 29 sessionName[i++] = "_sid"[k];
andrewboyson 71:d6aacc7d62ab 30 }
andrewboyson 71:d6aacc7d62ab 31 sessionName[i] = 0; //Add the terminating NUL character
andrewboyson 71:d6aacc7d62ab 32 }
andrewboyson 82:980a393ff4dc 33
andrewboyson 103:91194cc19bbb 34 int WebLoginSessionNameLife()
andrewboyson 82:980a393ff4dc 35 {
andrewboyson 82:980a393ff4dc 36 return SESSION_LIFE;
andrewboyson 82:980a393ff4dc 37 }