Challenge / Response Authentication with TLS enabled WebSocket?

#1

Hi!

Since I am new to Autobahn but so super excited, this is my second post on a single day - but I hope no one minds!?

In the last post I gave some details on my project in which I am using Autobahn WebSockets to connect multiple clients to a server. Since the application stays within Python on both client and server I am trying to figure out what is best in terms of authentication and came up with the following idea:

First of all, the WebSocket accepts connections via an SSL/TLS-enabled server. With the communication encrypted, I feel very comfortable using Challenge / Response Authentication over WebSocket in combination with a very short timeout mechanism. I have seen this kind of authentication in the Loxone Smart-Home system - but they aren't using SSL/TLS encryption anymore. The whole process would look like the following:

  1. Client successfully connects to the WebSocket.
  2. Server sends back a randomized and maybe encrypted random number.
  3. Client sends Username / Password - or - Key / Secret within a given timeout.
  4. Server evaluates the response and grants access.
  5. If the client has not managed to respond within the timeout, the connection will be closed.

I am not quite sure whether this is one way to go - or whether it is a good idea at all. I know that this involves storing some information on the server / client in plain text - but I currently can't think of a different authentication (especially when using WebSockets only and staying web-less in the Python domain all the time).

So I am asking for some help / advice on this topic!

Best,

Simon


#2

Hi Simon,

You might have a look at WAMP-CRA (Challenge Response), which works roughly like this (well, done right, as what you describe isn't sufficient). WAMP-CRA is one of the authentication mechanisms in WAMP.

Cheers,
/Tobias

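To make the difference between the two posts concrete, here is the five-step exchange from Simon's post, but done the way Tobias points at with WAMP-CRA: the server sends a fresh, single-use challenge, and the client answers with an HMAC of that challenge keyed by a PBKDF2-derived key, so neither the password nor a reusable secret ever crosses the wire, and the server stores only a salt and the derived key. This is an added example, not code from the original thread or from Autobahn/Crossbar; it is modelled on WAMP-CRA's salted mode (JSON challenge, PBKDF2-SHA256, base64 HMAC-SHA256) but uses only the standard library and a simulated clock, and the message names, the timeout value and the `close:*` result strings are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Parameters assumed for this example; WAMP-CRA hands iterations and key
# length to the client in the challenge extras in the same way.
PBKDF2_ITERATIONS = 1000
KEY_LEN = 32
CHALLENGE_TIMEOUT = 5.0  # seconds the client has to answer the challenge


def derive_key(secret: str, salt: str, iterations: int = PBKDF2_ITERATIONS,
               keylen: int = KEY_LEN) -> bytes:
    """PBKDF2-SHA256 of the password; this, not the password, is the HMAC key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(),
                               iterations, keylen)


def sign_challenge(key: bytes, challenge: str) -> str:
    """Base64(HMAC-SHA256(key, challenge)): what the client sends back."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def enroll(authid: str, password: str) -> dict:
    """Server-side record: a random salt and the derived key, never the password."""
    salt = secrets.token_hex(16)
    return {"authid": authid, "salt": salt, "key": derive_key(password, salt)}


class Server:
    def __init__(self, records):
        self.users = {r["authid"]: r for r in records}
        self.pending = {}  # session id -> (authid, challenge json, deadline)

    def on_hello(self, authid: str, session: int, now: float):
        """Step 2: answer a HELLO with a fresh, single-use challenge."""
        rec = self.users.get(authid)
        if rec is None:
            return None  # unknown user: nothing to challenge, caller closes
        challenge = json.dumps({
            "nonce": secrets.token_hex(16),  # unpredictable per connection
            "authid": authid,
            "session": session,
            "timestamp": int(now),
        }, sort_keys=True)
        self.pending[session] = (authid, challenge, now + CHALLENGE_TIMEOUT)
        # extras the client needs to recompute the key; no secret in here
        return {"challenge": challenge, "salt": rec["salt"],
                "iterations": PBKDF2_ITERATIONS, "keylen": KEY_LEN}

    def on_authenticate(self, session: int, signature: str, now: float) -> str:
        """Steps 4 and 5: verify within the deadline, then forget the challenge."""
        entry = self.pending.pop(session, None)  # single use: nonce cannot be replayed
        if entry is None:
            return "close:no-challenge"
        authid, challenge, deadline = entry
        if now > deadline:
            return "close:timeout"
        expected = sign_challenge(self.users[authid]["key"], challenge)
        if not hmac.compare_digest(expected, signature):
            return "close:bad-signature"
        return "welcome"


class Client:
    def __init__(self, authid: str, password: str):
        self.authid, self.password = authid, password

    def on_challenge(self, extras: dict) -> str:
        """Step 3: derive the key from the salt and sign; the password never leaves."""
        key = derive_key(self.password, extras["salt"],
                         extras["iterations"], extras["keylen"])
        return sign_challenge(key, extras["challenge"])


def run_exchange(server, client, session, delay=0.0, now=1_000_000.0) -> str:
    """Drive one HELLO / CHALLENGE / AUTHENTICATE round trip on a simulated clock."""
    extras = server.on_hello(client.authid, session, now)
    if extras is None:
        return "close:unknown-user"
    signature = client.on_challenge(extras)
    return server.on_authenticate(session, signature, now + delay)


if __name__ == "__main__":
    srv = Server([enroll("simon", "correct horse battery staple")])
    print(run_exchange(srv, Client("simon", "correct horse battery staple"), 1))  # welcome
    print(run_exchange(srv, Client("simon", "wrong"), 2))  # close:bad-signature
    print(run_exchange(srv, Client("simon", "correct horse battery staple"), 3, delay=10))  # close:timeout
```

Note what the TLS layer does not buy you here: TLS protects the bytes in transit, but a scheme that sends the password itself (step 3 of the original plan) still hands a reusable secret to whatever terminates the TLS connection and still requires the server to keep it in clear. With the HMAC form, a captured response is useless after the nonce is consumed, and a leaked server record yields only a salted PBKDF2 key. Real deployments should still pick a higher iteration count than the 1000 used above, and bind the challenge to the TLS session if the transport allows it.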