Established Javascript Solution For Secure Registration & Authentication Without Ssl

Is there any solution for secure user registration and authentication without SSL? With 'secure' I mean safe from passive eavesdropping, not from man-in-the-middle (I'm aware that

Solution 1:

For logging in you could try SRP from clipperz:

• I'm not sure how strong the random number generator they use is. You might want to try and use the Crypto API to get stronger values. I'm not sure how you can get secure seed values in javascript without using Crypto API.

For sending initial password to server you could use public key encryption. So the server sends the client its public key (ok under the no mitm assumption) and the client encrypts the whole registration request when registering. Cipperz has support for public key encryption but in a very raw form. Often you use public key encryption to encrypt a randomly generated symmetric key and use the symmetric key to encrypt the payload. You have to be quite careful with padding/etc to make public encryption properly secure. I don't know of any robust public key crypto libraries for javascript.

You may want to check out jsbn for public key encryption because it looks like it does padding correctly. Though, I suspect it suffers from insecure random number generation. It would be a good idea to use Crypto API or make the user bang the keyboard to generate some entropy. Snippet from rng.js

// For best results, put code like// <body onClick='rng_seed_time();' onKeyPress='rng_seed_time();'>// in your main HTML document.