Recent Posts

Okay, I did some more digging around, and I think I found the problem.

The issue is because in a recent change of FireGPG, when the default preferences are loaded, they inverted from the values gpgAuth is expecting.

It should be fixed in the next release of FireGPG - in the meantime, for FireGPG version 0.7.10, you can fix the problem by performing the following steps:

Windows XP:

Click on Start -> All Programs -> Accessories -> WordPad
(Use WordPad, not Notepad, as notepad will not read the file correctly)

Then click File -> Open, and navigate to C:\Documents and Settings, Your user account, Application Data\Mozilla\Profiles, Your profile (usually RANDOM_STRING.default), extensions\firegpg@firegpg.team\defaults\preferences, and there should be a file called "firegpg.js", click on it and click "Open",

Find the line that says:

Code:

pref("extensions.firegpg.gpgauth.global.enable_gpgauth", true);

and change word "true" at the end to say "false", so it looks like this:

Code:

pref("extensions.firegpg.gpgauth.global.enable_gpgauth", false);

Then save the file and restart FireFox, and all should be working now..

For Linux (Ubuntu and most others):

Navigate to ~/mozilla/firefox/profiles/, select your profile, extensions/firegpg@firegpg.team/defaults/preferences, open in your favorite editor and modify the same line as described above.  OR - I have attached a bash script which will do the same as that for all profiles for your user.

Just download the bash script, execute it, and restart firefox. (You really should review the contents of the script first, for security reasons, but also to verify it, I wrote it quickly and it might not be perfect)

So, do you have gpgAuth enabled in the FireGPG options?

If so, can you go to the gpgAuth section in the FireGPG options and click on "Enable the gpgAUth statusbar icon" option, and also enable "Auto-show the status window when using gpgAuth", then try again, you should see some useful information in the status window; attached is a screen-shot example of the status window.

Are you getting any data in the status window (other than gpgAuth initialized)?

Kyle

I'm having the same issue, using Firefox portable on WindowsXP,version 3.0.10,fireGPG 0.7.10

Having absolutely no change in the page when hitting the login button, will attach the public key provided and my own public key as this may give some information on the issue.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (MingW32)

mQGiBEo39TwRBADFqL3mkBwR0bblg8EgBEv1mnKJEyjiXMdWv2xMtLjcpP/QeQ7l
4ICAjwxPjAUtzrtPLkoVnpLtX/1NKx+TcpK0y4Z9x56Jd1W2DCu0gZhWz1MoiFQX
fQl1Acav4cQI+QOWbRRm2LIjUrEIn3FHc9mT1Onsf/pevZxduIVG1JDJTwCg2Vc6
SkdAjl9j3eRJk0Y788VsckcEALNBDcZfPa2ovD320bxtD6NlsDl6LKBHbiqgrMv4
jX7eIHXViTsntrDAo7kZpPfRfXIQMJzoFNhrljV7tDICRQHOdqftoet902lvDeWs
S8LUTb8quXSs0fKwNti2QzXSkmxz6dE3F7B+l+aYN/wYD8qd+w8R07lOK5e2EKTC
GC52A/9PajCcb+y5Kl/KRb5mZ9e0XQm8CPEX2AKtwD5vPVyFif/k0oXls0hXyPgK
aZNwPR3fZMnS/1cbEhmaKmqOKV1YvHMlzNTV7jtVf7B1RD0sPFj4CzIl56lHjRhb
HVCYMHQ7VAxxghMSaBZCRf99gVTy3jNTJWol4x7ElJDaK5in4rQvdGVzdGtleTEy
MyAobm9jb21tZW50KSA8dGVzdGtleTEyM0BncGdhdXRoLmNvbT6IZgQTEQIAJgUC
Sjf1PAIbAwUJAAfpAAYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEKQg9cQ2m4lr
sPUAn1x6x2pKGPLcMXPVUZ3+ySiKAgTwAJ9n+g/M8j50Iit4vKxdKIZUIXbh6bkC
DQRKN/VvEAgAjR74TGfi3tsQvoLKejHv/Xhw8hJyvxkOKMld8PTfyFlgls0ww5Zm
sW5SEBkwuY2eKHG5njL9T195Rjoc09LBzHg2bE5QOYalnsJsh8GUCnIw6KL2+j63
VY9+khpNdRWKRXd3c3j1V3f2oT8Zp4mTuMnfyl5C89HQtMhwoElhSqymMPVS6M5B
wvOrGWhbCtXO6q2YJreZf3i5YdWohIfP60lMChcI6EPCivu3ZhU8zmYqkrpMSwAE
6XaGsNVRYt2hw7gkI+G26/kXEYpPFJq5i11scUr8yW8UeGqSWyWLYD3ZqhbWFB8T
Yz9/8SBgH7oClZfCT+/yX50WUWPu0SuEawADBQgAioVKB4SKYA1K5oOH1kBLAZJI
iT0Cs+jRir98+xi0lKBIf66VRCNsoq3SA3Edv1xSv6thED4Mvem9Cuq3nJmem3bF
xksPfIPvXXy3cAW+0SmFtC6T+zwO/NPmYs8M4EVK7O4fjR9qkDRvbe92N8ATO5fR
THzZwRZnvKE/FLBtqzoQyBMnQY6IOBLoLQlPqvB3Fy7tCeBme5BCs5RHGZdJl41m
nQ+mv2a1tkeGd1WY665BwhORJSpTW0Jtr8Lx9Vz1H9ufZvbGTBjLAafZXWuZRkRI
Dc13pRtan8EBEmdvdPg5sXsuvnnJMADN130dRUQ9yjeafLHSWAAa9BN30FOORohP
BBgRAgAPBQJKN/VvAhsMBQkAB+kAAAoJEKQg9cQ2m4lrFowAnRSV4OQni2DM1Tud
gnXilZxsisd+AKCnmjMsKefrcgPgJh9AGTle5GQIuQ==
=K+++
-----END PGP PUBLIC KEY BLOCK-----



My public key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (MingW32)

mQGiBEt0LlIRBACkBIK4JScUWf6GVOvP/1NywHVMFkkBw0/+nXhfmFMf0ooo48/5
z8suTNWKp51WP/XDXPQ1YmAwTDmXaJ7SLSfRoZCP1yDh3isqwT8rGSO3QnN3zF3R
tzM2K6L9yUFXEpCXH3FqXBx7Ts/9NT7barHKxSpjwUvJobz5b0c7AGKxfwCg3pk1
wreWUIOKaZXZRWAqGxsIJPED/0k+H3E1pL6JLj69IiLu8MNxvPoIYGA9St6pDESG
RwFnlUU1Bojpxeo6U1NDjG6yOH2mbZVW34oC14mGJfjeCZ4sznalehv5pMy0TYq8
pSAz2KnMFZgLvZee5jhKKHA2U7Y5Q75q2TbRUjQq4aw3mXHz7kKhoUfbL6crrznv
O6tuBACGbzdpsBdWqd63t0SO6r3cSyD496qB7iNNi4AXyqjQi8UD+dMZcIr7SWAl
37gMoy+Yvr1UrEcXNkngdPoXbgU/mF/iTj0UBRb5G10p3NdMsgsqAKHitZrfy99i
ZR0k3uXTcJjsKZjJFh5t6qXci7VAis7xEEFfQo+T/jc85gQ21rQoSmFtZXMgTWND
YXJ0aHkgPG1jY2FydGh5amFtZXNAZ21haWwuY29tPohmBBMRAgAmBQJLdC5SAhsj
BQkDwmcABgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQSvoUBau9OdmFbACcDvSL
mOyJZ+OPZixxpy+jWFv3HpoAn0almp+ulZE6KrQjjqxFL9556ISJuQINBEt0LlIQ
CADHmCoBRRldvBy2IpCeRW9N1F1dHIdKSh7mFD/9eH8zRc9Sd147diuy91POj04c
iZfMwJzVH/oVrc984fBvX2bhXqyATxKMzZUY6n7V7kYhBMhCadgnXnNWOMkAezRo
fWPDDs4j5FWQL84UU9onuhUwur2gguA8y/68kbm49XkoTpgVxJihQUtg6ZWVRIeO
OGd4Z23lI2xYfjcQWdv2bPWj1wQuTdTGhkloVheMhm4O3hVQMZgBCM9RM00XrcFw
0F16lxc+qxi6GaS/D39rRiOmKtwnTtIpPvgxqL73eKA1e+r+q3BZoZO+5cKAvKct
HDCpTBOLNxIl7fW53zb/21tXAAMFCAC+e3omf4idiaCPO8NzhYGhhYOFK0ISDZ68
0Yh3gXi6b+N9yrG7SUmkV/wIjipHGlVvDxD9YD28o7ORjtoW2F6nCvhdpNdChF3A
aPkZthcAxpHPazDJ5WKNQhkq48YV6b7VEc3FgsGGolr6ormPegyqJlr6GliBmhg4
Xq6fQ4FtJD6c/BzTQwAsuhfmq3yZOM+EGlJgp6JaeCoA1LxXCQBkPcZmPjqdUwC2
Am6zmFpWAKjs7KjTB3k1c0L7Lag2MvIPVNiX47hDtuL1CnQVAyHrjjXY8bbY//C4
17t2ha03dUWavG7ExsM6f95ud7tSjExVJOpF+6KuCByMHNNMd66AiE8EGBECAA8F
Akt0LlICGwwFCQPCZwAACgkQSvoUBau9Odks/ACgknc1GNUFiHnIoFodMSs+T5QF
SJgAoNwHgJCQyGjDAaD1fy+HeBHaJOT8
=PcOD
-----END PGP PUBLIC KEY BLOCK-----

It should do "something" - do you have the FireGPG extension? if so, is gpgAuth enabled in the FireGPG options?

If it is enabled in FireGPG, in the right-hand corner of firefox should be the gpgAuth logo - if you click on it, it will display the gpgAuth log - this might help identify what the problem is.

Also, I noticed the server encryption subkey was expired. I have updated the expiration, and the updated public key will need to be re-imported, you can get the updated public key by going to http://gpgauth.org/#signup , selecting the key in the textbox labeled "Our Public Key" and choosing "Import" from the FireGPG menu (right-click the selected text).

Kyle

Hello,

I registered to try out the gpgAuth login, and it seems to do nothing on submit.... using Ubuntu 9.04.

Richard

This method uses the django.contrib.auth authenticate and login functions, but this can be changed to a custom authentication backend. I am working on a django authentication backend for gpgAuth, it is not finished yet.

Requirements:
    (These requirements and this Django implementation is based Linux and Apache, but the Django code should be the same for any platform Django supports)
    Apache
    Python
    Django
    GnuPG
    python module gnupginterface

Setup:

If you are using the django.contrib.auth module for your user objects, it will need to be extended to provide a place to store the users public key fingerprint and the value of the authentication token.

To extend the user object, add this line to your settings.py file for your project:

Code:

AUTH_PROFILE_MODULE = 'userprofile.UserProfile'

Then create the app:

Code:

python manage.py startapp userprofile

This will create the blank views.py and models.py. Edit the models.py file to include:

Code:

from django.db import models
from django.contrib.auth.models import User

class UserProfile(models.Model):
user = models.ForeignKey(User, unique=True)
fingerprint = models.TextField(null=True,blank=True)
gpgauth_token = models.TextField(null=True,blank=True)

class Meta:
verbose_name = ('User Profile')
verbose_name_plural = ('User Profiles')

def __str__( self ):
return "%s - Profile Object" % ( self.user.username )

If you want these objects to be accessible within the built-in django admin site, create an admin.py file in the 'userprofile' app directory and add the following lines:

Code:

from example.userprofile.models import UserProfile
from django.contrib import admin

admin.site.register(UserProfile)

Make sure the following is part of your INSTALLED_APPS context in your settings.py file:

Code:

INSTALLED_APPS = (
    'django.contrib.auth',
),

Add these lines to your settings.py file (or change them if they already exist) - this will override where users are pointed when told to login using the @login_require decorator):

Code:

LOGIN_URL = '/login'
LOGOUT_URL = '/logout'

Now edit or create the URLs for the project by adding these lines to the urls.py file (the admin line is optional, this just creates the URLs for the built-in django admin site.):

Code:

urlpatterns = patterns('',
    (r'^admin/(.*)', admin.site.root),
    (r'^login/$', 'example.views.login_view'),
    (r'^login/(?P<stage>\d+)', 'example.views.login_view'),
    (r'^logout/$', 'example.views.logout_view'),
)

Now, within the views.py file of your main project, add the following views:

Code:

from django.shortcuts import render_to_response
from django.template import RequestContext
from django.http import HttpResponseRedirect
from django.contrib.auth.decorators import login_required
from django.contrib.auth import authenticate, login, logout
from example.gpgauth import gpgauthBackend
from django.contrib.auth.models import User
from cgi import parse_qs


def login_view(request, stage=u'1'):
if stage == u'1':
try:
user = request.user
if user.is_authenticated:
logout(request)
except:
pass
return render_to_response('login.html', { 'stage1' : True }, context_instance=RequestContext(request))
if stage == u'2':
try:
    user = User.objects.get(username=request.POST['username'])
except User.DoesNotExist:
user = None
if request.POST['username'] and user:
if request.POST['password']:
''' Perform legacy authentication '''
user = None
user = authenticate(username=request.POST['username'], password=request.POST['password'])
if user is not None:
if user.is_active:
''' User is authenticated, call the login function '''
login(request, user)
return render_to_response('login.html', { 'stage3' : True, 'auth_method':'password', 'error' : None }, context_instance=RequestContext(request))
else:
''' Account is not active '''
return render_to_response('login.html', { 'stage1' : True, 'auth_method':'password', 'error' : True, 'error_message' : 'account disabled' }, context_instance=RequestContext(request))
else:
''' Username or password were incorrect '''
return render_to_response('login.html', { 'stage1' : True, 'auth_method':'password', 'error' :  True, 'error_message' : 'invalid login' }, context_instance=RequestContext(request))
elif request.POST.has_key('gpg_auth:server_token') and len(request.POST['gpg_auth:server_token']) and user.userprofile_set.values() and user.userprofile_set.values()[0].has_key('fingerprint'):
''' Perform gpg authentication '''
server_token = parse_qs( request.raw_post_data )['gpg_auth:server_token'][0]
result = gpgauthBackend().authenticate( username=request.POST['username'], password=request.POST['password'], server_token=server_token )
request.session['auth_user'] = request.POST['username']
return render_to_response('login.html', { 'stage2' : True, 'decrypted_server_token' : result['decrypted_server_token'], 'encrypted_user_token' : result['encrypted_user_token'], 'auth_user':result['user'], 'error' : result['error'], 'error_message' : result['error_message'] }, context_instance=RequestContext(request))
else:
''' An error has occurred '''
if not user.userprofile_set.values() or not user.userprofile_set.values()[0].has_key('fingerprint'):
error = "This account is not configured for gpgAuth login"
if not request.POST.has_key('gpg_auth:server_token') or not len(request.POST['gpg_auth:server_token']):
error = "No token provided by the client."
return render_to_response('login.html', { 'stage1' : True, 'error' : True, 'error_message' : error }, context_instance=RequestContext(request))
else:
''' Invalid username or password '''
return render_to_response('login.html', { 'stage1' : True, 'error' : True, 'error_message' : 'Invalid username or password' }, context_instance=RequestContext(request))

if stage == u'3':
error = None
error_message = None
username = request.session.get( "auth_user" )
try:
user = User.objects.get(username=username)
if user.userprofile_set.values() and user.userprofile_set.values()[0].has_key('gpgauth_token'):
user_token = user.get_profile().gpgauth_token
if user_token == request.POST['user_response_token']:
''' the tokens match, lets login.. '''
user.backend = 'example.gpgauth.gpgauthBackend'
user.get_profile().gpgauth_token = None
user.get_profile().save()
login(request, user)
else:
user_token = "No token provided"
error = True
error_message = user_token
except User.DoesNotExist:
user = None
error = True
error_message = "invalid user"
return render_to_response('login.html', { 'stage3' : True, 'auth_method':'gpgAuth', 'user_token' : user_token, 'user_response_token' : request.POST['user_response_token'], 'error' : error, 'error_message' : error_message }, context_instance=RequestContext(request))

def logout_view(request):
logout(request)
return render_to_response( 'login.html', { 'stage1' : True }, context_instance=RequestContext(request) )

And finally, create a gpgauth.py file in the root of your project and add the following code to the file (NOTE: the string should be random data consisting of a-Z and 0-9 (alphanumeric) of any length. The example crypto_token is static, it never changes, it is only an example....)

Code:

from django.conf import settings
from django.contrib.auth.models import User
from django.contrib.auth import authenticate as legacy_authenticate
import GnuPGInterface

class gpgauthBackend:
"""
Authenticate using GnuPG/PGP via the gpgauth protocol (see http://www.gpgauth.org).
Django gpgAuth integration module v0.1
go to http://www.gpgauth.org for the latest version.
"""
def authenticate(self, username=None, password=None, server_token=None, user_token=None):
gnupg = self.MyGnuPG()
global gnupg
auth_user = None
decrypted_server_token = None
encrypted_user_token = None
user = User.objects.get(username=username)
if user.userprofile_set.values() and user.userprofile_set.values()[0].has_key('fingerprint') and user.get_profile().fingerprint and server_token:
user_fp = user.get_profile().fingerprint
user.get_profile().gpgauth_token = None
user.get_profile().save()
decrypted_server_token = gnupg.decrypt_string( server_token )
crypto_token = "qkEbiHSLzHfWHNvnKgPWMPdDrKxbczfjyFcGTtZCDKq"
user_token = "gpgauthv1.2.1|%s|%s|gpgauthv1.2.1" % ( len(crypto_token), crypto_token )
encrypted_user_token = gnupg.encrypt_and_sign_string( user_token, [user_fp.replace(" ", "" )] )
user.get_profile().gpgauth_token = user_token
user.get_profile().save()
auth_method = "gpgAuth"
return { 'auth_method' : auth_method, 'user' : user, 'decrypted_server_token' : decrypted_server_token, 'encrypted_user_token' : encrypted_user_token, 'error' : None, 'error_message' : None }
else:
return { 'auth_method' : 'gpgAuth', 'user' : user, 'error' :  True, 'error_message' : 'no authentication key on file for user', 'encrypted_user_token' : encrypted_user_token, 'decrypted_server_token' : decrypted_server_token }


def get_user(self, user_id):
try:
return User.objects.get(pk=user_id)
except User.DoesNotExist:
return None

class MyGnuPG(GnuPGInterface.GnuPG):
def __init__(self):
gnupg = GnuPGInterface.GnuPG.__init__(self)
self.setup_my_options()

def setup_my_options(self):
self.options.armor = 1
self.options.meta_interactive = 0
self.options.extra_args.append('--no-secmem-warning')
self.options.default_key = 'example.com'
self.options.homedir = '/var/www/example.com/.gnupg'

def decrypt_string( self, string ):
gnupg.passphrase = ''
proc = gnupg.run( ['--decrypt', '-a'], create_fhs=['stdin', 'stdout','stderr'] )
proc.handles['stdin'].write(str(string))
proc.handles['stdin'].close()
output = proc.handles['stdout'].read()
proc.handles['stdout'].close()
error = proc.handles['stderr'].read()
error = proc.handles['stderr'].close()
proc.wait()
return output

def encrypt_and_sign_string(self, string, recipients):
gnupg.options.recipients = recipients   # a list!
proc = gnupg.run(['--sign', '--encrypt'], create_fhs=['stdin', 'stdout'])
proc.handles['stdin'].write(string)
proc.handles['stdin'].close()
output = proc.handles['stdout'].read()
proc.handles['stdout'].close()
proc.wait()
return output

def get_user(self, user_id):
try:
return User.objects.get(pk=user_id)
except User.DoesNotExist:
return None

Now, once you have added the users fingerprint to the database, and imported the users public_key into the GnuPG Keystore, that user should be able to login using gpgAuth, or the legacy password authentication, to disable the password method, just provide call the set_unusable_password on the given user object, and then call user_object.save(), then only gpgAuth login will work for the given user.

Requirements:
    (These requirements and this PHP implementation is based Linux and Apache, but the PHP code should be the same)
    Apache
    PHP
    PHP PECL gnupg package

To install the gnupg package in debian:

Code:

apt-get install php5-dev php-pear libgpgme11-dev libgpgme11

Then

Code:

pecl install gnupg

Then you must add the following to your php.ini file:

Code:

extension=gnupg.so

Once that is finished, you will need to create a GnuPG keystore accessible to your apache user (usually, www-data). (/var/www/.gnupg for example.). This is where the public keys for your users will be stored, and if you use symmetric gpgAuth, your servers private key. If you do not want to provide symmetric gpgAuth, you can skip the key-gen part. The easy way to do this is become the apache user, in my case 'www-data', and then create a key, like so:
su into the root user:

Code:

sudo su

then su into the user your web sever runs under (in my case, www-data):

Code:

su www-data

Then, as the web server user, create a key with:

Code:

gpg --gen-key

Answer the questions, and when it asks for your Real Name, enter the domain name you will be using this key for. This will become your server key, the key that users will encrypt tokens to.

Here is the PHP Code:

Code:

<?php
?>
<HTML>
<HEAD>
<TITLE>gpgAuth PHP example login form - Stage: <?php echo $_REQUEST['stage']; ?></TITLE>
<script type="text/javascript">
function emit_event() {
// This even evokes the gpgAuth client to process the tokens for the client
if ("createEvent" in document)
{
var ev = document.createEvent("Events");
ev.initEvent("gpg_auth:login", true, false);
document.dispatchEvent(ev);
}
}
</script>
</HEAD>
<BODY>
<?

if ($_REQUEST['stage'] == "" || $_REQUEST['stage'] == "1") {
?>
<form id="gpg_auth:login_form" method="post" action="javascript: emit_event();document.forms[0].action='?stage=2';document.forms[0].submit();">
<span>Enter your user ID: </span><input id="gpg_auth:username" name="username" width="10" size="10" autocomplete="off" action="alert('123');"/>
<input type="button" value="Submit" onClick="emit_event(); submit()"/>
<input type="text" id="gpg_auth:version" value="v1.2.2" style="display:none;"/>
<input type="text" id="gpg_auth:server_token" name="gpg_auth:server_token" value="" style="display:none;"/>
</form>
<?php
} elseif ($_REQUEST['stage'] == '2') {
putenv('GNUPGHOME=/var/www/example.com/.gnupg');

// create new GnuPG object
$gpg = new gnupg();

// throw exception if error occurs
$gpg->seterrormode(gnupg::ERROR_EXCEPTION); 

$recipient = "cti.localhost";

$ciphertext = $_POST['gpg_auth:server_token'];

try {
  $gpg->adddecryptkey($recipient, '');
  $plaintext = $gpg->decrypt($ciphertext);
  $server_response = $plaintext;
  echo '<pre>' . $plaintext . '</pre>';
} catch (Exception $e) {
  die('ERROR: ' . $e->getMessage());
}


// recipient's email address
$recipient = $_POST['username'];

// plaintext token
// THIS SHOULD BE RANDOM DATA!! The random data can be of any length, using characters a-Z and 0-9
$plaintext = "abcdefghiABCDEFGHI12345679";
// Place the plantext token in the gpgAuth wrapper
$gpgAuth_token = "gpgauthv1.2.1|" . strlen($plaintext) . "|" . $plaintext . "|gpgauthv1.2.1";

// Encrypt the token
try {
  $gpg->addencryptkey($recipient);
  $gpg->addsignkey('example.com', '');
  $ciphertext = $gpg->encryptsign($gpgAuth_token);
  echo '<pre>' . $ciphertext . '</pre>';
} catch (Exception $e) {
  die('ERROR: ' . $e->getMessage());
}
?>
<div id="gpg_auth:server_response_token" version="1.2.1"><? echo $server_response; ?></div>
<form id="gpg_auth:form" method="POST" action="?stage=3">
<textarea name="user_response_token" cols="65" rows="10" id="gpg_auth:user_token"><? echo $ciphertext; ?></textarea>
</form>
<script type="text/javascript">
emit_event();
</script>
<?
} elseif ($_REQUEST['stage'] == '3') {
//Verify the token returned by the user against the instance of the token stored in the database
?>
We sent this token to the client: gpgauthv1.2.1|13|123456abcdefg|gpgauthv1.2.1<br/>
This is what we received back: <? echo $_POST['user_response_token']; ?><br/>
If they match, the user was successful in decrypting the token - and should be permitted to proceed.
<?
} else {
echo "Unkown error";
}
?>
</BODY>
</HTML>

I think your implementation does address the concern of "it is too hard for the users", which is exciting because it shows that something like this is possible. 

But by not having a clear, publicly-reviewed specification for what's going on at the cryptographic layer, you've left open questions about exactly how secure this "easy for users" system is.  Since i assume your goals are similar to mine (i suspect we both want to hit the intersection of cryptographically-secure and user-friendly), that's the place where i'm pushing you.  Had you written a cryptographically-rigorous spec, but left major gaps in the user-friendliness, i'd probably be pushing you about the UI.  No good deed goes unpunished!

I look forward to reading a specification.  I'd be happy to read drafts as well, if you like.

Ha! Honestly - the extension part was easy for me - that is the type of thing I enjoy working on, especially when it is regarding something that I think is useful. As for the protocol specification, ugh.. I like that type of stuff about as much as I like filing my taxes.. But, it does need to be done. And now that I am in communication with someone who sounds familiar with the process and is offering to review the material (read: YOU), I am running out of excuses...

I will be sure to get something to you as soon as I can.

Having it included in the extension I was in hopes that it would remove the excuse of "it is too hard for the users" to implement GPG based web authentication. But alas, it sounds like I need to write a protocol reference.. =c )

I think your implementation does address the concern of "it is too hard for the users", which is exciting because it shows that something like this is possible. 

But by not having a clear, publicly-reviewed specification for what's going on at the cryptographic layer, you've left open questions about exactly how secure this "easy for users" system is.  Since i assume your goals are similar to mine (i suspect we both want to hit the intersection of cryptographically-secure and user-friendly), that's the place where i'm pushing you.  Had you written a cryptographically-rigorous spec, but left major gaps in the user-friendliness, i'd probably be pushing you about the UI.  No good deed goes unpunished!

I look forward to reading a specification.  I'd be happy to read drafts as well, if you like.

The gpgAuth implementation that is included in FireGPG will only return a decrypted token if the data contains a certain predefined string

If the preamble and postamble is intended to avoid the attacks described against encrypted data, it should probably be an explicit requirement in the protocol, not just an implementation choice made by the first client.  Requiring that the nonce be signed by the server as well might be an additional protection against this attack.

I agree; it should be a requirement of the protocol specification for public use. And you are right, if the token was signed by the server this would not be much of an issue - however the check is in place for cases where you don't care about the signature but you still don't want to be tricked into decrypting something that has been encrypted to your public key that may be sensitive. For example - I have used this mechanism to authenticate into protected areas of an intranet - a controlled environment where I am reasonably assured that the server I am communicating with is trustworthy - and I don't want to worry about having up-to-date versions of those controlled servers public key, or managing the UIDs of those server keys  (These are servers isolated from the internet and controlled by myself or a limited number of trustworthy individuals.).

So the server needs to encrypt the user token AND SIGN IT.

I think you meant this the other way around, right?  It seems important to me that the signature over the nonce should itself be wrapped by the encryption, rather than signing the encrypted nonce.   Otherwise, a machine performing a proxying/relaying attack (Y) could strip the signature made by the victim server (Z) and re-sign the encrypted nonce before passing it off the user (X).  You probably already understand this, but i wanted to make it explicit.

Yes, I should have been more clear - I mean the encrypted data should contain a valid signature of the server key associated with the domain. A wrapped signature would be mostly useless.

Currently, this a trust issue. If you do not trust the server, why are you using it?

I think this question confuses multiple ideas of trust, and is basically a non-starter for any discussion of secure network communication.  A user might reasonably connect and authenticate to a known server, and trust it to provide certain information, but not trust it to behave responsibly in any other context.

For example, consider a researcher A hired to do a security audit of company B's infrastructure.  In order to know what systems in particular are under contract for auditing, A needs to authenticate herself to B's web server to receive her instructions. But she hasn't begun the audit yet, so she cannot know how this web server is set up, or what it is capable of doing or doing wrong.  Researcher A should be able to prove her identity to the server without allowing that server to masquerade as her to any other entity on the network, and without risking disclosure of the contents of any other unrelated secure communications.

I was being facetious regarding trusting every server you log into  =c )
If we could safely assume any decent level of trust for un-established or even established servers out on the internet - I would not be spending any time on this..

I agree, it is difficult to read in the current presentation. I will see what I can do. However, I just want to point out - the gpgAuth module is not really a part of gpgAuth - gpgAuth is simply a way for a webserver to validate users using gpg.. the gpgAuth module in FireGPG is simply a tool to provide the user with an easy way to transfer the tokens back and forth - and do some security checks. Having said that - the gpgAuth module of FireGPG does need to be documented here, both the source and the process. Again, I will work on this..

I probably didn't make this clear: while i'm interested in documentation of the FireGPG module that implements gpgauth, i'm *more* interested in documentation of the gpgauth protocol itself.  In order to get a clear cryptographic understanding of the protocol, it would be really helpful to have a document describing the protocol that has something approximating the following properties:

 * a clear version number and date of last modification
 * is all in one static HTML or text file -- no dynamically-loaded content
 * has explicit section and subsection numbers, so that pieces of the protocol can be clearly referenced.

If the intent is to make this protocol something useful to the general public (as appears to be the goal with its inclusion with FireGPG), then the protocol spec should probably also be proposed to other interested users and implementors.  Once you have a draft of a referenceable document, I recommend joining the IETF OpenPGP working group mailing list: http://www.imc.org/ietf-openpgp/ and pointing other members of the WG to the draft so there can be a wider community review.

I agree with this; I think I should make it clear that designing a protocol was not my original intent. When thinking about the problems plagued with the traditional authentication used on the public internet (and most everywhere else too), I was totally disgusted. I started thinking about how GPG/PGP could resolve a lot of the issues - but it was really complicated passing data back and forth, encrypting, signing, decrypting, verifying, etc.. So I started playing with a firefox extension and some really simple (python-based) server side scripting.. and it worked.. with the right tools it was no longer cumbersome.

The intent was originally just to prove it could be accomplished with minimal effort - and it could be done as drop in authentication system on the server-side - by 'drop-in' I mean limited or no changes to the server and basically webserver technology agnostic. It seemed to me like the holy grail for authenticating users to websites. Easier for users - easier for providers, and was a starting point to develop a mechanism to verify the identity of the server without paying for expensive signed certificates.

Anyway, I guess I imagined people jumping on board to help make it usable - to develop it into something standardized and official - which is why I asked the FireGPG guys to include the client into their extension, an extension which is directly GPG related, and an extension I and many other people use daily. Having it included in the extension I was in hopes that it would remove the excuse of "it is too hard for the users" to implement GPG based web authentication. But alas, it sounds like I need to write a protocol reference.. =c )

I have no idea how to do so.. but I have reviewed enough of them and that is the same thing, right? =c )  (yes, I am again being facetious..)

I will see what can work up regarding a specification.

Thanks for all of your input in this.

Kyle