Serhiy Kostyshyn's blog
Happy 2009 to everyone in the community!
I wish all of you love, peace and success, no matter the difficulties. May the next year be better and brighter than you could ever imagine. :)
Happy New Year!
One more patch aimed at improving usability of ATutor. It enables group deletion of test submissions by replacing radio buttons with checkboxes and adding a "Select/unselect all" checkbox.
It also fixes minor bugs found in that area (I've noticed as many as seven of them).
The change has already been included in the trunk for the next release, 1.6.2, while this patch lets users benefit from it right now.
See the patch here: http://atutor.no/contribs/group-deletion-test-submissions-plus-bugfixes
Recently we've seen some security-related features being added to ATutor. Here I suggest one more: encrypting the transmission client-side when a user or an admin changes his/her password.
This is an easy-to-debug draft implementation. One might want to see how the system works in detail, so I post this draft to avoid duplicating efforts.
To test it, you'll need to place it on a server where ATutor is installed (I guess any version since 1.5 would suffice). Then edit the path on the line that reads
define('AT_INCLUDE_PATH', '../atutor161pl1/include/');
The protocol:
Msg 1. S -> C: N
Msg 2. C -> S: { N, Pnew, MIC } Pold'
where
* h() means hashing;
* {}K means encryption under the key K;
* N is a nonce/token;
* Pold and Pnew are hashes of old and new passwords respectively;
* MIC = h(N, Pnew) is a Message Integrity Code.
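The exchange above, as an added example that is not the post's own PHP/JavaScript code: the server issues N (Msg 1), the client builds Msg 2, and the server's checks are what decide whether the new hash is stored. The checks shown here are that the nonce is bound to a session and consumed on first use, that the decrypted message echoes that nonce, and that the MIC matches h(N, Pnew); a replayed, tampered or wrongly-keyed message fails one of them. Assumptions: h() is SHA-256 over length-prefixed inputs, Pold' is taken to be Pold (the hash the server already stores), and because the post's AES is a browser-side library, the block substitutes a SHA-256 counter-mode keystream as a stand-in cipher so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
HASH_LEN = 32


def h(*parts: bytes) -> bytes:
    """h() from the post. Assumed to be SHA-256 over length-prefixed parts so
    that h(N, Pnew) cannot collide with a differently split concatenation."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the AES cipher the post uses (an assumption for this example):
    a SHA-256 counter-mode keystream XORed over the data. Symmetric, so the same
    call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_msg2(old_password: str, new_password: str, nonce: bytes) -> bytes:
    """Msg 2, C -> S: { N, Pnew, MIC } Pold, where Pold is the hash of the old password."""
    pold = h(old_password.encode())
    pnew = h(new_password.encode())
    mic = h(nonce, pnew)
    return keystream_xor(pold, nonce, nonce + pnew + mic)


class Server:
    def __init__(self, stored_password_hash: bytes):
        self.pold = stored_password_hash
        self.pending = {}  # session id -> outstanding nonce, single use

    def msg1(self, session: str) -> bytes:
        """Msg 1, S -> C: N. A fresh nonce per request, remembered per session."""
        nonce = secrets.token_bytes(NONCE_LEN)
        self.pending[session] = nonce
        return nonce

    def msg2(self, session: str, ciphertext: bytes) -> bool:
        """Verify Msg 2. Every outcome consumes the nonce, so a message cannot be retried."""
        nonce = self.pending.pop(session, None)
        if nonce is None:
            return False  # no outstanding challenge: replay or out-of-order message
        plain = keystream_xor(self.pold, nonce, ciphertext)
        if len(plain) != NONCE_LEN + 2 * HASH_LEN:
            return False
        n = plain[:NONCE_LEN]
        pnew = plain[NONCE_LEN:NONCE_LEN + HASH_LEN]
        mic = plain[NONCE_LEN + HASH_LEN:]
        # A wrong old password decrypts to noise, so the echoed nonce will not match.
        if not hmac.compare_digest(n, nonce):
            return False
        # The MIC binds Pnew to this nonce; a flipped ciphertext byte changes Pnew but not the MIC.
        if not hmac.compare_digest(mic, h(nonce, pnew)):
            return False
        self.pold = pnew
        return True


def run_demo() -> dict:
    """Exercise the exchange: a good run, a replay, a tampered message, a wrong old password.
    All passwords and session ids below are constructed sample values."""
    server = Server(h(b"old-secret"))
    results = {}

    nonce = server.msg1("sess-1")
    msg = client_msg2("old-secret", "new-secret", nonce)
    results["accepted"] = server.msg2("sess-1", msg)
    results["password_rotated"] = server.pold == h(b"new-secret")

    results["replay_rejected"] = not server.msg2("sess-1", msg)

    nonce = server.msg1("sess-1")
    msg = client_msg2("new-secret", "third-secret", nonce)
    tampered = bytearray(msg)
    tampered[NONCE_LEN] ^= 0x01  # flip one bit inside the Pnew field
    results["tamper_rejected"] = not server.msg2("sess-1", bytes(tampered))

    nonce = server.msg1("sess-1")
    msg = client_msg2("guessed-wrong", "unwanted-value", nonce)
    results["wrong_old_password_rejected"] = not server.msg2("sess-1", msg)
    results["still_new_secret"] = server.pold == h(b"new-secret")
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

In the real form the outstanding nonce would live in the PHP session rather than an in-memory dict, and the key would be whatever the page's Pold' turns out to be; the checks in msg2 are the part that carries over unchanged.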
The JavaScript AES implementation is taken from http://www.hanewin.net/encrypt/aes/aes.htm.
There are many more comments and links in the source code, so you won't get lost.
If you test, please give me your feedback. I'm going to make it into real changes in ATutor code after I'm sure this implementation is the right way to go.
Update: The PHP file was updated on 2008-09-03 to fix a bug reported by Vegard. I also uncommented the piece that tries to mitigate the weaknesses of ECB encryption mode (this should go unnoticed by end users, though).
