* Thus wrote John W. Holmes ([EMAIL PROTECTED]):
> Curt Zirzow wrote:
>
> > On an advanced note, there are ways to protect a user's password on a
> > normal http connection. The authentication program I helped
> > develop and use has the ability to make a hash of the password on
> > the client side then send the hash value to the authentication
> > script. The authentication script never sees the password, just
> > verifies the hash.
>
> So, I can't sniff the password, but I can sniff the hash and then send
> the same one when I want access. This doesn't protect much until the
> user changes their password and I have to get their new hash.
The method isn't foolproof. There are other things the authentication checks for when building the hash.

User requests login form:

1. When the user requests the login page, the auth program generates a key which is something like md5(rand()).
2. Stores that key in a session variable for the next request.

User submits form:

3. When the form is submitted, a javascript function takes the key and hashes the password with the key (and other stuff).
4. The auth program then looks at the user's session stuff, finds the key that it generated from when the user first requested the page.
5. Uses the session key and the user's password from the database and hashes those together.
6. If they match then the following was true:
   - user currently has the correct session (expires after time)
   - user currently has the correct (pseudo secret) key (expires after time)
   - user is from the same ip (optional)
   - user had entered the correct password.
7. On fail or success, the key is marked as stale (expired). If it failed, a new key is generated, and we restart the login form process.

So.. if you followed that and I explained it well enough... if you do sniff the hash, the key, and the session, you will have to get your request in before the key becomes stale, otherwise that information you have is bad. In most cases the authentication is the first thing done so we're dealing with microseconds.

You can check the code out if you want; it's over on sourceforge (called DiggerAuth).

Curt
--
"I used to think I was indecisive, but now I'm not so sure."

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php