How do you get around the server and client running on different times? I
would think that would screw up the system, as they would be generating them
at different times?

Other than that possible problem I like the idea.

However, I would like to point out that anything done client-side cannot be
completely secure, as anyone can get your algorithm from the JavaScript.
Maybe you could devise some system with keys where the PHP page would write
the JavaScript function with a different key based on time or something?
That might work.

Thoughts?
Sheridan
----- Original Message -----
From: Francis Fillion <[EMAIL PROTECTED]>
To: Tom Malone <[EMAIL PROTECTED]>
Cc: PHP Users <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 5:14 PM
Subject: Re: [PHP] encryption
> One of my friends has an RSA key something; what it does is that every
> few minutes it generates a random number, so to log in on his server he
> needs this random key and his password to get in; the server generates
> the same key as his RSA key and has his password.
>
> So the best thing to do would be to make two programs that use something
> to generate a random alphanumeric something on the server side and on
> your client side, so when you connect to the server both of you have
> this key + your password; if it's OK it starts a PHP session. And the key
> should be regenerated once you have logged in. So even if somebody
> extracts the clear text key+password from your connection he can't
> connect because this key+password is already past due; the only possible
> attack then is to find the algorithm that you use + password, and by
> changing your algorithm once in a while you can really limit this. The
> other attack could be a man in the middle attack, that could hurt.
>
> Good idea, I have to use this (let's put it down on my project
> list...), I could even put the generate stuff on my PDA, I could log in
> from anywhere... ;)
>
> Tom Malone wrote:
> >
> > I guess I should clarify - I'm just making a login for myself for the
> > admin section of my website, so I only need to be able to protect my
> > own password. I'm not sure if that information is helpful at all, but I
> > haven't been able to figure out how to do it.
> >
> > Tom
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 19, 2001 3:21 PM
> > To: Sheridan Saint-Michel
> > Cc: php-general
> > Subject: Re: [PHP] encryption
> >
> > Ahh, well then, another solution could be to use SSL; it depends on
> > your application whether you can get away with using an unsigned
> > certificate (free) or whether you will need to pay a company like
> > VeriSign to prove your identity.
> >
> > With an unsigned certificate the browser will warn the user that the
> > certificate says it's you, but it's not proven by a CA so it might not
> > be you.
> >
> > The JavaScript MD5 technique is an interesting way of doing it, but I
> > don't think it's any more secure. If a hacker sniffs the MD5 hash, how
> > is that any different than him sniffing a plain text password? You're
> > comparing hashes, so as long as he has the hash he's in.
> >
> > On Thu, Jul 19, 2001 at 01:58:43PM -0500, Sheridan Saint-Michel wrote:
> > > The problem he is addressing is that the password is sent plaintext
> > > to the server before it ever gets to MySQL.
> > >
> > > I would suggest using a JavaScript program like this
> > > http://pajhome.org.uk/crypt/md5/md5src.html
> > >
> > > and then using the PHP md5 function on the server side and comparing
> > > the two results.
> > > That way the only thing that ever gets transmitted is an MD5 hash =P
> > >
> > > Sheridan
> > >
> > > ----- Original Message -----
> > > From: Jeff Bearer <[EMAIL PROTECTED]>
> > > To: Tom Malone <[EMAIL PROTECTED]>
> > > Cc: PHP Users <[EMAIL PROTECTED]>
> > > Sent: Thursday, July 19, 2001 12:17 PM
> > > Subject: Re: [PHP] encryption
> > >
> > >
> > > > I'd use the password function in MySQL to store encrypted
> > > > passwords, I'd be interested to hear if anyone has a reason that
> > > > doing this is not a good idea.
> > > >
> > > > On Thu, Jul 19, 2001 at 12:52:55PM -0400, Tom Malone wrote:
> > > > > Hello!
> > > > >
> > > > > I have a small problem. On my website there is some information I
> > > > > would like to protect. Right now I am using .htaccess to
> > > > > password-protect the directory, but I was thinking about using
> > > > > PHP and a form with usernames/passwords in a MySQL database.
> > > > > Thankfully, I read the following in the manual right before I was
> > > > > about to use the crypt() function to encrypt my password and
> > > > > compare it to the encrypted hash in the DB:
> > > > >
> > > > > "It seems that a lot of people don't understand the point of using
> > > > > one-way encryption. More importantly, a lot of web designers
> > > > > forget that PHP encryption is done entirely on the web server, not
> > > > > the client.
> > > > >
> > > > > Point being, if your form has a password input option and the user
> > > > > clicks SUBMIT, the password is then sent _as plain text_ over the
> > > > > Internet to the web server where it is then encrypted for
> > > > > comparison against a password database.
> > > > >
> > > > > Do _not_ use these types of functions to add security to a form
> > > > > unless you're using an SSL or TLS (etc.) encrypted session. The
> > > > > only potential way around this issue is for you to write a
> > > > > JavaScript program that does the hashing on the client side before
> > > > > being sent over the Internet (which would make this function
> > > > > unnecessary)."
> > > > >
> > > > > I am pretty new to PHP and absolutely clueless as far as
> > > > > encryption/algorithms are concerned. Could anyone possibly point
> > > > > me to a viable solution for this problem?
> > > > >
> > > > > Thanks in advance!
> > > > >
> > > > > Tom Malone
> > > > >
> >
> > --
> > Jeff Bearer, RHCE
> > Webmaster
> > PittsburghLIVE.com
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
>
> --
> Francis Fillion, BAA SI
> Broadcasting live from his linux box.
> And the maintainer of http://www.windplanet.com
>