That is complicated. If it's just for the admin's personal use, I'd say
set up a secure server and use your own certificate.
On Fri, Jul 20, 2001 at 10:17:30AM -0400, Francis Fillion wrote:
> The best thing will be to sync clocks; if it's in another time zone just
> get your script to do +x or -x. Even the hours are not really
> important, except that if you use it as a key, the minutes are
> important. It's easy to sync time if it's for the admin, but for the
> user at large it's not possible. Or before sending your generated key
> you could get the time from the server and generate the appropriate key
> using your key + time.
>
> For the client-side stuff, well it is not a problem for the admin of
> the site, since he will be the only one to use this kind of
> authentication, but if you want to use it for every user you need a
> key that both know, so even if you have the algorithm you need the key
> to get the right result. You could use the IP address to make the key,
> both know it (well not really ...), some people will not be able to use
> it: people who work in a corporate environment and use an internal IP
> address in house and use another IP address when they get on the
> Internet (masquerading), so the IP address on the client side and on the
> server side is not the same.
>
> Or at subscription time make a cookie with the key and keep the key
> somewhere on the server side, extract the key only on the client side
> every time after that to connect, so you only have a one-time clear text
> key/password exchange on the net. Every time after that a new key will be
> generated with the cookie key combined with the password and the
> same thing will be done on the server. You could even use the key to
> encrypt all data that is sent to the server from the client, so that
> way you have a cheap secure connection, eh, I'm starting to mimic
> SSH, SSL, ...?
>
> Anyway we could have fun making it! ;)
>
> P.S. Sorry for my crappy English, my native language is French so ...
>
> P.S.2. Sometimes I talk about two keys; I need a key (passphrase?) to
> start my algorithm to get the final key.
>
> Sheridan Saint-Michel wrote:
> >
> > How do you get around the server and client running on different times?
> > I would think that would screw up the system as they would be generating
> > them at different times?
> >
> > Other than that possible problem I like the idea.
> > However, I would like to point out that anything done client-side cannot
> > be completely secure as anyone can get your algorithm from the JavaScript.
> >
> > Maybe you could devise some system with keys where the PHP page would
> > write the JavaScript function with a different key based on time or
> > something?
> > That might work.
> >
> > Thoughts?
> > Sheridan
> >
> > ----- Original Message -----
> > From: Francis Fillion <[EMAIL PROTECTED]>
> > To: Tom Malone <[EMAIL PROTECTED]>
> > Cc: PHP Users <[EMAIL PROTECTED]>
> > Sent: Thursday, July 19, 2001 5:14 PM
> > Subject: Re: [PHP] encryption
> >
> > > One of my friends has an RSA key something; what it does is that
> > > every few minutes it generates a random number, so to log in on his server
> > > he needs this random key and his password to get in; the server generates
> > > the same key as his RSA key and has his password.
> > >
> > > So the best thing to do will be to make two programs that use something
> > > to generate a random alphanumeric something on the server side and on
> > > your client side, so when you connect to the server both have you as
> > > this key + your password; if it's OK it starts a PHP session. And the key
> > > should be regenerated once you have logged in. So even if somebody extracts
> > > the clear text key+password from your connection he can't connect
> > > because this key+password is already past due; the only possible attack
> > > then is to find the algorithm that you use + password; by changing your
> > > algorithm once in a while you can really limit this. The other attack
> > > could be a man in the middle attack, that could hurt.
> > >
> > > Good idea, I have to use this (let's put it down on my project
> > > list, ...), I could even put the generate stuff on my PDA, I could log in
> > > from anywhere... ;)
> > >
> > > Tom Malone wrote:
> > > >
> > > > I guess I should clarify - I'm just making a login for myself for the
> > > > admin section of my website, so I only need to be able to protect my own
> > > > password. I'm not sure if that information is helpful at all, but I
> > > > haven't been able to figure out how to do it.
> > > >
> > > > Tom
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, July 19, 2001 3:21 PM
> > > > To: Sheridan Saint-Michel
> > > > Cc: php-general
> > > > Subject: Re: [PHP] encryption
> > > >
> > > > Ahh, well then, another solution could be to use SSL, depends on your
> > > > application whether you can get away with using an unsigned certificate
> > > > (free) or whether you will need to pay a company like Verisign to prove
> > > > your identity.
> > > >
> > > > With an unsigned certificate the browser will warn the user that the
> > > > certificate says it's you, but it's not proven by a CA so it might not
> > > > be you.
> > > >
> > > > The JavaScript MD5 technique is an interesting way of doing it, but I
> > > > don't think it's any more secure. If a hacker sniffs the md5 hash how is
> > > > that any different than him sniffing a plain text password? You're
> > > > comparing hashes, so as long as he has the hash he's in.
> > > >
> > > > On Thu, Jul 19, 2001 at 01:58:43PM -0500, Sheridan Saint-Michel wrote:
> > > > > The problem he is addressing is that the password is sent plaintext to
> > > > > the server before it ever gets to MySQL.
> > > > >
> > > > > I would suggest using a JavaScript program like this
> > > > > http://pajhome.org.uk/crypt/md5/md5src.html
> > > > >
> > > > > and then using the PHP md5 function on the server side and comparing
> > > > > the two results.
> > > > > That way the only thing that ever gets transmitted is an md5 hash =P
> > > > >
> > > > > Sheridan
> > > > >
> > > > > ----- Original Message -----
> > > > > From: Jeff Bearer <[EMAIL PROTECTED]>
> > > > > To: Tom Malone <[EMAIL PROTECTED]>
> > > > > Cc: PHP Users <[EMAIL PROTECTED]>
> > > > > Sent: Thursday, July 19, 2001 12:17 PM
> > > > > Subject: Re: [PHP] encryption
> > > > >
> > > > >
> > > > > > I'd use the password function in mysql to store encrypted passwords,
> > > > > > I'd be interested to hear if anyone has a reason that doing this is
> > > > > > not a good idea.
> > > > > >
> > > > > > On Thu, Jul 19, 2001 at 12:52:55PM -0400, Tom Malone wrote:
> > > > > > > Hello!
> > > > > > >
> > > > > > > I have a small problem. On my website there is some information I
> > > > > > > would like to protect. Right now I am using .htaccess to
> > > > > > > password-protect the directory, but I was thinking about using php
> > > > > > > and a form with usernames/passwords in a MySQL database.
> > > > > > > Thankfully, I read the following in the manual right before I was
> > > > > > > about to use the crypt() function to encrypt my password and
> > > > > > > compare it to the encrypted hash in the DB:
> > > > > > >
> > > > > > > "It seems that a lot of people don't understand the point of using
> > > > > > > one-way encryption. More importantly, a lot of web designers forget
> > > > > > > that PHP encryption is done entirely on the web server, not the
> > > > > > > client.
> > > > > > >
> > > > > > > Point being, if your form has a password input option and the user
> > > > > > > clicks SUBMIT, the password is then sent _as plain text_ over the
> > > > > > > Internet to the web server where it is then encrypted for
> > > > > > > comparison against a password database.
> > > > > > >
> > > > > > > Do _not_ use these types of functions to add security to a form
> > > > > > > unless you're using an SSL or TLS (etc.) encrypted session. The
> > > > > > > only potential way around this issue is for you to write a
> > > > > > > JavaScript program that does the hashing on the client side before
> > > > > > > being sent over the Internet (which would make this function
> > > > > > > unnecessary)."
> > > > > > >
> > > > > > > I am pretty new to PHP and absolutely clueless as far as
> > > > > > > encryption/algorithms are concerned. Could anyone possibly point
> > > > > > > me to a viable solution for this problem?
> > > > > > >
> > > > > > > Thanks in advance!
> > > > > > >
> > > > > > > Tom Malone
> > > > > > >
> > > >
> > > > --
> > > > Jeff Bearer, RHCE
> > > > Webmaster
> > > > PittsburghLIVE.com
> > > >
> > > > --
> > > > PHP General Mailing List (http://www.php.net/)
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > > >
> > >
> > > --
> > > Francis Fillion, BAA SI
> > > Broadcasting live from his linux box.
> > > And the maintainer of http://www.windplanet.com
> > >
> >
>
> --
> Francis Fillion, BAA SI
> Broadcasting live from his linux box.
> And the maintainer of http://www.windplanet.com
>
--
Jeff Bearer, RHCE
Webmaster
PittsburghLIVE.com