I don't care what you say, all you need is Secure Socket Layer. Contrary to what you may believe, you don't need a beefy server to implement it. I had apache+ssl+php+mysql running quite well on a 486 DX4/100 with 64MB ram. Decrypting is worse than you think. Anything you can decrypt, so can someone who is sniffing (with time). This is why one-way hashes are used. MD5 is a one-way hash, i.e. it CANNOT be read the other way (decrypted). Aside from that, especially in regards to passwords, do not decrypt, EVER. If security is that much of a concern that you need this functionality and for some reason you can't run SSL, then upgrade the box (although I don't think you would really need to).
Matt

----- Original Message -----
From: José León Serna <[EMAIL PROTECTED]>
To: Jason Sheets <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 12:13 PM
Subject: Re: [PHP] RSA implementation

On Mon, 17-02-2003 at 15:33, Jason Sheets wrote:
> If all you are doing is trying to allow a user to change their password
> you do not need decryption, all you need to do is md5 the new password
> and update the database.

And what happens if this MD5 is sniffed? Anyone can make a POST against the login script and authenticate. I don't use SSL, due to hardware restrictions; it's a lightweight server and I need to log in this way:

- I generate the login script with a random key.
- When the user submits the form, the password is encrypted using JavaScript this way: sent_pass=md5(entered_pass+random_key).
- This random key is stored on the server, so I can md5 again with the "plain text" user password and the random key to authenticate.

In any case (ok or not) I regenerate the random key, so if this data is sniffed, it's not useful.

Now I want to enable the user to change the password, so I need decryption on the server, because I need to know the password in plain text.

Regards.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php