ok,

here's an idea:

Either use a script off the web, or write your own:
During the initial SSL session setup:
 - send an e-mail to the client with a web page attached.
   (include instructions in the e-mail)
   Put javascript into the page to decrypt RC5 (apparently you can get a
patch for MySQL to enable RC5 functionality)
 - During the session put the client's key & encrypted login details into a
text file & have them save it to their hard disk
 - When the client wishes to view their login information, instruct the
client to:
      - open the web page attached to the e-mail
      - use a form in the web page to browse for the text file they saved to
their hard disk
      - use the RC5 decryption script embedded in the web page to decrypt
the client login info

or something like that...

cheers,
Gav



-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 20 November 2002 1:01 AM
To: 'Jeremy Wilson'; 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?


Hi All,

I want to thank everyone for their suggestions.

As a short-term solution, we're simply going to remove the "username" from
the email. This way if a hacker does obtain the email they don't have
the complete details to gain access to the user's account.

I would like to know more about the code supplied below though.

How does this work?

As long as they HAVE a string that gets compared in the DB then what
good is this? They can still gain access to the user's account.

Thanks again.

Aaron

-----Original Message-----
From: Jeremy Wilson [mailto:[EMAIL PROTECTED]]
Sent: November 16, 2002 1:08 PM
To: 'Aaron Wolski'; 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

$encrypted_string = md5(base64_encode($var.'secret key'));

Pass the user name or password to $var and place text in to replace the
words 'secret key'.

-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 15, 2002 8:45 AM
To: 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Well.

It's not what they want.. it's what one of their clients wants (very big
corporation with very unrealistic security standards - you'd think they
were NASA or something *grumble*)

Their thought is that someone could hack the received email, login to
the store using the publicly displayed login details and wreak havoc
on the store, etc.

*shrugs* Sadly this isn't open for debate as a solution IS required.

Any thoughts?

Aaron

-----Original Message-----
From: Jason Vincent [mailto:[EMAIL PROTECTED]]
Sent: November 15, 2002 11:42 AM
To: Aaron Wolski; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Why email? If the Admin tool uses SSL, that is all you need.
Regards,
J

-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 15, 2002 11:39 AM
To: 'Aaron Wolski'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Just thinking here..

PGP is not an option as it would mean EACH user being set up would need
the company's public key to decrypt. Not possible as they set up a few
hundred accounts each month.

Hmm.. anything else?

Argh :(

Aaron

-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: November 15, 2002 11:36 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Email Encryption?
<OFFTOPIC>
 
Sorry for the off topic guys..
 
But I've just been informed that an application we developed for a
client whereby they use an Admin tool to set up user accounts into their
store needs to have the login (username and password) encrypted.
 
I am thinking PGP for this but to be honest I've never really worked
with PGP and wouldn't have the first clue.
 
Does anyone have any experience with this or can offer any advice at
all?
 
Again, sorry for the OT discussion.
 
Aaron

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
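
An added example, not part of the original thread or any poster's code: it wraps the md5(base64_encode(...)) expression quoted above, shows the objection raised about a string that is only compared in the DB, and sets it beside one alternative, a single-use expiring setup token. All function names, the user "alice" and the sample values are constructed assumptions.

```php
<?php
// Added example, not code from the thread; every name and value is constructed.

// The expression from the thread, wrapped in a function.
function thread_digest(string $var, string $secret): string
{
    return md5(base64_encode($var . $secret));
}

// Hypothetical login check that compares a presented string with the stored one.
function login_with_string(array $db, string $user, string $presented): bool
{
    return isset($db[$user]) && hash_equals($db[$user], $presented);
}

// Hypothetical alternative: e-mail a single-use, expiring setup token and
// store only its SHA-256 hash; the user then sets a password over SSL.
function issue_token(array &$store, string $user, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $store[$user] = ['hash' => hash('sha256', $token), 'expires' => $now + $ttl];
    return $token;
}

function redeem_token(array &$store, string $user, string $token, int $now): bool
{
    $row = $store[$user] ?? null;
    if ($row === null || $now > $row['expires']) {
        unset($store[$user]);   // unknown or expired: nothing left to redeem
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$user]);       // single use
    return true;
}

$digest = thread_digest('s3cret-pass', 'secret key');
$db = ['alice' => $digest];
var_dump(strlen($digest), $digest === thread_digest('s3cret-pass', 'secret key'));
var_dump(login_with_string($db, 'alice', $digest));   // an intercepted copy works as a login

$store = [];
$token = issue_token($store, 'alice', 1000);
var_dump(redeem_token($store, 'alice', $token, 1500)); // first use inside the lifetime
var_dump(redeem_token($store, 'alice', $token, 1600)); // replay of the same token
```

The digest is a fixed-length one-way hash, so the recipient cannot recover a login from it, and it is the same for the same input every time.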


