The best thing will be to sync clocks; if it's in another time zone just
get your script to do +x or -x. Even the hours are not really
important, except that if you use it as a key, the minutes are
important. It's easy to sync time if it's for the admin, but for the
user at large it's not possible. Or before sending your generated key
you could get the time from the server and generate the appropriate key
using your key + time.
For the client-side stuff, well it is not a problem for the admin of
the site, since they will be the only one to use this kind of
authentication, but if you want to use it for every user you need a
key that both know, so even if you have the algorithm you need the key
to get the right result. You could use the IP address to make the key,
both know it (well not really ...), some people will not be able to use
it: people who work in a corporate environment use an internal IP
address in house and another IP address when they get on the
Internet (masquerading), so the IP address on the client side and on the
server side is not the same.
Or at subscription time make a cookie with the key and keep the key
somewhere on the server side, extract the key only on the client side
every time after that to connect, so you only have a one-time clear text
key/password exchange on the net. Every time after that a new key will be
generated with the cookie key combined with the password and the
same thing will be done on the server. You could even use the key to
encrypt all data that is sent to the server from the client, so that
way you have a cheap secure connection, eh, I'm starting to mimic
SSH, SSL, ...?
Anyway we could have fun making it! ;)
P.S. Sorry for my crappy English, my native language is French so ...
P.S.2. Sometimes I talk about two keys; I need a key (passphrase?) to
start my algorithm to get the final key.
Sheridan Saint-Michel wrote:
>
> How do you get around the Server and client running on different times?
> I would think that would screw up the system as they would be generating
> them at different times?
>
> Other than that possible problem I like the idea.
> However, I would like to point out that anything done client-side cannot
> be completely secure as anyone can get your algorithm from the JavaScript.
>
> Maybe you could devise some system with keys where the PHP page would
> write the JavaScript function with a different key based on time or
> something?
> That might work.
>
> Thoughts?
> Sheridan
>
> ----- Original Message -----
> From: Francis Fillion <[EMAIL PROTECTED]>
> To: Tom Malone <[EMAIL PROTECTED]>
> Cc: PHP Users <[EMAIL PROTECTED]>
> Sent: Thursday, July 19, 2001 5:14 PM
> Subject: Re: [PHP] encryption
>
> > One of my friends has an RSA key something, what it does is that
> > every few minutes it generates a random number so for login on his server
> > he needs this random key and his password to get in, the server generates
> > the same key as his RSA key and has his password.
> >
> > So the best thing to do will be to make two programs that use something
> > to generate a random alphanumeric something on the server side and on
> > your client side so when you connect to the server both of you have
> > this key + your password, if it's OK it starts a PHP session. And the key
> > should be regenerated once you have logged in. So even if somebody extracts
> > the clear text key+password from your connection he can't connect
> > because this key+password is already past due, the only possible attack
> > then is to find the algorithm that you use+password, by changing your
> > algorithm once in a while you can really limit this, the other attack
> > could be a man in the middle attack, that could hurt.
> >
> > Good idea, I have to use this (let's put it down on my project
> > list,...), I could even put the generate stuff on my pda, I could login
> > from anywhere... ;)
> >
> > Tom Malone wrote:
> > >
> > > I guess I should clarify - I'm just making a login for myself for the admin
> > > section of my website, so I only need to be able to protect my own password.
> > > I'm not sure if that information is helpful at all, but I haven't been able
> > > to figure out how to do it.
> > >
> > > Tom
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, July 19, 2001 3:21 PM
> > > To: Sheridan Saint-Michel
> > > Cc: php-general
> > > Subject: Re: [PHP] encryption
> > >
> > > Ahh, well then, another solution could be to use SSL, depends on your
> > > application whether you can get away with using an unsigned certificate (free) or
> > > whether you will need to pay a company like Verisign to prove your identity.
> > >
> > > With an unsigned certificate the browser will warn the user that the
> > > certificate says it's you, but it's not proven by a CA so it might not be you.
> > >
> > > The JavaScript MD5 technique is an interesting way of doing it, but I don't
> > > think it's any more secure. If a hacker sniffs the md5 hash how is that any
> > > different than him sniffing a plain text password? You're comparing hashes,
> > > so as long as he has the hash he's in.
> > >
> > > On Thu, Jul 19, 2001 at 01:58:43PM -0500, Sheridan Saint-Michel wrote:
> > > > The problem he is addressing is that the password is sent plaintext to the
> > > > server before it ever gets to MySQL.
> > > >
> > > > I would suggest using a JavaScript program like this
> > > > http://pajhome.org.uk/crypt/md5/md5src.html
> > > >
> > > > and then using the PHP md5 function on the server side and comparing the
> > > > two results.
> > > > That way the only thing that ever gets transmitted is an md5 hash =P
> > > >
> > > > Sheridan
> > > >
> > > > ----- Original Message -----
> > > > From: Jeff Bearer <[EMAIL PROTECTED]>
> > > > To: Tom Malone <[EMAIL PROTECTED]>
> > > > Cc: PHP Users <[EMAIL PROTECTED]>
> > > > Sent: Thursday, July 19, 2001 12:17 PM
> > > > Subject: Re: [PHP] encryption
> > > >
> > > >
> > > > > I'd use the password function in mysql to store encrypted passwords, I'd
> > > > > be interested to hear if anyone has a reason that doing this is not a good idea.
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Jul 19, 2001 at 12:52:55PM -0400, Tom Malone wrote:
> > > > > > Hello!
> > > > > >
> > > > > > I have a small problem. On my website there is some information I would
> > > > > > like to protect. Right now I am using .htaccess to password-protect the
> > > > > > directory, but I was thinking about using php and a form with
> > > > > > usernames/passwords in a MySQL database. Thankfully, I read the following in
> > > > > > the manual right before I was about to use the crypt() function to encrypt
> > > > > > my password and compare it to the encrypted hash in the DB:
> > > > > >
> > > > > > "It seems that a lot of people don't understand the point of using one-way
> > > > > > encryption. More importantly, a lot of web designers forget that PHP
> > > > > > encryption is done entirely on the web server, not the client.
> > > > > >
> > > > > > Point being, if your form has a password input option and the user clicks
> > > > > > SUBMIT, the password is then sent _as plain text_ over the Internet to the
> > > > > > web server where it is then encrypted for comparison against a password
> > > > > > database.
> > > > > >
> > > > > > Do _not_ use these types of functions to add security to a form unless
> > > > > > you're using an SSL or TLS (etc.) encrypted session. The only potential way
> > > > > > around this issue is for you to write a JavaScript program that does the
> > > > > > hashing on the client side before being sent over the Internet (which would
> > > > > > make this function unnecessary)."
> > > > > >
> > > > > > I am pretty new to PHP and absolutely clueless as far as
> > > > > > encryption/algorithms are concerned. Could anyone possibly point me to a
> > > > > > viable solution for this problem?
> > > > > >
> > > > > > Thanks in advance!
> > > > > >
> > > > > > Tom Malone
> > > > > >
> > >
> > > --
> > > Jeff Bearer, RHCE
> > > Webmaster
> > > PittsburghLIVE.com
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > >
> >
> > --
> > Francis Fillion, BAA SI
> > Broadcasting live from his linux box.
> > And the maintainer of http://www.windplanet.com
> >
>
--
Francis Fillion, BAA SI
Broadcasting live from his linux box.
And the maintainer of http://www.windplanet.com
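The scheme Francis sketches above (cookie key combined with the password, freshness taken from the server, a key that is "past due" once used) and Jeff's objection that a sniffed MD5 hash can simply be resent, as an added Python example that is not code from the thread. COOKIE_KEY, PASSWORD, STEP and the Server class are constructed for the demo, and an HMAC over a server-issued nonce plus a time step stands in for the thread's unspecified key-generation algorithm.

```python
import hashlib
import hmac
import os

# Constructed demo values: the key stored in the user's cookie at
# enrollment (the thread's "cookie key") and the user's password.
COOKIE_KEY = b"constructed-enrollment-cookie-key"
PASSWORD = "constructed-password"
STEP = 60  # seconds per time step ("a new key every few minutes")


def derive_key(cookie_key: bytes, password: str) -> bytes:
    # Combine cookie key and password; the server stores only this value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), cookie_key, 100_000)


def client_proof(key: bytes, nonce: bytes, now: int) -> str:
    # Client side: HMAC over the server's nonce and the current time step.
    counter = (now // STEP).to_bytes(8, "big")
    return hmac.new(key, nonce + counter, hashlib.sha256).hexdigest()


class Server:
    # Issues one-shot nonces and tolerates +/- skew_steps of clock drift.
    def __init__(self, key: bytes, skew_steps: int = 1):
        self.key = key
        self.skew = skew_steps
        self.pending = set()  # nonces handed out but not yet consumed

    def issue_nonce(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, proof: str, now: int) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already used: a replayed proof
        self.pending.discard(nonce)  # one nonce, one attempt
        for d in range(-self.skew, self.skew + 1):
            expected = client_proof(self.key, nonce, now + d * STEP)
            if hmac.compare_digest(expected, proof):
                return True
        return False


def demo(now: int) -> dict:
    # Fresh login succeeds despite a slow client clock; a replay is rejected.
    key = derive_key(COOKIE_KEY, PASSWORD)
    server = Server(key)
    nonce = server.issue_nonce()
    proof = client_proof(key, nonce, now - 45)  # client clock 45 s behind
    first = server.login(nonce, proof, now)
    replay = server.login(nonce, proof, now)  # sniffed proof sent again
    return {"first": first, "replay": replay}
```

Unlike a bare client-side MD5 of the password, the proof is bound to a nonce the server hands out once and to the time step, so capturing it on the wire gives nothing reusable.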