Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-13 Thread Marek Kilimajer
This has been solved - the extra characters are stored in session,
otherwise attacker can repeat it too. Password can be stored on
the server using one-way hash - on the client the script hashes
twice, first to get hashed password, then together with random
string


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-13 Thread Scott Fletcher
Yea, the hacker would guess a random number in html  javascript but the
hacker has no way of putting it into php on the server-side.  So, we get
two different random numbers and an invalid match.





Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Marek Kilimajer
The way you want it can be securely done only using asymmetric
encryption, which is not available to JS.
Do you really need to encrypt user_id? You could use md5 to hash
password with some random string, store the hash in a hidden field and
erase password. On server side if the hidden field is set compare it
with a hash you create with password and the random string (keep the
string as a session variable, don't pass it as a form hidden field).
If the hidden hash field is not set, use normal procedure.

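code:

server:
// per-login random string, kept in the session
$_SESSION['random'] = create_random_string();

client:
function onsubmit(form)  {
   // md5() has to be supplied by a script; the random string is printed
   // into the page for the client to hash, and the server compares
   // against its own session copy
   form.hiddenfield.value = md5(md5(form.password.value) + form.randomstring.value);
   form.password.value = '';
   return true;
}

server:
// escape request values before they reach the SQL string
$user = mysql_escape_string($_POST['user']);
if ($_POST['hiddenfield']) {
   $hash = mysql_escape_string($_POST['hiddenfield']);
   $random = mysql_escape_string($_SESSION['random']);
   $res = mysql_query("SELECT * FROM users WHERE user='$user'
      AND '$hash'=MD5(CONCAT(password,'$random'))");
} else {
   $pass = mysql_escape_string($_POST['password']);
   $res = mysql_query("SELECT * FROM users WHERE user='$user'
      AND password=MD5('$pass')");
}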

this example assumes passwords are stored as md5 hashes in the database

Scott Fletcher wrote:

> Here's the challenging project I'm doing.  I'm trying to encrypt the user_id
> and password in javascript and submit it.  Then have PHP to decrypt the
> user_id and password.  The only problem I have is I don't know what
> javascript function or javascript algorithm that can also work the same way
> as the php function or php algorithm.  Anybody know?
>
> Thanks,
> FletchSOD



 







Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Scott Fletcher
I'll look into this and try it out.  The only thing that is important to me
is that the password gets encrypted before transmitting across the internet.
I'm not worried if the JS is disabled because if it is then the login will
never be authenticated.  I'll keep on exploring for ways to increase
security.   Thanks for the response.






Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Scott Fletcher
Hey!  There's no MD5 in Javascript which is why I posted the question in the
first place.  Now I lost 5 hours of my time working on writing this script.
You're going to have to be careful because you had to make sure there is MD5
features in Javascript before posting a reply.

I found a workaround to it.  You have to manually create an MD5 algorithm in
Javascript.  I did the google search and got this, it is at
http://www-adele.imag.fr/~donsez/cours/exemplescourstechnoweb/js_securehash/ .
Pretty cool, isn't it!

Take care,
 Scott




Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Brent Baisley
If you want to increase security then you really should use a secure 
connection, then everything is encrypted as well as other security 
measures. Even if you do encrypt the password you also need to establish 
and track a session to make sure it's the same computer you are 
communicating with, guarding against a hijacked connection.
Besides, using SSL is a heck of a lot easier. Just get a certificate for 
the server and slap https:// on the front of the URL. I'll admit I 
summarized the process a bit.


--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search  Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577






Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Marek Kilimajer
Really, pretty cool. I don't know why I was so sure there was a md5
function in javascript (probably because I thought it was everywhere -
until now). Thanks for the link.





Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Marek Kilimajer
Some people don't need it so sophisticated, besides you need your own IP 
to use SSL, and that's the problem with virtual hosts.





Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Scott Fletcher
It would be nice if I can use the SSL but I don't want to spend a lot of
time on it on IIS.  Besides, part of that website is only for internal part
for my company.  Besides, the end user wouldn't know where the login link is
anyway.





Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Scott Fletcher
Here's the message I got from someone.  It is pretty cool!

--clip--
if U want MD5 for Java Script try down load PHPLib and search in this
package. and you will find MD5 script with Java Script.

--clip--





Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Scott Fletcher
I got the script working so, I'm posting a script that works for me.  If you
wanna try it out or use it then you'll need to get the MD5.js that comes with
the libPHP.  Just download the libPHP and pull out only one file, MD5.js and
then junk the libPHP.

I found one thing interesting about this code is that whether the login is
successful or failed, the password will not be shown, neither is the
encrypted password.  That is a good thing.

I had to create a Session ID also.

You'll have to forgive me for including some script for PHP 4.0.6 and PHP
4.2.3 since I'm stuck with one of the employees who doesn't have time to
upgrade one of the websites.

--clip--
<?
  //PHP 4.0.x Only ==
  if ($auth == true) {
    //Initialize the Session Cookie..
    @session_start();
    @session_register("admin_detail");
  //=
  //PHP 4.2.x Only ==
  //if ($_REQUEST['auth'] == true) {
  //  //Initialize the Session Cookie..
  //  @session_start();
  //=

    $SID = session_name()."=".session_id();

    //PHP 4.0.x Only ==
    //Validating the User's Login Attempt.
    if (($user == "administrator") && ($HiddenField == md5(md5("passwordExample123").$admin_detail['random_number']))) {
    //=
    //PHP 4.2.x Only  =
    //Validating the User's Login Attempt.
    //if (($_REQUEST['user'] == "administrator") && ($_REQUEST['HiddenField'] == md5(md5("passwordExample123").$_SESSION['random_number']))) {
    //=
       header("Location: http://www.whatever.com/admin/main_index.php?$SID");
    } else {
       $login_action = "Failed!!";
    }
  } else {
    //Creation of the Session ID.
    $salt = strtoupper(md5(uniqid(rand())));

    session_id($salt);

    session_start();

    //PHP 4.0.x Only ==
    session_register('admin_detail');
    $admin_detail['random_number'] = rand();
    //=
    //PHP 4.2.x Only  ===
    //$_SESSION['random_number'] = rand();
    //=
  }
?>

<script language="javascript1.2" src="scripts/md5.js" type="text/javascript"></script>

<script language="javascript1.2" type="text/javascript">
function encryptPass(formObj) {
  formObj.HiddenField.value = MD5(MD5(formObj.pass.value)+formObj.RandomString.value);
  formObj.pass.value="";
  return true;
}
</script>


<? echo "<form name='LoginForm' method='post' action='dp_admin_auth.php?".SID."&auth=true' onSubmit='encryptPass(document.LoginForm)'>"; ?>
  <table border="0" cellpadding="0" cellspacing="0" align="center" width="600">
   <tr>
    <td class="normal">
     &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
     Use the Login to access the Administration Site.
    </td>
    <td>
     <table border='1' align='right'>
      <tr>
       <td>
        <table width='175' cellpadding='0' cellspacing='0' border='0'>
         <tr>
          <td align='center'><br>
           Username:
           <input type='text' name='user' size='10' maxlength='14'>
           <br><br>
           Password:
           <input type='password' name='pass' size='10' maxlength='14'>
           <br><br>
          </td>
         </tr>
         <tr>
          <td align='center'>
           <input type='submit' value=' Login '>&nbsp;&nbsp;
           <input type='reset' value=' Clear '><br><br>
           <?
             //PHP 4.0.x Only ==
             echo "<input type='hidden' name='RandomString' value='".$admin_detail['random_number']."'>";
             //=
             //PHP 4.2.3 Only
             //echo "<input type='hidden' name='RandomString' value='".$_SESSION['random_number']."'>";
             //=
             echo "<input type='hidden' name='HiddenField' value='Null'>";
           ?>
          </td>
         </tr>
        </table>
       </td>
      </tr>
     </table>
    </td>
   </tr>
   <tr>
    <td class="dp_support1">
     <?
       if($login_action == "Failed!!") {
         echo "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style='color:#FF;'>The Login Attempt had Failed!!</span>";
       }
     ?>
    </td>
   </tr>
  </table>
 </form>
--clip--

Enjoy!
 FletchSOD





Re: [PHP] Encrypt in Javascript and Decrypt in PHP????

2003-01-10 Thread Gerald Timothy Quimpo
On Saturday 11 January 2003 12:12 am, Scott Fletcher wrote:
> The only thing that is important to me is that the password get
> encrypted before transmitting across the internet.

from other posts further in the thread it looks like you aren't
ready to use https.  that's too bad.  that would really be the
right solution.

but since you must hash, one problem with hashing is, it is still
necessary  to have the hash vary from one invocation to another.  
otherwise, if the hash is the same every time the user logs in
(i.e., if all you do is take the password and run it through md5), 
then anyone who can sniff the hash will be able to replay a login.

unfortunately, if you want the hash to be different from one
invocation to the next, then the password cannot be stored
on the server as a one-way hash.  instead, it would be either
plaintext or encrypted on the server.  this way, when you
want to send the hash over the internet, instead of just hashing
the password, you can generate a few extra characters.  append
(or prepend) the characters to the password.  then hash the
whole thing.

then, when you send the hash over, send the extra characters
too.  on the server side, you would then take the password from
the database (or wherever), decrypt it (if it's encrypted), append
or prepend the extra characters, hash the whole thing, and
compare the hashes.

tiger

-- 
Gerald Timothy Quimpo  tiger*quimpo*org gquimpo*sni-inc.com tiger*sni*ph
Public Key: gpg --keyserver pgp.mit.edu --recv-keys 672F4C78
   Veritas liberabit vos.
   Doveryai no proveryai.
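
The exchange discussed in this thread, as an added example that is not part of any poster's message: a static md5(password) login beside the session-held random-string scheme, showing which one accepts a replayed value and that the stored md5(password) is itself enough to answer a challenge. It assumes Node.js and its built-in crypto module; LoginServer, clientResponse, safeEqual and demo are hypothetical names, and the account is a constructed sample reusing the user name and password from the script posted in the thread.

```javascript
// Added illustration; all names here are hypothetical, data is constructed.
const { createHash, randomBytes, timingSafeEqual } = require('crypto');

const md5 = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample account: the server stores md5(password), as the thread assumes.
const USERS = new Map([['administrator', md5('passwordExample123')]]);

// Constant-time string comparison for the hex digests.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

class LoginServer {
  constructor() {
    this.sessions = new Map(); // session id -> pending random string
  }

  // Issue a fresh random string and remember it server-side (the "session variable").
  issueChallenge(sessionId) {
    const challenge = randomBytes(16).toString('hex');
    this.sessions.set(sessionId, challenge);
    return challenge;
  }

  // Scheme 1: the client always sends md5(password). The value never changes.
  verifyStatic(user, hash) {
    const stored = USERS.get(user);
    return stored !== undefined && safeEqual(hash, stored);
  }

  // Scheme 2: the client sends md5(md5(password) + challenge). The challenge is
  // read from the session, never from the request, and is consumed on every
  // attempt so a captured response cannot be submitted twice.
  verifyChallenge(sessionId, user, response) {
    const challenge = this.sessions.get(sessionId);
    this.sessions.delete(sessionId);
    const stored = USERS.get(user);
    if (challenge === undefined || stored === undefined) return false;
    return safeEqual(response, md5(stored + challenge));
  }
}

// What the browser-side onsubmit handler computes.
function clientResponse(password, challenge) {
  return md5(md5(password) + challenge);
}

function demo() {
  const server = new LoginServer();

  // Static hash: a value seen once on the wire is accepted again.
  const seenOnWire = md5('passwordExample123');
  const staticReplay = server.verifyStatic('administrator', seenOnWire);

  // Challenge-response: the first submission succeeds...
  const c1 = server.issueChallenge('sess-A');
  const r1 = clientResponse('passwordExample123', c1);
  const firstLogin = server.verifyChallenge('sess-A', 'administrator', r1);
  // ...the same response is rejected once the challenge has been consumed...
  const replaySameSession = server.verifyChallenge('sess-A', 'administrator', r1);
  // ...and it is rejected against a different session's challenge.
  server.issueChallenge('sess-B');
  const replayNewSession = server.verifyChallenge('sess-B', 'administrator', r1);

  // Caveat for whoever guards the users table: the stored md5(password) is all
  // the client-side computation needs, so it must be protected like a password.
  const c3 = server.issueChallenge('sess-C');
  const storedHashIsPasswordEquivalent = server.verifyChallenge(
    'sess-C', 'administrator', md5(USERS.get('administrator') + c3));

  return { staticReplay, firstLogin, replaySameSession, replayNewSession,
           storedHashIsPasswordEquivalent };
}

console.log(demo());
```

The scheme only addresses replay of the login value; the session identifier and everything after login still travel in the clear without https.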
