Page 1 of 1
javascript encription and php decription
Posted: Mon Sep 26, 2011 5:20 pm
by elim
I'm looking for the solution of secure login without ssl. And I think the following idea should be reasonable:
using a randomly generated key (maybe depend to current time and some custom logic) and javascript to
encript the password and send the result to server.
in server php script, using the same key to decript the pass into the user entered pass text and verify it
against mysql user account.
Is there already some implementation of this idea with free license? Thanks a lot
Re: javascript encription and php decription
Posted: Mon Sep 26, 2011 6:52 pm
by Eric!
jCryption. But it is not as secure or as good as SSL.
Here's a
good discussion about it.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 12:46 am
by Mordred
You can't replace SSL with javascript encryption, SSL is about protecting the whole stream and you will not get a "secure" login with any javascript crypto (by the same definition for "secure" you will get with SSL/TLS)
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 6:49 am
by Eric!
I'm just guessing here, but I think he wants something totally free and silent just to encrypt his passwords over the internet. As opposed to the scary "This Connection is Untrusted" warning you get with a free self-signed SSL cert.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 7:01 am
by Mordred
The point is, you either do it with SSL or you don't do it at all. There's little room for middle ground here, can't be done.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 7:41 am
by Eric!
Can you help me understand why? I don't know much about encryption weaknesses. If you're just doing an RSA encryption (like jCryption) of the password you certainly aren't going to be protecting anything else on the log-in page like the session data, but would the password itself be any less secure?
I know it's not standard, but paying for a ssl cert is out of the budget for many people and the cert warnings scare people away completely. So I'm sympathetic to the jCryption idea.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 7:57 am
by Mordred
The problem is not in the crypto itself, it's in the environment. Security is only as strong as the weakest link in the chain. Here's a parable:
Alice has an account on
http://bob.com (no SSL)
Normally, Alice goes to bob.com, which serves a login page, Alice's browser does the crypto and she logins "securely".
Now consider Mallory who sits in the middle between Alice and bob.com
He impersonates bob.com, sends Alice a login page with disabled or weakened crypto, then uses the captured credentials to impersonate Alice in front of bob.com
So the crypto library (assuming it's securely implemented) works in general (with no Mallory), but not in the very case it's supposed to be doing its job!
P.S. I just read the previous discussion you mentioned. I think Kai missed the point there and went a bit overboard with the "secure against eavesdropping" part. So did the author of jCryption btw. With no SSL it
can't be done, period.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 8:25 am
by Eric!
Thanks. I get it. So the man-in-the-middle swaps out the java encryption code in a way that allows the client to submit the password as plain text say by posting the plaintext as an extra variable during submission.
I've seen a lot of talk about MITM problems with SSL too. Are you implying that the time and energy poured into SSL weaknesses makes it much more secure than some undetectable swapped out javascript? So for people who know next to nothing about real encryption should just stick with it? The only problem with SSL is the cost because the warnings for free certs (and the lower security level without authentication) are big downsides making it unusable in many cases.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 8:31 am
by Mordred
There are no MITM problems with SSL, unless:
- A certificate authority has been compromised (there were several such cases in the last couple of years)
- It is a self-signed certificate
Self-signed certificates should be used only for testing. If you see a cert warning YOU ARE NOT SECURE, because you can't tell if the certificate comes from bob.com or from Mallory -- this is exactly why there are certificate authorities.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 9:19 am
by Eric!
Well, there is the
compelled certificate creation attack. I don't know that much about it, but it seems to be a big SSL MITM problem. Of course this attack is only available to state authorities.
Doesn't it seem crazy there is there no free way to secure a http connection? What if there was a browser plug-in that performed the encryption instead of javascript? I do understand the complexities behind security but it seems pgp style encryption has been around for a long time yet SSL seems to be all we have and it is expensive.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 9:32 am
by Mordred
Reading the paper (or at least the abstract) will maybe clear things for you a bit. It's no different than a compromise of the CA chain, point one in my short list above.
The current CA trust chain has problems on its own level, but the practical problems so far seem to be pointed at political uses of the broken trust, not commercial. So using TLS for commerce is fine.
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 9:44 am
by Eric!
I'm not arguing with your points at all. I agree, it seems there is no limit to why or how the CA can be faked (commercial or political) if you are a government authority. Even worse however is CNNIC becoming a CA authority so who knows what is compromised there. Some kind of free, but secure alternative has to be out there (assuming it's legal, which might be the limiting problem since the government can't break it easily).
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 10:51 am
by elim
Thanks Eric! and Mordred. I learned a lot through your discussion.
Yes I just like to find something free since the project I'm working on is for free to an org.
I think many sites with no SSL for reasons, if the data have nothing to do with real private info etc, why bother using SSL?
Depends on admin or the IT leader, this time I just need to do something about login security. And I believe jCryption is good enough to satisfy them.
From software architecture point of view, SSL is definitely the best for the internet security.
For some reason, I tried jCryption ok for window servers but not for the Linux server...
Re: javascript encription and php decription
Posted: Tue Sep 27, 2011 2:27 pm
by Eric!
elim wrote:For some reason, I tried jCryption ok for window servers but not for the Linux server...
I would guess it might have more to do with the apache/php version or libraries on the server. You need libbcmath also the jQuery needs to be 1.4.2 or newer.
Here's
another javascript encryption scheme that includes rsa binding. It is a multi-prime RSA scheme which speeds it up, one of the big complaints with jCryption, but isn't as secure.