encryption with PHP and JS
Posted: Tue Sep 24, 2002 11:39 am
by TurboMC
In MySql database i keep passwords in encrypted form (md5()).
Is there any possibility to encrypt string with md5() before posting?
I don't want to send unencrypted password. Maybe JS would help me with this...
Thanks in advance
Posted: Tue Sep 24, 2002 5:24 pm
by volka
md5 is not an encryption.
Sending an md5-hashed key and using it as a password is not safer than sending a plain-text key and using that as the password.
Both are simple strings and valid as password if sniffed.
You may send a variable string to the client (the session-id will do). There the password is concatenated and the whole string is md5-hashed. This hash is transmitted back to the server that will compare the same string hashed against the transmitted one.
But therefore it is necessary to keep the user's password in a reversible form. You have to choose between host-security (md5-hashed passwords stored in db) or client/net-side security.
The next step would be a public-key-encryption, but this you better leave to other mechanisms encapsulating the http-connection.
md5 as javascript is available at
http://pajhome.org.uk/crypt/md5/.
There are also links to scripts providing the described login-system.
Posted: Tue Sep 24, 2002 5:42 pm
by nielsene
Dummy line to stop first character truncation of the quoted text....
volka wrote:
You have to choose between host-security (md5-hashed passwords stored in db) or client/net-side security.
The next step would be a public-key-encryption but this you better leave to other mechanisms encapsulating the http-connection
You only have to choose between host and client/net if you aren't using SSL. I think that's what you allude to in the second quoted paragraph, but I just wanted to make it clear.
Single-side PKI (server certs only, as commonly seen in SSL) gives you client/net security while still letting you keep passwords in hashed, (non-reversible) form.
Posted: Wed Oct 09, 2002 5:36 pm
by sweahe
I do it like that... I send a random md5 hash to the client login page, then I md5 the password with javascript on the client side and then once more md5 the password hash concatenated with the random hash and send that to the server... then I look up the username in the DB; if the username is found it takes the password from the DB (which is stored as an md5 hash) and runs md5 on the hashed password and the same random hash as was sent to the client, then compares... if it matches... you're logged in!
For maximum security I also have a key hash cookie on the client side and the same key in a session var... and every click the user does when logged in the cookie and the session var changes the key... so if someone spoofs the cookie, it would only be valid until the user clicks another link!
Add SSL to that and you have a pretty secure system... not 100% it can never be, but definitively better than most!
I hope someone understood... =)
/Andreas
Posted: Thu Oct 10, 2002 11:06 am
by nielsene
I would say that if you have SSL, you shouldn't bother with the javascript/client-side encrypting. You already have a secure pipe to communicate through.
re secure sockets
Posted: Sat Mar 29, 2003 5:38 am
by williery10
I'm pretty new to securing sites; can you recommend any good reading material on SSL? I know it is a secure pipeline between the client and server but don't know how to implement it, whether it is free or has to be purchased, or where to get it.
Cheers
Williery