Transmitting passwords over the internet
scatty1985
- Forum Newbie
- Posts: 24
- Joined: Fri Dec 18, 2009 8:57 am
Transmitting passwords over the internet
Hi,
First of all I'm new to this site and am trying to teach myself PHP, Javascript and stuff like that so I'm pretty new to all of this!
I have a quick question to ask.
I'm playing about with security and wanted to know which was the most secure method of submitting data to a database, for example a password.
Obviously I don't want to transmit the plain text password over the internet, so I'm using a hash function to hash the password before storing it in a database.
I've come to realise there are two ways to do this. Either get PHP to hash the password before adding it to the database, or get JavaScript to hash the password before it's sent using the POST or GET form method.
My understanding is that as PHP is executed at the server, the password must first be transmitted over the internet in plain text before it is hashed. Therefore the most secure method is to hash the password using JavaScript before it's submitted.
Is this the case, or have I misunderstood?
Thanks,
Scott
Re: Transmitting passwords over the internet
You must use SSL to transmit data securely. Hashing is used to store passwords securely, not for transmitting.
scatty1985
- Forum Newbie
- Posts: 24
- Joined: Fri Dec 18, 2009 8:57 am
Re: Transmitting passwords over the internet
Ah ok, I think I understand. Anyone could intercept the hashed password as it's transmitted and gain access.
Re: Transmitting passwords over the internet
timWebUK wrote:You must use SSL to transmit data securely. Hashing is used to store passwords securely, not for transmitting.
In fact, one can implement a JS challenge-response authentication.
This way only a hash of the password a user enters and the server challenge string is transmitted (no SSL).
There are 10 types of people in this world, those who understand binary and those who don't
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Transmitting passwords over the internet
scatty1985 wrote:Anyone could intercept the hashed password as it's transmitted and gain access.
Indeed. That would be a replay attack.
You could use a JavaScript challenge-response system, but it's not perfect. It means that if your hash is made up of a secret filesystem key, it would have to be exposed for the system to work. Also, it's only useful against passive network attacks (eavesdropping), but not against active network attacks such as ARP Poisoning, IP source routing, DNS rebinding, STP mangling, Access Point Reassociation, etc. Using SSL/TLS is the best thing to do.
Personally, I would rather implement an asynchronous encryption with JavaScript than the traditional challenge-response system.
scatty1985
- Forum Newbie
- Posts: 24
- Joined: Fri Dec 18, 2009 8:57 am
Re: Transmitting passwords over the internet
How would I go about implementing asynchronous encryption with JavaScript? I have found this script, but wouldn't I need something similar in PHP to decrypt the passwords on the server side?
Thanks
Re: Transmitting passwords over the internet
If you insist on implementing SSL's encryption functionality (well, effectively) by hand, then sure 
But really, using SSL (https://) does just this - thoroughly tested and proven, and with signed certificates (as opposed to a random key in javascript which may be forged by a middle man).
scatty1985
- Forum Newbie
- Posts: 24
- Joined: Fri Dec 18, 2009 8:57 am
Re: Transmitting passwords over the internet
I'm not really looking at using SSL as it costs £££
but I am just playing about with different security concepts to try and learn some stuff!
Re: Transmitting passwords over the internet
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
That won't reveal the user password, nor will it give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker won't get any success.
There are 10 types of people in this world, those who understand binary and those who don't
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Transmitting passwords over the internet
scatty1985 wrote:How would I go about implementing asynchronous encryption with JavaScript? I have found this script: http://www.hanewin.net/encrypt/aes/aes.htm
Asymmetric encryption, not asynchronous. AES is symmetric, so it gives us nothing here. You could take a look at RSA and implement it in PHP+JS.
But remember that SSL/TLS encryption is necessary if you wish to prevent active network attacks.
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
VladSun wrote:That won't reveal the user password, nor will it give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker won't get any success.
Actually, the whole initial page could be an altered version by the intruder and send the credentials in plain-text to him through a proxy and nobody notices anything.
Re: Transmitting passwords over the internet
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
VladSun wrote:That won't reveal the user password, nor will it give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker won't get any success.
kaisellgren wrote:Actually, the whole initial page could be an altered version by the intruder and send the credentials in plain-text to him through a proxy and nobody notices anything.
It's clear that if one is in a position to change content, then SSL is the solution. But if one can only observe your traffic, then that could be of help.
PS: In fact, I am not sure that SSL is a solution either - that's because *END*-users are involved
There are 10 types of people in this world, those who understand binary and those who don't
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Transmitting passwords over the internet
VladSun wrote:It's clear that if one is in a position to change content, then SSL is the solution. But if one can only observe your traffic, then that could be of help.
That's the difference between active and passive network attacks.
VladSun wrote:PS: In fact, I am not sure that SSL is a solution either - that's because *END*-users are involved
Are you referring to situations where users don't load pages over SSL, or go to the wrong website (phishing), etc?