Transmitting passwords over the internet

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


scatty1985
Forum Newbie
Posts: 24
Joined: Fri Dec 18, 2009 8:57 am

Transmitting passwords over the internet

Post by scatty1985 »

Hi,

First of all, I'm new to this site and am trying to teach myself PHP, JavaScript and stuff like that, so I'm pretty new to all of this!

I have a quick question to ask.

I'm playing about with security and wanted to know which was the most secure method of submitting data to a database, for example a password.

Obviously I don't want to transmit the plain-text password over the internet, so I'm using a hash function to hash the password before storing it in a database.

I've come to realise there are two ways to do this. Either get PHP to hash the password before adding it to the database, or get JavaScript to hash the password before it's sent using the POST or GET form method.

My understanding is that as PHP is executed at the server, the password must first be transmitted over the internet in plain text before it is hashed. Therefore the most secure method is to hash the password using JavaScript before it's submitted.

Is this the case, or have I misunderstood?

Thanks,

Scott
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Transmitting passwords over the internet

Post by timWebUK »

You must use SSL to transmit data securely. Hashing is used to store passwords securely, not for transmitting.
scatty1985
Forum Newbie
Posts: 24
Joined: Fri Dec 18, 2009 8:57 am

Re: Transmitting passwords over the internet

Post by scatty1985 »

Ah, OK, I think I understand. Anyone could intercept the hashed password as it's transmitted and gain access.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Transmitting passwords over the internet

Post by VladSun »

timWebUK wrote:You must use SSL to transmit data securely. Hashing is used to store passwords securely, not for transmitting.
In fact, one can implement a JS challenge-response authentication :)
This way only a hashed value of the password the user enters and the server challenge string is transmitted (no SSL).
There are 10 types of people in this world, those who understand binary and those who don't
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Transmitting passwords over the internet

Post by kaisellgren »

scatty1985 wrote:Anyone could intercept the hashed password as it's transmitted and gain access.
Indeed. That would be a replay attack.

You could use a JavaScript challenge-response system, but it's not perfect. It means that if your hash is made up of a secret filesystem key, it would have to be exposed for the system to work. Also, it's only useful against passive network attacks (eavesdropping), but not against active network attacks such as ARP Poisoning, IP source routing, DNS rebinding, STP mangling, Access Point Reassociation, etc. Using SSL/TLS is the best thing to do.

Personally, I would rather implement an asynchronous encryption with JavaScript than the traditional challenge-response system.
scatty1985
Forum Newbie
Posts: 24
Joined: Fri Dec 18, 2009 8:57 am

Re: Transmitting passwords over the internet

Post by scatty1985 »

How would I go about implementing asynchronous encryption with JavaScript? I have found this script, but wouldn't I need something similar in PHP to decrypt the passwords on the server side?

Thanks
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Transmitting passwords over the internet

Post by Apollo »

If you insist on implementing SSL's encryption functionality (well, effectively) by hand, then sure :)

But really, using SSL (https://) does just this - thoroughly tested and proven, and with signed certificates (as opposed to a random key in javascript which may be forged by a middle man).
scatty1985
Forum Newbie
Posts: 24
Joined: Fri Dec 18, 2009 8:57 am

Re: Transmitting passwords over the internet

Post by scatty1985 »

I'm not really looking at using SSL as it costs £££ :P, but I am just playing about with different security concepts to try and learn some stuff! :D
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Transmitting passwords over the internet

Post by VladSun »

Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
That won't reveal the user's password, nor will it give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker won't have any success.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Transmitting passwords over the internet

Post by kaisellgren »

scatty1985 wrote:How would I go about implementing asynchronous encryption with JavaScript? I have found this script (http://www.hanewin.net/encrypt/aes/aes.htm)
Asymmetric encryption, not asynchronous. AES is symmetric, so it gives us nothing here. You could take a look at RSA and implement it in PHP+JS.

But remember that SSL/TLS encryption is necessary if you wish to prevent active network attacks.
VladSun wrote:
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
That won't reveal the user's password, nor will it give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker won't have any success.
Actually, the whole initial page could be an altered version by the intruder that sends the credentials in plain text to him through a proxy, and nobody notices anything.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Transmitting passwords over the internet

Post by VladSun »

kaisellgren wrote:
VladSun wrote:
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
That won't reveal the user's password, nor will it give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker won't have any success.
Actually, the whole initial page could be an altered version by the intruder that sends the credentials in plain text to him through a proxy, and nobody notices anything.
It's clear that if one is in a position to change content, then SSL is the solution. But if one can only observe your traffic, then that could help.

PS: In fact, I am not sure that SSL is a solution either - that's because *END*-users are involved :P
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Transmitting passwords over the internet

Post by kaisellgren »

VladSun wrote:It's clear that if one is in a position to change content, then SSL is the solution. But if one can only observe your traffic, then that could help.
That's the difference between active and passive network attacks.
VladSun wrote:PS: In fact, I am not sure that SSL is a solution either - that's because *END*-users are involved :P
Are you referring to situations where users don't load pages in SSL, or go to wrong website (phishing), etc?