Page 1 of 1

Transmitting passwords over the internet

Posted: Fri Dec 18, 2009 9:08 am
by scatty1985
Hi,

First of all I'm new to this site and am trying to teach myself PHP, Javascript and stuff like that so I'm pretty new to all of this!

I have a quick question to ask.

I'm playing about with security and wanted to know which was the most secure method of submitting data to a database, for example a password.

Obviously I dont want to transmit the plain text password over the internet so I'm using the a hash function to hash the password before storing it on a database.

I've come to realise there are two ways to do this. Either get PHP to hash the password before adding it to the database or get Javascript to hash the password before its sent using the POST or GET form method.

My understanding is as PHP is executed at the server, the password must first be transmitted over the internet in plain text before it is hashed. Therefore the most secure method is to hash the password using Javascript before its submitted.

Is this the case or am I misunderstood?

Thanks,

Scott

Re: Transmitting passwords over the internet

Posted: Fri Dec 18, 2009 9:14 am
by timWebUK
You must use SSL to transmit data securely. Hashing is used to store passwords securely, not for transmitting.

Re: Transmitting passwords over the internet

Posted: Fri Dec 18, 2009 9:17 am
by scatty1985
Ah ok I think I understand. Anyone could intercept the hashed passwrod as its transmitted and gain access.

Re: Transmitting passwords over the internet

Posted: Fri Dec 18, 2009 9:27 am
by VladSun
timWebUK wrote:You must use SSL to transmit data securely. Hashing is used to store passwords securely, not for transmitting.
In fact, one can implement a JS challenge-response authentication :)
This way only a hashed values of the password a user enters and the server challenge string is transmitted (no SSL)

Re: Transmitting passwords over the internet

Posted: Sat Dec 19, 2009 3:59 am
by kaisellgren
scatty1985 wrote:Anyone could intercept the hashed passwrod as its transmitted and gain access.
Indeed. That would be a replay attack.

You could use a JavaScript challenge-response system, but it's not perfect. It means that if your hash is made up of a secret filesystem key, it would have to be exposed for the system to work. Also, it's only useful against passive network attacks (eavesdropping), but not against active network attacks such as ARP Poisoning, IP source routing, DNS rebinding, STP mangling, Access Point Reassociation, etc. Using SSL/TLS is the best thing to do.

Personally, I would rather implement an asynchronous encryption with JavaScript than the traditional challenge-response system.

Re: Transmitting passwords over the internet

Posted: Sun Dec 20, 2009 2:40 am
by scatty1985
How would I go about implementing asynchronous encryption with JavaScript? I have found this script but wouldnt I need something similar in php to decrypt the passwords on the server side?

Thanks

Re: Transmitting passwords over the internet

Posted: Sun Dec 20, 2009 2:46 am
by Apollo
If you insist on implementing SSL's encryption functionality (well, effectively) by hand, then sure :)

But really, using SSL (https://) does just this - thoroughly tested and proven, and with signed certificates (as opposed to a random key in javascript which may be forged by a middle man).

Re: Transmitting passwords over the internet

Posted: Sun Dec 20, 2009 3:40 am
by scatty1985
Im not really looking at using SSL as it cost £££ :P but I am just playing about with different security concepts to try and learn some stuff! :D

Re: Transmitting passwords over the internet

Posted: Sun Dec 20, 2009 4:53 am
by VladSun
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
That won't reveal the user password, nor it will give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker wont' get any success.

Re: Transmitting passwords over the internet

Posted: Sun Dec 20, 2009 5:01 am
by kaisellgren
scatty1985 wrote:How would I go about implementing asynchronous encryption with JavaScript? I have found [url=<a class="linkclass" href="http://www.hanewin.net/encrypt/aes/aes.htm]this">http://www.hanewin.net/encrypt/aes/aes.htm]this</a> script[/url]
An asymmetric encryption, not an asynchronous. AES is symmetric, so, it gives us nothing here. You could take a look at RSA and implement it on PHP+JS.

But remember that SSL/TLS encryption is necessary if you wish to prevent active network attacks.
VladSun wrote:
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
That won't reveal the user password, nor it will give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker wont' get any success.
Actually, the whole initial page could be an altered version by the intruder and send the credentials in plain-text to him through a proxy and nobody notices anything.

Re: Transmitting passwords over the internet

Posted: Sun Dec 20, 2009 10:18 am
by VladSun
kaisellgren wrote:
VladSun wrote:
Apollo wrote:... as opposed to a random key in javascript which may be forged by a middle man...
That won't reveal the user password, nor it will give access to the site. Well, it really depends on the particular implementation (both client and server side), but if it's done properly, the attacker wont' get any success.
Actually, the whole initial page could be an altered version by the intruder and send the credentials in plain-text to him through a proxy and nobody notices anything.
It's clear that if one is in position to change content, then SSL is the solution. But if one can only observe your traffic, then that could be in help.

PS: In fact, I am not sure that SSL is a solution either - that's because *END*-users are involved :P

Re: Transmitting passwords over the internet

Posted: Sun Dec 20, 2009 11:14 am
by kaisellgren
VladSun wrote:It's clear that if one is in position to change content, then SSL is the solution. But if one can only observe your traffic, then that could be in help.
That's the different between active and passive network attacks.
VladSun wrote:PS: In fact, I am not sure that SSL is a solution either - that's because *END*-users are involved :P
Are you referring to situations where users don't load pages in SSL, or go to wrong website (phishing), etc?