Home Grown Authentication Method - Secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

pdoersch
Forum Newbie
Posts: 12
Joined: Sun Mar 06, 2005 1:09 pm


Post by pdoersch »

I came up with my own "home grown" security method, but a little bit of math is required to at least understand this. It only has one user as it is, but several could be worked into it. The general idea is that the server sends a random number to the client. The user puts in the passNUMBER which is a big prime. Then the magic...

( passNumber mod rand# ) -> temporaryPassnumber

temporaryPassnumber gets sent to server, which does the same math on its side, and if they get the same answer, then you're in.

Any bad guy could easily find the rand# and the tempPass, but they couldn't do anything with them anymore, and there would be infinite solutions when they try to find the original pass number. The original passnumber is not sent through the internet, and one can't work backwards to find it. Now the random number had to be around 1000 to 100000 within reason, and the passnumber I have is a 9-digit prime. This isn't simplified, so it will probably take some thinking to figure out.

Code:

if ($_GET['search'] == 'edit a file') {
        echo "<font size='2' color='#494949'>You are not supposed to be here. Please change your search. If you think this is a problem, please send an email to  <a href='mailto:ouremail@address.foo'><font color='#1255b6'>ouremail@address.foo</a></font>.<br/><br/>";
        echo "<font size='2' color='#494949'><form action='ymagazine.php' method='POST'>
            file: <input type='text' name='file' /><br/><br/>
            <input type='submit' />
            <input type='hidden' name='op' value='edit' />
            </form></font>";
    }
    else if ($_POST['op'] == 'edit') {
        $file = $_POST['file'];
        if (preg_match("/[^0-9]/", $file) && $file != "1main.txt") {
            echo "<font size='2' color='#494949'>Sorry, Invalid File Name</font>";
        } else {
            $f = fopen($file, "r");
            echo "
                <script type='text/javascript'>
                function myfunction(){
                var getrand = document.security.rand.value
                var passnumber = document.passnumber.passnumber.value
                var ans = passnumber%getrand
                document.security.send.value = ans
                document.security.rand.value = 'erased'
                document.passnumber.passnumber.value = 'erased'
                }
                </script>
                <font size='2' color='#494949'><form action='ymagazine.php' method='POST' name='security' onSubmit='myfunction()' >
                Content: <br/><textarea name='content' cols='60' rows='20' value=''>";
            while (!feof($f)) {
                $x = fgets($f);
                echo $x;
            }
            $rand = rand(1001, 10001);
            $g = fopen("randomnumber", "w");
            $write = fwrite($g, $rand);
            echo "</textarea><br/><br/>
                <input type='submit' value='Submit' />
                <input type='hidden' name='rand' value='" . $rand . "'><br/>
                <input type='hidden' name='send' value=''>
                <input type='hidden' name='op' value='save' />
                <input type='hidden' name='file' value='" . $file . "' />
                </form>
                <form name='passnumber'>
                Password: <input type='text' name='passnumber' value=''><br/>
                </form>
                </font>";
        }
    }
    else if ($_POST['op'] == 'save') {
        $file = $_POST['file'];
        $content = stripslashes($_POST['content']);
        $send = $_POST['send'];
        $g = fopen("randomnumber", "r");
        $rand = str_replace("\n", "", fgets($g));
        $correct = (#########%$rand);
        if (preg_match("/[^0-9]/", $file) && $file != "1main.txt") {
            echo "<font size='2' color='#494949'>Sorry, Invalid File Name</font>";
        }
        else if ($correct == $send) {
            $f = fopen($file , "w" );
            fwrite($f, $content);
            echo "<font size='2' color='#494949'>The file has been edited.</font>";
        } else {
            echo "<font size='2' color='#494949'>Sorry, Security Issue</font>";
        }
        $rand = rand(1001, 10001);
        $g = fopen("randomnumber", "w");
        $write = fwrite($g, $rand);
    }

feyd | Please use code tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Before I even took a look at the security method, a word of warning: with "home grown" security methods, they are almost always insecure. You should always use some sort of already reviewed method.

Second of all, as it stands (from my understanding) the password has to be a number. I'm sure quite a few people won't be appreciative of that.

Third, the use of JavaScript potentially locks anyone out who doesn't use javascript.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Knowing the random number and the temporary pass, plus the keyword prime, will generally give the exact pass needed. If some statistics are kept, the number can be zeroed in on fairly easily at any rate.

People have a hard enough time remembering their own phone number or social security number... having them try to remember a 9 or more digit number is asking a bit much.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

This sounds similar to a challenge/response authentication system. Is that what you were out to do?

In c/r, server and client both generate an ever-shifting hash that must be identical to authenticate the user. The hash is usually on a concatenation of user:passwd(hashed):challenge(sent by server).

Hashing from client is provided by javascript. Challenge is random, and expires pretty quickly.

End result is that a shifting hash is sent over the wire - no in the clear password.
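A sketch of the challenge/response flow described in the post above, added here as an example and not code from the thread. It swaps the plain hash of the concatenation for HMAC-SHA-256 keyed with the hashed password; the function names, the 60-second lifetime and the in-memory challenge store are assumptions.

```javascript
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 60000; // assumption: a challenge is valid for 60 seconds
const pending = new Map();      // server side: challenge -> expiry timestamp

// What the server keeps instead of the clear password (hypothetical storage scheme).
function storedSecret(user, password) {
  return crypto.createHash('sha256').update(`${user}:${password}`).digest('hex');
}

// Server: issue a random challenge and remember when it expires.
function issueChallenge(now = Date.now()) {
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Client and server both compute this; only the result crosses the wire.
function response(user, secretHex, challenge) {
  return crypto.createHmac('sha256', Buffer.from(secretHex, 'hex'))
    .update(`${user}:${challenge}`)
    .digest();
}

// Server: accept a response once, only for a live challenge, compared in constant time.
function verify(user, secretHex, challenge, clientResponse, now = Date.now()) {
  const expiry = pending.get(challenge);
  pending.delete(challenge); // single use: a replayed response finds no challenge
  if (expiry === undefined || now > expiry) return false;
  const expected = response(user, secretHex, challenge);
  return clientResponse.length === expected.length &&
    crypto.timingSafeEqual(expected, clientResponse);
}
```

The stored hash is password-equivalent in this design, and nothing here protects the request after authentication, so it complements transport encryption rather than replacing it.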
pdoersch
Forum Newbie
Posts: 12
Joined: Sun Mar 06, 2005 1:09 pm

Post by pdoersch »

Yes, that is basically what I wanted to do. The server sends a number to be modified, the user uses his or her passnumber to modify it, and sends the result back. No clear password sent through internet. Since this post, I have implemented a larger prime (still 9 digits but about 4 times bigger) and then I converted it to base 36 (all digits and letters) so the user only has to type about 5 letters and numbers. The computer does the rest. As for javascript, doesn't pretty much everyone have and use it? What other options do I have for client side computations? And it is true that eventually, with enough pairs of random numbers and sent (modified) numbers, the list of reasonably sized passnumbers could be lowered enough to test, but I don't know how many pairs it would take, or how much computing time. I tried some simple experiments in Excel, which was useless, Excel couldn't handle the lists I passed it from a Perl script. Any way you guys know to test this without writing a Perl script to do the whole thing?
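The experiment asked about in the last post fits in a few lines; this added example (not code from the thread) counts how many 9-digit numbers stay consistent with each observed (rand, send) pair. The secret 998244353 and the three challenges are constructed values, and the function names are assumptions.

```javascript
// Constructed values: a 9-digit prime as the passnumber and three challenges
// from the thread's rand(1001, 10001) range.
const SECRET = 998244353;
const CHALLENGES = [1009, 4001, 9973];
const LOW = 100000000, HIGH = 1000000000; // the 9-digit search space

// Trial division is enough for numbers below 10^9.
function isPrime(n) {
  if (n < 2 || n % 2 === 0) return n === 2;
  for (let d = 3; d * d <= n; d += 2) if (n % d === 0) return false;
  return true;
}

// What anyone watching the wire sees per login: the challenge and passnumber % challenge.
function observe(secret, challenges) {
  return challenges.map((rand) => ({ rand, send: secret % rand }));
}

// Count the 9-digit numbers still consistent after each observed pair.
function narrow(pairs) {
  const [first, ...rest] = pairs;
  // First pair: every x in range with x % rand === send is an arithmetic progression.
  const start = first.send + Math.ceil((LOW - first.send) / first.rand) * first.rand;
  let remaining = [];
  for (let x = start; x < HIGH; x += first.rand) remaining.push(x);
  const counts = [remaining.length];
  // Each further pair filters the survivors.
  for (const { rand, send } of rest) {
    remaining = remaining.filter((x) => x % rand === send);
    counts.push(remaining.length);
  }
  return { counts, remaining };
}

const pairs = observe(SECRET, CHALLENGES);
const result = narrow(pairs);
// Knowing the passnumber is prime shrinks the two-pair list further.
const primesAfterTwo = narrow(pairs.slice(0, 2)).remaining.filter(isPrime);
console.log(result.counts, primesAfterTwo.length, result.remaining);
```

Because the three challenges are pairwise coprime and their product exceeds 10^9, the third pair leaves exactly one candidate.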