PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Sun Mar 13, 2005 6:16 pm 
Forum Newbie

Joined: Sun Mar 06, 2005 2:09 pm
Posts: 12
I came up with my own "home grown" security method, but a little bit of math is required to at least understand this. It only has one user as it is, but several could be worked into it. The general idea is that the server sends a random number to the client. The user puts in the passNUMBER which is a big prime. Then the magic...

( passNumber mod rand# ) -> temporaryPassnumber

temporaryPassnumber gets sent to server, which does the same math on its side, and if they get the same answer, then you're in

any bad guy could easily find the rand# and the tempPass, but they couldn't do anything with them anymore, and there would be infinite solutions when they try to find the original pass number. The original passnumber is not sent through the internet, and one can't work backwards to find it. Now the random number had to be around 1000 to 100000 within reason, and the passnumber I have is a 9-digit prime. This isn't simplified, so it will probably take some thinking to figure out.

```php
<?php
if ($_GET['search'] == 'edit a file') {
    echo "<font size='2' color='#494949'>You are not supposed to be here. Please change your search. If you think this is a problem, please send an email to <a href='mailto:ouremail@address.foo'><font color='#1255b6'>ouremail@address.foo</font></a>.<br/><br/>";
    echo "<font size='2' color='#494949'><form action='ymagazine.php' method='POST'>
        file: <input type='text' name='file' /><br/><br/>
        <input type='submit' />
        <input type='hidden' name='op' value='edit' />
        </form></font>";
} else if ($_POST['op'] == 'edit') {
    $file = $_POST['file'];
    // only all-digit file names or 1main.txt are accepted
    if (preg_match("/[^0-9]/", $file) && $file != "1main.txt") {
        echo "<font size='2' color='#494949'>Sorry, Invalid File Name</font>";
    } else {
        $f = fopen($file, "r");
        // client side: send = passnumber mod rand, then both fields are wiped
        echo "
            <script type='text/javascript'>
            function myfunction(){
                var getrand = document.security.rand.value
                var passnumber = document.passnumber.passnumber.value
                var ans = passnumber%getrand
                document.security.send.value = ans
                document.security.rand.value = 'erased'
                document.passnumber.passnumber.value = 'erased'
            }
            </script>
            <font size='2' color='#494949'><form action='ymagazine.php' method='POST' name='security' onSubmit='myfunction()' >
            Content: <br/><textarea name='content' cols='60' rows='20'>";
        while (!feof($f)) {
            $x = fgets($f);
            echo $x;
        }
        // the challenge is stored in a file so the save step can recompute the answer
        $rand = rand(1001, 10001);
        $g = fopen("randomnumber", "w");
        $write = fwrite($g, $rand);
        echo "</textarea><br/><br/>
            <input type='submit' value='Submit' />
            <input type='hidden' name='rand' value='" . $rand . "'><br/>
            <input type='hidden' name='send' value=''>
            <input type='hidden' name='op' value='save' />
            <input type='hidden' name='file' value='" . $file . "' />
            </form>
            <form name='passnumber'>
            Password: <input type='text' name='passnumber' value=''><br/>
            </form>
            </font>";
    }
} else if ($_POST['op'] == 'save') {
    $file = $_POST['file'];
    $content = stripslashes($_POST['content']);
    $send = $_POST['send'];
    $g = fopen("randomnumber", "r");
    $rand = str_replace("\n", "", fgets($g));
    // the poster's 9-digit prime was redacted as ######### in the original post
    $correct = (#########%$rand);
    if (preg_match("/[^0-9]/", $file) && $file != "1main.txt") {
        echo "<font size='2' color='#494949'>Sorry, Invalid File Name</font>";
    } else if ($correct == $send) {
        $f = fopen($file, "w");
        fwrite($f, $content);
        echo "<font size='2' color='#494949'>The file has been edited.</font>";
    } else {
        echo "<font size='2' color='#494949'>Sorry, Security Issue</font>";
    }
    // issue a fresh challenge for the next round
    $rand = rand(1001, 10001);
    $g = fopen("randomnumber", "w");
    $write = fwrite($g, $rand);
}
```



PostPosted: Sun Mar 13, 2005 7:10 pm 
DevNet Master

Joined: Mon Oct 25, 2004 9:29 pm
Posts: 3698
Location: New Jersey, US
Before I even took a look at the security method, a word of warning: with "home grown" security methods, they are almost always insecure. You should always use some sort of already reviewed method.

Second of all, as it stands (from my understanding) the password has to be a number. I'm sure quite a few people won't be appreciative of that.

Third, the use of JavaScript potentially locks anyone out who doesn't use javascript.


PostPosted: Sun Mar 13, 2005 7:31 pm 
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
knowing the random number and the temporary pass, plus the keyword prime, will generally give the exact pass needed. If some statistics are kept, the number can be zeroed in on fairly easily at any rate.

People have a hard enough time remembering their own phone number or social security number. Having them try to remember a 9 or more digit number is asking a bit much.


PostPosted: Mon Mar 14, 2005 5:06 am 
DevNet Master

Joined: Tue Nov 02, 2004 6:43 am
Posts: 2704
Location: Ireland
This sounds similar to a challenge/response authentication system. Is that what you were out to do?

In c/r, server and client both generate an ever-shifting hash that must be identical to authenticate the user. The hash is usually a concatenation of user:passwd(hashed):challenge(sent by server).

Hashing from the client is provided by JavaScript. The challenge is random, and expires pretty quickly.

End result is that a shifting hash is sent over the wire - no in-the-clear password.


PostPosted: Sat Mar 26, 2005 7:07 pm 
Forum Newbie

Joined: Sun Mar 06, 2005 2:09 pm
Posts: 12
Yes, that is basically what I wanted to do. The server sends a number to be modified, the user uses his or her passnumber to modify it, and sends the result back. No clear password sent through the internet. Since this post, I have implemented a larger prime (still 9 digits but about 4 times bigger) and then I converted it to base 36 (all digits and letters) so the user only has to type about 5 letters and numbers. The computer does the rest. As for JavaScript, doesn't pretty much everyone have and use it? What other options do I have for client-side computations? And it is true that eventually, with enough pairs of random numbers and sent (modified) numbers, the list of reasonably sized passnumbers could be lowered enough to test, but I don't know how many pairs it would take, or how much computing time. I tried some simple experiments in Excel, which was useless; Excel couldn't handle the lists I passed it from a Perl script. Any way you guys know to test this without writing a Perl script to do the whole thing?


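The question at the end of this post, and the earlier reply that the pairs "will generally give the exact pass", can be answered without Excel: each observed pair (rand#, passNumber mod rand#) is a congruence, and the Chinese remainder theorem combines them, so the candidate list collapses as soon as the lcm of the observed rand# values exceeds the 9-digit range. Below is an added Node.js example (not the poster's code) that runs this analysis on constructed values: the pass number, challenges and bound are made up for the example.

```javascript
// Constructed values, not the poster's: a 9-digit prime and the 10^9 range it lives in.
const PASS = 999999937n;
const BOUND = 1000000000n;

// Extended Euclid: returns [g, s, t] with s*a + t*b = g = gcd(a, b).
function egcd(a, b) {
  let [r0, r1] = [a, b], [s0, s1] = [1n, 0n], [t0, t1] = [0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
    [t0, t1] = [t1, t0 - q * t1];
  }
  return [r0, s0, t0];
}
const mod = (a, m) => ((a % m) + m) % m;

// What an observer on the wire sees: the server's rand# and the client's reply.
function observe(pass, challenges) {
  return challenges.map(r => [r, pass % r]);
}

// Chinese remainder theorem over the observed pairs (moduli need not be coprime).
// Returns { candidate, modulus }: every pass number consistent with the pairs
// is ≡ candidate (mod modulus), so the candidates are spaced `modulus` apart.
function combinePairs(pairs) {
  let x = 0n, M = 1n;
  for (const [r, c] of pairs) {
    const [g, s] = egcd(M, r);                 // s*(M/g) ≡ 1 (mod r/g)
    const diff = c - x;
    if (mod(diff, g) !== 0n) throw new Error(`pair (${r}, ${c}) contradicts earlier pairs`);
    const rg = r / g;
    const k = mod((diff / g) * s, rg);         // choose k so that x + M*k ≡ c (mod r)
    x = mod(x + M * k, M * rg);
    M *= rg;                                   // M becomes lcm(M, r)
  }
  return { candidate: x, modulus: M };
}

// Smallest number of leading pairs after which only one candidate below `bound` is left,
// or null if the pairs given are not enough.
function pairsNeeded(pairs, bound) {
  for (let n = 1; n <= pairs.length; n++) {
    if (combinePairs(pairs.slice(0, n)).modulus >= bound) return n;
  }
  return null;
}
```

With challenges drawn from 1001..10001, three distinct ones already have an lcm above 10^9, which is why the scheme leaks the pass number after a handful of logins; a keyed hash of a fresh challenge, as the reply above describes, does not have this property.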