encryption with PHP and JS



TurboMC
Forum Newbie
Posts: 1
Joined: Tue Sep 24, 2002 11:39 am
Location: Vilnius


Post by TurboMC »

In a MySQL database I keep passwords in encrypted form (md5()).

Is there any possibility to encrypt a string with md5() before posting?

I don't want to send unencrypted password. Maybe JS would help me with this...

Thanks in advance
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

md5 is not an encryption.
Sending an md5-hashed key and using it as the password is not safer than sending a plain-text key and using that as the password.
Both are simple strings and valid as a password if sniffed.

You may send a variable string to the client (the session-id will do). There the password is concatenated to it and the whole string is md5-hashed. This hash is transmitted back to the server, which compares the same string hashed against the transmitted one.

But for that it is necessary to keep the user's password in a reversible form. You have to choose between host security (md5-hashed passwords stored in the DB) and client/net-side security.

The next step would be public-key encryption, but this you had better leave to other mechanisms encapsulating the HTTP connection ;)

md5 in JavaScript is available at http://pajhome.org.uk/crypt/md5/.
There are also links to scripts providing the described login system.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Dummy line to stop first character truncation of the quoted text....
volka wrote:
You have to choose between host-security (md5-hashed passwords stored in db) or client/net-side security.

The next step would be a public-key-encryption but this you better leave to other mechanisms encapsulating the http-connection ;)
You only have to choose between host and client/net if you aren't using SSL. I think that's what you allude to in the second quoted paragraph, but I just wanted to make it clear.

Single-side PKI (server certs only, as commonly seen in SSL) gives you client/net security while still letting you keep passwords in hashed, (non-reversible) form.
sweahe
Forum Commoner
Posts: 52
Joined: Sat May 04, 2002 4:07 am
Location: Växjö, Sweden

Post by sweahe »

I do it like this... I send a random md5 hash to the client login page, then I md5 the password with JavaScript on the client side, and then once more md5 the password hash concatenated with the random hash and send that to the server... then I look up the username in the DB; if the username is found it takes the password from the DB (which is stored as an md5 hash) and runs md5 on the hashed password and the same random hash as was sent to the client, then compares... if it matches... you're logged in!

For maximum security I also have a key hash cookie on the client side and the same key in a session var... and with every click the user does when logged in, the cookie and the session var change the key... so if someone spoofs the cookie, it would only be valid until the user clicks another link!

Add SSL to that and you have a pretty secure system... not 100%, it can never be, but definitely better than most!

I hope someone understood... =)
/Andreas
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I would say that if you have SSL, you shouldn't bother with the javascript/client-side encrypting. You already have a secure pipe to communicate through.
williery10
Forum Newbie
Posts: 15
Joined: Thu Feb 20, 2003 4:23 am

re secure sockets

Post by williery10 »

I'm pretty new to securing sites; can you recommend any good reading material on SSL? I know it is a secure pipeline between the client and server but don't know how to implement it, whether it is free or has to be purchased, or where to get it.
Cheers
Williery