In a MySQL database I keep passwords in encrypted form (md5()).
Is there any possibility to encrypt the string with md5() before posting?
I don't want to send unencrypted password. Maybe JS would help me with this...
Thanks in advance
encryption with PHP and JS
md5 is not encryption.
Sending an md5-hashed key and using it as the password is not safer than sending a plain-text key and using that as the password.
Both are simple strings and valid as passwords if sniffed.
You may send a variable string to the client (the session-id will do). There the password is concatenated to it and the whole string is md5-hashed. This hash is transmitted back to the server, which compares the same string hashed against the transmitted one.
But therefore it is necessary to keep the user's password in a reversible form. You have to choose between host-security (md5-hashed passwords stored in the db) or client/net-side security.
The next step would be public-key encryption, but this you had better leave to other mechanisms encapsulating the HTTP connection.
md5 as JavaScript is available at http://pajhome.org.uk/crypt/md5/.
There are also links to scripts providing the described login system.
volka wrote:
You have to choose between host-security (md5-hashed passwords stored in the db) or client/net-side security.
The next step would be public-key encryption, but this you had better leave to other mechanisms encapsulating the HTTP connection.
Single-side PKI (server certs only, as commonly seen in SSL) gives you client/net security while still letting you keep passwords in hashed (non-reversible) form.
You only have to choose between host and client/net if you aren't using SSL. I think that's what you allude to in the second quoted paragraph, but I just wanted to make it clear.
I do it like that... I send a random md5 hash to the client login page, then I md5 the password with JavaScript on the client side and then once more md5 the password hash concatenated with the random hash and send that to the server... then I look up the username in the DB; if the username is found it takes the password from the DB (which is stored as an md5 hash) and runs md5 on the hashed password and the same random hash as was sent to the client, then compares... if it matches... you're logged in!
For maximum security I also have a key hash cookie on the client side and the same key in a session var... and with every click the user does when logged in, the cookie and the session var change the key... so if someone spoofs the cookie, it would only be valid until the user clicks another link!
Add SSL to that and you have a pretty secure system... not 100%, it can never be, but definitely better than most!
I hope someone understood... =)
/Andreas
williery10
Re: secure sockets
I'm pretty new to securing sites; can you recommend any good reading material on SSL? I know it is a secure pipeline between the client and server but don't know how to implement it, whether it is free or has to be purchased, or where to get it.
Cheers
Williery