Solved

Using PKCS (private-public key) encryption with PHP and Javascript.

Posted on 2004-08-26
9
909 Views
Last Modified: 2012-06-27
Hi All,

I've read around a fair bit of security pages.
On PHP i found this function:
http://www.php.net/manual/en/function.openssl-pkcs7-encrypt.php
and on Javascript (not related becase its not pks):
http://www.fourmilab.ch/javascrypt/

Is there a way to encrypt a password sent from a browser using a public key (not signed, just generated) with Javascript and then dechipher the password using a private key on the server with PHP?

That would save a lot of hassles for someone trying to sniff a connection...
Any one know anything even related?
0
Comment
Question by:kalmen
  • 6
  • 2
9 Comments
 
LVL 32

Accepted Solution

by:
ldbkutty earned 400 total points
ID: 11902459
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903079
To be honest, that was exactly what I was looking for. If no one else posts anything more intereting, I'll give you all the credit.

Thanks mate.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903106
Would you know anything does does with private key public key encryption? in the same fashion as the above document?
0
Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11903121
> That would save a lot of hassles for someone trying to sniff a connection...

You're already protected against this if you just use SSL, so why not just use that? Attempting to reconstruct SSL via Javascript and PHP may be laudable, but it's making a lot of work for yourself. The only downside I can see that remains is that it doesn't obfuscate URLs, but I suspect that a clever proxy server would be a better route, something like anonymizer.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903280
You're right.
It's really for the simple fact that I can't use SSL with the setup I have, actually, its impossible.
I am currently encrypting my passwords using SHA1 or MD5 on the browser and sending it that way.
http://pajhome.org.uk/crypt/md5/index.html
The only advantage is no one can know your password if sniffing, but they can still get in without knowing. I know a bank that asks questions like, "what's the second letter in your firstname with the third letter of your email address, etc. and these keep changing, but it won't be that convinient for a general login screen i guess.
Or something like a two stage login, first the normal, and then the validation question...etc... like the above.

If there was only a playaround that would prevent a sniffer for getting a user account... My problem is, everything I think of, I can break...

If there was a way to encrypt a password with a public key in Javascript (I know its nearly impossible) and decrypt it with PHP and a private key, that would be awesome.

One final thing that came to my mind, is a image generator that generates a random text but in an image which can't be seen by sniffing), so the user would have to enter it with the password... or it could be used as a key for the above encryption. that way, the sniffer would never be able to replicate a login.


0
 
LVL 1

Author Comment

by:kalmen
ID: 11903296
And by the way, the text would be generated everytime the login page loads and stored in a session variable when when a login is submitted, the key in the session would be used.

0
 
LVL 25

Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 100 total points
ID: 11903951
How about authenticating via a separate server that does have SSL? Then pass a secure session token between the two servers - that way the token would never have to be transferred in the clear to or from the client. The only hassle here is that you'd need to set a secure cookie from a domain other than the target one, which many browsers would block.

The bank thing you mentioned is deliberately designed to thwart replay attacks. It's really an alternative way of presenting a challenge/response authentication scheme.

I don't think you should really take the security too seriously if you can't do SSL - if it was really that big a problem, then SSL would not be!
0
 
LVL 1

Author Comment

by:kalmen
ID: 11905150
Yeah, I see your point. It wouldn't really be worth it. Besides, if we were talking Java, things would have been a lot different, but php and javascript is the only mean.

Thanks for the insight...
I appreciate all your thoughts.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11962910
This is very interesting. I thought I might quote it:
http://www.shopable.co.uk/des.html
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question