[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Using PKCS (private-public key) encryption with PHP and Javascript.

Posted on 2004-08-26
9
Medium Priority
?
918 Views
Last Modified: 2012-06-27
Hi All,

I've read around a fair bit of security pages.
On PHP i found this function:
http://www.php.net/manual/en/function.openssl-pkcs7-encrypt.php
and on Javascript (not related becase its not pks):
http://www.fourmilab.ch/javascrypt/

Is there a way to encrypt a password sent from a browser using a public key (not signed, just generated) with Javascript and then dechipher the password using a private key on the server with PHP?

That would save a lot of hassles for someone trying to sniff a connection...
Any one know anything even related?
0
Comment
Question by:kalmen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
9 Comments
 
LVL 32

Accepted Solution

by:
ldbkutty earned 1600 total points
ID: 11902459
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903079
To be honest, that was exactly what I was looking for. If no one else posts anything more intereting, I'll give you all the credit.

Thanks mate.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903106
Would you know anything does does with private key public key encryption? in the same fashion as the above document?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11903121
> That would save a lot of hassles for someone trying to sniff a connection...

You're already protected against this if you just use SSL, so why not just use that? Attempting to reconstruct SSL via Javascript and PHP may be laudable, but it's making a lot of work for yourself. The only downside I can see that remains is that it doesn't obfuscate URLs, but I suspect that a clever proxy server would be a better route, something like anonymizer.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903280
You're right.
It's really for the simple fact that I can't use SSL with the setup I have, actually, its impossible.
I am currently encrypting my passwords using SHA1 or MD5 on the browser and sending it that way.
http://pajhome.org.uk/crypt/md5/index.html
The only advantage is no one can know your password if sniffing, but they can still get in without knowing. I know a bank that asks questions like, "what's the second letter in your firstname with the third letter of your email address, etc. and these keep changing, but it won't be that convinient for a general login screen i guess.
Or something like a two stage login, first the normal, and then the validation question...etc... like the above.

If there was only a playaround that would prevent a sniffer for getting a user account... My problem is, everything I think of, I can break...

If there was a way to encrypt a password with a public key in Javascript (I know its nearly impossible) and decrypt it with PHP and a private key, that would be awesome.

One final thing that came to my mind, is a image generator that generates a random text but in an image which can't be seen by sniffing), so the user would have to enter it with the password... or it could be used as a key for the above encryption. that way, the sniffer would never be able to replicate a login.


0
 
LVL 1

Author Comment

by:kalmen
ID: 11903296
And by the way, the text would be generated everytime the login page loads and stored in a session variable when when a login is submitted, the key in the session would be used.

0
 
LVL 25

Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 400 total points
ID: 11903951
How about authenticating via a separate server that does have SSL? Then pass a secure session token between the two servers - that way the token would never have to be transferred in the clear to or from the client. The only hassle here is that you'd need to set a secure cookie from a domain other than the target one, which many browsers would block.

The bank thing you mentioned is deliberately designed to thwart replay attacks. It's really an alternative way of presenting a challenge/response authentication scheme.

I don't think you should really take the security too seriously if you can't do SSL - if it was really that big a problem, then SSL would not be!
0
 
LVL 1

Author Comment

by:kalmen
ID: 11905150
Yeah, I see your point. It wouldn't really be worth it. Besides, if we were talking Java, things would have been a lot different, but php and javascript is the only mean.

Thanks for the insight...
I appreciate all your thoughts.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11962910
This is very interesting. I thought I might quote it:
http://www.shopable.co.uk/des.html
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question