Solved

Using PKCS (private-public key) encryption with PHP and Javascript.

Posted on 2004-08-26
9
912 Views
Last Modified: 2012-06-27
Hi All,

I've read around a fair bit of security pages.
On PHP i found this function:
http://www.php.net/manual/en/function.openssl-pkcs7-encrypt.php
and on Javascript (not related becase its not pks):
http://www.fourmilab.ch/javascrypt/

Is there a way to encrypt a password sent from a browser using a public key (not signed, just generated) with Javascript and then dechipher the password using a private key on the server with PHP?

That would save a lot of hassles for someone trying to sniff a connection...
Any one know anything even related?
0
Comment
Question by:kalmen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
9 Comments
 
LVL 32

Accepted Solution

by:
ldbkutty earned 400 total points
ID: 11902459
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903079
To be honest, that was exactly what I was looking for. If no one else posts anything more intereting, I'll give you all the credit.

Thanks mate.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903106
Would you know anything does does with private key public key encryption? in the same fashion as the above document?
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11903121
> That would save a lot of hassles for someone trying to sniff a connection...

You're already protected against this if you just use SSL, so why not just use that? Attempting to reconstruct SSL via Javascript and PHP may be laudable, but it's making a lot of work for yourself. The only downside I can see that remains is that it doesn't obfuscate URLs, but I suspect that a clever proxy server would be a better route, something like anonymizer.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903280
You're right.
It's really for the simple fact that I can't use SSL with the setup I have, actually, its impossible.
I am currently encrypting my passwords using SHA1 or MD5 on the browser and sending it that way.
http://pajhome.org.uk/crypt/md5/index.html
The only advantage is no one can know your password if sniffing, but they can still get in without knowing. I know a bank that asks questions like, "what's the second letter in your firstname with the third letter of your email address, etc. and these keep changing, but it won't be that convinient for a general login screen i guess.
Or something like a two stage login, first the normal, and then the validation question...etc... like the above.

If there was only a playaround that would prevent a sniffer for getting a user account... My problem is, everything I think of, I can break...

If there was a way to encrypt a password with a public key in Javascript (I know its nearly impossible) and decrypt it with PHP and a private key, that would be awesome.

One final thing that came to my mind, is a image generator that generates a random text but in an image which can't be seen by sniffing), so the user would have to enter it with the password... or it could be used as a key for the above encryption. that way, the sniffer would never be able to replicate a login.


0
 
LVL 1

Author Comment

by:kalmen
ID: 11903296
And by the way, the text would be generated everytime the login page loads and stored in a session variable when when a login is submitted, the key in the session would be used.

0
 
LVL 25

Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 100 total points
ID: 11903951
How about authenticating via a separate server that does have SSL? Then pass a secure session token between the two servers - that way the token would never have to be transferred in the clear to or from the client. The only hassle here is that you'd need to set a secure cookie from a domain other than the target one, which many browsers would block.

The bank thing you mentioned is deliberately designed to thwart replay attacks. It's really an alternative way of presenting a challenge/response authentication scheme.

I don't think you should really take the security too seriously if you can't do SSL - if it was really that big a problem, then SSL would not be!
0
 
LVL 1

Author Comment

by:kalmen
ID: 11905150
Yeah, I see your point. It wouldn't really be worth it. Besides, if we were talking Java, things would have been a lot different, but php and javascript is the only mean.

Thanks for the insight...
I appreciate all your thoughts.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11962910
This is very interesting. I thought I might quote it:
http://www.shopable.co.uk/des.html
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question