Solved

Using PKCS (private-public key) encryption with PHP and Javascript.

Posted on 2004-08-26
9
910 Views
Last Modified: 2012-06-27
Hi All,

I've read around a fair bit of security pages.
On PHP I found this function:
http://www.php.net/manual/en/function.openssl-pkcs7-encrypt.php
and on Javascript (not related because it's not pks):
http://www.fourmilab.ch/javascrypt/

Is there a way to encrypt a password sent from a browser using a public key (not signed, just generated) with Javascript and then decipher the password using a private key on the server with PHP?

That would save a lot of hassles for someone trying to sniff a connection...
Anyone know anything even related?
Question by:kalmen

9 Comments
LVL 32

Accepted Solution

by:
ldbkutty earned 400 total points
ID: 11902459
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903079
To be honest, that was exactly what I was looking for. If no one else posts anything more interesting, I'll give you all the credit.

Thanks mate.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903106
Would you know anything that deals with private key / public key encryption, in the same fashion as the above document?
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11903121
> That would save a lot of hassles for someone trying to sniff a connection...

You're already protected against this if you just use SSL, so why not just use that? Attempting to reconstruct SSL via Javascript and PHP may be laudable, but it's making a lot of work for yourself. The only downside I can see that remains is that it doesn't obfuscate URLs, but I suspect that a clever proxy server would be a better route, something like anonymizer.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11903280
You're right.
It's really for the simple fact that I can't use SSL with the setup I have, actually, it's impossible.
I am currently encrypting my passwords using SHA1 or MD5 on the browser and sending it that way.
http://pajhome.org.uk/crypt/md5/index.html
The only advantage is no one can know your password if sniffing, but they can still get in without knowing. I know a bank that asks questions like, "what's the second letter in your first name with the third letter of your email address", etc. and these keep changing, but it won't be that convenient for a general login screen I guess.
Or something like a two stage login, first the normal, and then the validation question...etc... like the above.

If there was only a playaround that would prevent a sniffer from getting a user account... My problem is, everything I think of, I can break...

If there was a way to encrypt a password with a public key in Javascript (I know it's nearly impossible) and decrypt it with PHP and a private key, that would be awesome.

One final thing that came to my mind, is an image generator that generates a random text but in an image (which can't be seen by sniffing), so the user would have to enter it with the password... or it could be used as a key for the above encryption. That way, the sniffer would never be able to replicate a login.


0
 
LVL 1

Author Comment

by:kalmen
ID: 11903296
And by the way, the text would be generated every time the login page loads and stored in a session variable, and when a login is submitted, the key in the session would be used.

0
 
LVL 25

Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 100 total points
ID: 11903951
How about authenticating via a separate server that does have SSL? Then pass a secure session token between the two servers - that way the token would never have to be transferred in the clear to or from the client. The only hassle here is that you'd need to set a secure cookie from a domain other than the target one, which many browsers would block.

The bank thing you mentioned is deliberately designed to thwart replay attacks. It's really an alternative way of presenting a challenge/response authentication scheme.

I don't think you should really take the security too seriously if you can't do SSL - if it was really that big a problem, then SSL would not be!
0
 
LVL 1

Author Comment

by:kalmen
ID: 11905150
Yeah, I see your point. It wouldn't really be worth it. Besides, if we were talking Java, things would have been a lot different, but PHP and JavaScript are the only means.

Thanks for the insight...
I appreciate all your thoughts.
0
 
LVL 1

Author Comment

by:kalmen
ID: 11962910
This is very interesting. I thought I might quote it:
http://www.shopable.co.uk/des.html
0
