• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 922
  • Last Modified:

Using PKCS (private-public key) encryption with PHP and Javascript.

Hi All,

I've read around a fair bit of security pages.
On PHP i found this function:
http://www.php.net/manual/en/function.openssl-pkcs7-encrypt.php
and on Javascript (not related becase its not pks):
http://www.fourmilab.ch/javascrypt/

Is there a way to encrypt a password sent from a browser using a public key (not signed, just generated) with Javascript and then dechipher the password using a private key on the server with PHP?

That would save a lot of hassles for someone trying to sniff a connection...
Any one know anything even related?
0
kalmen
Asked:
kalmen
  • 6
  • 2
2 Solutions
 
kalmenAuthor Commented:
To be honest, that was exactly what I was looking for. If no one else posts anything more intereting, I'll give you all the credit.

Thanks mate.
0
 
kalmenAuthor Commented:
Would you know anything does does with private key public key encryption? in the same fashion as the above document?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
Marcus BointonCommented:
> That would save a lot of hassles for someone trying to sniff a connection...

You're already protected against this if you just use SSL, so why not just use that? Attempting to reconstruct SSL via Javascript and PHP may be laudable, but it's making a lot of work for yourself. The only downside I can see that remains is that it doesn't obfuscate URLs, but I suspect that a clever proxy server would be a better route, something like anonymizer.
0
 
kalmenAuthor Commented:
You're right.
It's really for the simple fact that I can't use SSL with the setup I have, actually, its impossible.
I am currently encrypting my passwords using SHA1 or MD5 on the browser and sending it that way.
http://pajhome.org.uk/crypt/md5/index.html
The only advantage is no one can know your password if sniffing, but they can still get in without knowing. I know a bank that asks questions like, "what's the second letter in your firstname with the third letter of your email address, etc. and these keep changing, but it won't be that convinient for a general login screen i guess.
Or something like a two stage login, first the normal, and then the validation question...etc... like the above.

If there was only a playaround that would prevent a sniffer for getting a user account... My problem is, everything I think of, I can break...

If there was a way to encrypt a password with a public key in Javascript (I know its nearly impossible) and decrypt it with PHP and a private key, that would be awesome.

One final thing that came to my mind, is a image generator that generates a random text but in an image which can't be seen by sniffing), so the user would have to enter it with the password... or it could be used as a key for the above encryption. that way, the sniffer would never be able to replicate a login.


0
 
kalmenAuthor Commented:
And by the way, the text would be generated everytime the login page loads and stored in a session variable when when a login is submitted, the key in the session would be used.

0
 
Marcus BointonCommented:
How about authenticating via a separate server that does have SSL? Then pass a secure session token between the two servers - that way the token would never have to be transferred in the clear to or from the client. The only hassle here is that you'd need to set a secure cookie from a domain other than the target one, which many browsers would block.

The bank thing you mentioned is deliberately designed to thwart replay attacks. It's really an alternative way of presenting a challenge/response authentication scheme.

I don't think you should really take the security too seriously if you can't do SSL - if it was really that big a problem, then SSL would not be!
0
 
kalmenAuthor Commented:
Yeah, I see your point. It wouldn't really be worth it. Besides, if we were talking Java, things would have been a lot different, but php and javascript is the only mean.

Thanks for the insight...
I appreciate all your thoughts.
0
 
kalmenAuthor Commented:
This is very interesting. I thought I might quote it:
http://www.shopable.co.uk/des.html
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now