Hide, best as I can, an encryption password from code viewers

Posted on 2004-10-11
Last Modified: 2006-11-17
I realize that I will eventually need Zend to be able to do this, but I know there are ways to hide it "good enough" for a foreseeable future.

What I have is a system set up to be able to use one website's (HOME) user system across many different websites (AWAY) by basically a 4-step process...

1. Ask HOME for the login auth described in step 3
2. HOME checks if the user is logged in at HOME, if not asks user to type login details and login
3. Sends username, userid, and time of logging in to the originating website with a hash of those entries with the special encrypting password to be sure that the login is valid and legal from HOME.
4. AWAY stores all of that in a cookie to stay logged in.

function makeit($timecheck) {
        // the two secret fragments that live in the source and that I want to hide from code viewers
        $nerderg = "firstportionofpassforhash";
        $nerdarga = "secondportionofpassforhash";
        return md5($this->user.$nerderg.$timecheck.$nerdarga.$this->username);
}

That is the function that creates the hash for sending in step 3.

What I need is to be able to prevent people from finding "$nerderg" and "$nerdarga" in my PHP code when they view it. The people who I will be sending this source to are, on a 1-10 level of trust (10 being the best), a 6.

I was thinking about masking base64_decode() with another name and adding my own little encryption/decryption scheme to make it that extra step harder, then moving it all around in a bunch of drawn-out steps across the code.

Not very practical, so I was wondering what any of you think would be the best alternative to my option and Zend / another paid encryptor.

I would give this 500 points but I'm new here :/
Question by:ThePCNerd

Expert Comment

ID: 12282815
I don't understand how they will be able to see the password? First they have to know the password; it won't be on the site???

Then they can't see the encryption because it won't be in the code, it will be in sessions.. (I would use sessions, not cookies!!)

Really need more info?? Don't understand what you're trying to do? Are you using a database to store passwords?

Author Comment

ID: 12283334
Hmm, everyone becomes confused on this. I am not talking about users/clients, period. I am talking about me copying my code, putting it on the server of another person I barely know, and them going into FTP, downloading the file and looking at the password used within the encryption to thus make their own fake key to log in as anybody at any of the websites using my technology.

Expert Comment

ID: 12284470
Well, you could store the passwords at a trusted server (in e.g. a database) and upon login authenticate clients against that, rather than locally.

However, if you store files at an untrusted location, nobody prevents the untrusted people from simply modifying your PHP page to bypass the authentication itself, right?

Even major software publishers, like Microsoft, who do distribute their closed-source and key-coded software, get ripped off by serial number generators and suchlike. So there is no 100% cure, even compiling your software.

Except, perhaps, you can store not only authentication but some key parts of your application at a trusted site, so that some processing is done at your place, and even if people copy your software, they can't do anything without having a proper auth with you.

You should look for the possibility of making breaking the authentication not worth it. I.e. the cost/time of breaking it should exceed the product price.

Author Comment

ID: 12288732
Well, each website has its own auth verification, so the corrupted website owner could only fake a login on his site if he were to go around it.

What I need is to hide the password used in the hash of data so that whoever gets my code can't fake a cookie for any of the domains that use the login system.

Expert Comment

ID: 12290874
The main question is whether anyone who gets the code, can change it for the running website.

If not, then why shouldn't something as simple as this work:

make an additional MD5 hash, and write the resulting hash in the PHP code;

$pass_hash = "nuiasdhu1273y23bki"; // the resulting hash, not the password, is shown here.

if ( md5($user_sent_password) == $pass_hash) {
   // good user
}

Author Comment

ID: 12291899
This is not a user password.

OK, you all understand how a file hash works: it makes sure that the data you have is the data that is real.

Well, I have that for all remote logins. That way all the remote sites don't have to ask for the user database or ask the main site to check the login; I simply store 3 cookies at the remote site (user, username, and passhash).

The passhash ensures nobody changes the userid to another person, so they can't fake the login.

And so that creating their own new hash is more difficult, I add two password phrases within the hash, which I then later confirm at the remote website whenever a function needs to know if the user is logged in.

If you read my first post, you should have understood this and that I wasn't talking about a user password. Please don't post unless you've read it all; you degrade the community that way.
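The HOME-to-AWAY handoff the asker lays out in the question (steps 1-4 and the makeit() function) and restates in comment 12291899, written out as an added example; this is not the asker's code and not any expert's suggestion. In place of md5() over a plain concatenation it uses an HMAC-SHA256 over length-prefixed fields, and the secret the asker wants to keep out of the PHP source is read from an assumed SSO_SECRET environment variable (set in the web server or CLI environment, outside the code that gets copied). The fallback secret, the 15-minute lifetime, the sample user, and the PHP 7.1+ syntax are all assumptions of this example.

```php
<?php
// Added example, not code from the original thread.
declare(strict_types=1);

// Seconds a login token stays valid (assumed value).
const TOKEN_LIFETIME = 900;

// The shared secret lives outside the source tree. The constructed
// fallback exists only so the example runs stand-alone.
function sso_secret(): string {
    $s = getenv('SSO_SECRET');
    return ($s !== false && $s !== '') ? $s : 'constructed-example-secret-do-not-use';
}

// Length-prefix each field so "ab"+"c" and "a"+"bc" cannot produce the same input.
function encode_fields(array $fields): string {
    $out = '';
    foreach ($fields as $f) {
        $out .= strlen($f) . ':' . $f . ';';
    }
    return $out;
}

// HOME side (step 3): user id, username and login time, authenticated by a keyed hash.
function make_token(int $userId, string $username, int $issuedAt, string $secret): string {
    $msg = encode_fields([(string)$userId, $username, (string)$issuedAt]);
    $mac = hash_hmac('sha256', $msg, $secret);
    // base64 keeps a username containing '|' from breaking the field separator.
    return implode('|', [(string)$userId, base64_encode($username), (string)$issuedAt, $mac]);
}

// AWAY side (step 4): check the cookie value. Returns the user fields on
// success, or null when the MAC does not match or the token has expired.
function verify_token(string $token, string $secret, int $now): ?array {
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $b64name, $issuedAt, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($issuedAt)) {
        return null;
    }
    $username = base64_decode($b64name, true);
    if ($username === false) {
        return null;
    }
    $expected = hash_hmac('sha256', encode_fields([$userId, $username, $issuedAt]), $secret);
    // Constant-time comparison so the MAC cannot be guessed one byte at a time.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $age = $now - (int)$issuedAt;
    if ($age < 0 || $age > TOKEN_LIFETIME) {
        return null;
    }
    return ['user' => (int)$userId, 'username' => $username, 'issued' => (int)$issuedAt];
}

// Demonstration with constructed values.
$secret = sso_secret();
$now = time();
$token = make_token(42, 'alice', $now, $secret);
echo "fresh token accepted:      ", verify_token($token, $secret, $now) !== null ? "yes" : "no", "\n";

// Editing the user id in the cookie without the secret leaves the MAC stale.
$edited = preg_replace('/^42\|/', '7|', $token, 1);
echo "edited user id accepted:   ", verify_token($edited, $secret, $now) !== null ? "yes" : "no", "\n";

// A token past TOKEN_LIFETIME is refused even though its MAC is intact.
echo "expired token accepted:    ", verify_token($token, $secret, $now + TOKEN_LIFETIME + 1) !== null ? "yes" : "no", "\n";
```

The point relative to the thread: the secret is what makes the cookie forgeable, so the protection is to keep it out of the file that gets handed to the AWAY site's owner (environment or a config file the web server can read but that is not part of the distributed source), not to disguise it inside that file. The expiry window limits how long a captured cookie stays useful, which the asker's time field is already positioned to provide.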

Author Comment

ID: 12311614
Instead of trying to give my clients the source code, I decided to use an include().

The code is executed locally in a remote include so my source can never be leaked.

The only down side is that your website might go down and that means all websites using your program will too.

Accepted Solution

ee_ai_construct earned 0 total points
ID: 12340963
Question answered by asker or dialog valuable.
Closed, 130 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
