ThePCNerd

asked on

Hide, best as I can, an encryption password from code viewers

I realize that I will eventually need Zend to be able to do this, but I know there are ways to hide it "good enough" for the foreseeable future.

What I have is a system set up to be able to use one website's (HOME) user system across many different websites (AWAY) by basically a 4-step process...

1. Ask HOME for the login auth described in step 3.
2. HOME checks if the user is logged in at HOME; if not, it asks the user to type their login details and log in.
3. HOME sends the username, user id, and time of logging in to the originating website, with a hash of those entries and the special encrypting password, to be sure that the login is valid and legal from HOME.
4. AWAY stores all of that in a cookie to stay logged in.

// Method of the login class; $this->user (id) and $this->username are set elsewhere.
function makeit($timecheck) {
    $nerderg  = "firstportionofpassforhash";   // first half of the shared secret
    $nerdarga = "secondportionofpassforhash";  // second half of the shared secret
    // Hash the user id, login time and username together with both secret parts.
    return md5($this->user . $nerderg . $timecheck . $nerdarga . $this->username);
}

That is the function that creates the hash for sending in step 3.

What I need is to be able to prevent people from finding "$nerderg" and "$nerdarga" in my PHP code when they view it. The people I will be sending this source to rate, on a 1-10 level of trust (10 being the best), a 6.

I was thinking about masking base64_decode() with another name and adding my own little encryption/decryption scheme to make it that extra step harder, then moving it all around in a bunch of drawn-out steps across the code.

Not very practical, so I was wondering what any of you think would be the best alternative to my option and Zend / another paid encoder.

I would give this 500 points but I'm new here :/
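The four-step exchange above, as an added example that is not part of the original thread and not ThePCNerd's code. It is written in Python rather than the thread's PHP so that it runs stand-alone; the site names, key bytes, login time and one-hour cookie lifetime are all constructed for the example. In place of the md5() concatenation it uses HMAC-SHA256 over a canonically encoded payload, with a separate key per AWAY site, and the demo() function shows the point the thread keeps circling: whoever holds the key that an AWAY site verifies with can mint a cookie for any user on that site, regardless of how the key is disguised in the source, while a per-site key at least stops that key from working on the other domains.

```python
# Added example, not code from the original thread: a HOME -> AWAY login token
# built with HMAC-SHA256 and a per-site key, plus the forgery the thread worries about.
import base64
import hashlib
import hmac
import json

# Constructed per-AWAY-site keys. Hypothetical values: in a real deployment HOME
# generates a random 32-byte key per site (e.g. os.urandom(32)) and hands each
# site only its own key.
SITE_KEYS = {
    "away1.example": bytes.fromhex("00" * 31 + "01"),
    "away2.example": bytes.fromhex("00" * 31 + "02"),
}
MAX_AGE_SECONDS = 3600  # step 4 cookie lifetime, chosen for this example


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(site_key: bytes, user_id: int, username: str, issued_at: int) -> str:
    """HOME side (step 3): sign user id, username and login time for one AWAY site."""
    # Canonical JSON gives unambiguous field boundaries, unlike plain
    # concatenation, where two different field splits can produce the same bytes.
    payload = {"user": user_id, "username": username, "time": issued_at}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(site_key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_token(site_key: bytes, token: str, now: int):
    """AWAY side (step 4 onwards): check the cookie; return the payload or None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(site_key, body, hashlib.sha256).digest()
    # Constant-time comparison; a plain == leaks where the first mismatching byte is.
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    # Step 2 logged the user in at a point in time; refuse old or future-dated cookies.
    if not 0 <= now - payload["time"] <= MAX_AGE_SECONDS:
        return None
    return payload


def demo() -> dict:
    """A legitimate cookie, a tampered one, an expired one, and the forgery an AWAY
    operator can perform with the key that sits in the code they host."""
    k1, k2 = SITE_KEYS["away1.example"], SITE_KEYS["away2.example"]
    t0 = 1_700_000_000  # constructed login time
    good = issue_token(k1, 42, "alice", t0)
    # AWAY1 edits the user id inside the cookie without re-signing it.
    tampered_body = _b64e(json.dumps({"time": t0, "user": 1, "username": "alice"},
                                     separators=(",", ":")).encode("utf-8"))
    tampered = tampered_body + "." + good.split(".", 1)[1]
    # The AWAY1 operator holds k1, so they can mint a cookie for any user on AWAY1...
    forged_on_away1 = issue_token(k1, 1, "admin", t0)
    return {
        "valid_on_away1": verify_token(k1, good, t0 + 60) is not None,
        "tampered_rejected": verify_token(k1, tampered, t0 + 60) is None,
        "expired_rejected": verify_token(k1, good, t0 + MAX_AGE_SECONDS + 1) is None,
        "forged_accepted_on_away1": verify_token(k1, forged_on_away1, t0 + 60) is not None,
        # ...but k1 is useless against AWAY2, which only trusts k2.
        "forged_rejected_on_away2": verify_token(k2, forged_on_away1, t0 + 60) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it as a script to print the five checks. What the per-site key does not fix is the fourth check: the operator of an AWAY site still holds a key that forges cookies for their own site, and that is inherent to any design where AWAY verifies with the same value HOME signs with. Removing it means AWAY must hold nothing that can sign (my recommendation, not something the thread proposes: a public-key signature, with HOME keeping the private key and AWAY holding only the public one) or must ask HOME at check time, which is the direction the later replies in this thread take.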
Techno_Icon

I don't understand how they will be able to see the password? First they have to know the password; it won't be on the site???

Then, if they can't see the encryption because it won't be in the code, it will be in sessions... (I would use sessions, not cookies!!)

Really need more info?? I don't understand what you're trying to do? Are you using a database to store passwords?
ThePCNerd

ASKER

Hmm, everyone becomes confused on this. I am not talking about users/clients, period. I am talking about me copying my code, putting it on the server of another person I barely know, and them going into FTP, downloading the file and looking at the password used within the encryption, to thus make their own fake key to log in as anybody at any of the websites using my technology.
Well, you could store the passwords at a trusted server (e.g. in a database) and upon login authenticate clients against that, rather than locally.

However, if you store files at an untrusted location, nobody prevents the untrusted people from simply modifying your PHP page to bypass the authentication itself, right?

Even major software publishers, like Microsoft, who do distribute their closed-source and key-coded software, get ripped off by serial number generators and suchlike. So there is no 100% cure, not even compiling your software.

Except, perhaps, you can store not only authentication but some key parts of your application at a trusted site, so that some processing is done at your place, and even if people copy your software, they can't do anything without a proper auth with you.

You should look at making breaking the authentication not worth it, i.e. the cost/time of breaking it should exceed the product price.
Well, each website has its own auth verification, so the corrupted website owner could only fake a login on his site if he were to go around it.

What I need is to hide the password used in the hash of the data, so that whoever gets my code can't fake a cookie for any of the domains that use the login system.
The main question is whether anyone who gets the code, can change it for the running website.

If not, then why shouldn't something as simple as this work:

make an additional MD5 hash, and write the resulting hash in the PHP code;


$pass_hash = "nuiasdhu1273y23bki"; // the resulting hash, not the password, is what appears in the code

// Hash what the user sent and compare it with the stored hash.
// Strict comparison (===) avoids PHP's loose string-to-number juggling.
if (md5($user_sent_password) === $pass_hash)
{
   // good user
}
This is not a user password.

OK, you all understand how a file hash works: it makes sure that the data you have is the data that is real.

Well, I have that for all remote logins; that way all the remote sites don't have to ask for the user database or ask the main site to check the login. I simply store 3 cookies at the remote site (user, username, and passhash).

The passhash ensures nobody changes the user id to another person, so they can't fake the login.

And so that creating their own new hash is more difficult, I add two password phrases within the hash, which I then later confirm at the remote website whenever a function needs to know if the user is logged in.


If you read my first post, you should have understood this, and that I wasn't talking about a user password. Please don't post unless you've read it all; you degrade the community that way.
Instead of giving my clients the source code, I decided to use an include().

The code is executed locally in a remote include, so my source can never be leaked.

The only downside is that your website might go down, and that means all websites using your program will too.
ASKER CERTIFIED SOLUTION
ee_ai_construct