Solved

Hide, best as I can, an encryption password from code viewers

Posted on 2004-10-11
9
259 Views
Last Modified: 2006-11-17
I realize that I will eventually need Zend to be able to do this, but I know there are ways to hide it "good enough" for the foreseeable future.

What I have is a system set up to be able to use one website's (HOME) user system across many different websites (AWAY) by basically a 4-step process...

1. Ask HOME for the login auth described in step 3
2. HOME checks if the user is logged in at HOME, if not asks user to type login details and login
3. Sends username, userid, and time of logging in to the originating website with a hash of those entries with the special encrypting password to be sure that the login is valid and legal from HOME.
4. AWAY stores all of that in a cookie to stay logged in.

class HomeLogin {
        public $user, $username; // user id and username sent to AWAY in step 3
        // Builds the step 3 hash; the two secret phrases are the values the asker wants to keep out of view.
        function makeit($timecheck) {
                $nerderg = "firstportionofpassforhash";
                $nerdarga = "secondportionofpassforhash";
                return md5($this->user.$nerderg.$timecheck.$nerdarga.$this->username);
        }
}

That is the function that creates the hash for sending in step 3.

What I need is to be able to prevent people from finding "$nerderg" and "$nerdarga" in my PHP code when they view it. The people I will be sending this source to are, on a 1-10 level of trust, 10 being the best: 6.

I was thinking about masking base64_decode() with another name and adding my own little encryption/decryption scheme to make it that extra step harder. Then moving it all around in a bunch of drawn-out steps across the code.

Not very practical so I was wondering what any of you think would be the best alternative to my option and zend / another pay encryptor.

I would give this 500 points but I'm new here :/
Question by:ThePCNerd
9 Comments

Expert Comment

by:Techno_Icon
I don't understand how they will be able to see the password? First they have to know the password; it won't be on the site???

Then, if they can't see the encryption because it won't be in the code, it will be in sessions.. (I would use sessions, not cookies!!)

Really need more info?? Don't understand what you're trying to do? Are you using a database to store passwords?
LVL 2

Author Comment

by:ThePCNerd
Hmm, everyone becomes confused on this. I am not talking about users/clients, period. I am talking about me copying my code, putting it on the server of another person I barely know, and them going in via FTP, downloading the file and looking at the password used within the encryption to thus make their own fake key to log in as anybody at any of the websites using my technology.
LVL 3

Expert Comment

by:gnudiff
Well, you could store the passwords at a trusted server (e.g. in a database) and upon login authenticate clients against that, rather than locally.

However, if you store files at an untrusted location, nobody prevents the untrusted people from simply modifying your PHP page to bypass the authentication itself, right?

Even major software publishers, like Microsoft, who do distribute their closed-source and key-coded software, get ripped off by serial number generators and suchlike. So, there is no 100% cure, even compiling your software.

Except, perhaps, you can store not only authentication, but some key parts of your application at a trusted site - so that some processing is done at your place, and even if people copy your software, they can't do anything without having a proper auth with you.

You should look at the possibility of making breaking the authentication not worth it, i.e. the cost/time of breaking it should exceed the product price.
LVL 2

Author Comment

by:ThePCNerd
Well, each website has its own auth verification, so the corrupt website owner could only fake a login on his site if he were to go around it.

What I need is to hide the password used in the hash of data so that whoever gets my code can't fake a cookie for any of the domains that use the login system.
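The step 3 hash and the cookie check at AWAY, as an added example in Python (not the asker's PHP and not code from the thread). It goes one step beyond the thread's setup: each AWAY site gets its own key, so a key read out of one site's code cannot forge a cookie for any other domain, which is the concern raised above. The site names, keys and the 3600-second lifetime are constructed values.

```python
import hashlib
import hmac
import time

# Constructed per-site keys. HOME holds all of them; each AWAY site is given only its own,
# so a key read out of one site's code cannot forge cookies for any other domain.
SITE_KEYS = {
    "away-a.example": b"constructed-key-for-site-a",
    "away-b.example": b"constructed-key-for-site-b",
}
MAX_AGE_SECONDS = 3600  # assumed cookie lifetime


def _mac(site, user_id, username, issued_at):
    # Binding the site name into the MAC makes a token valid only for the site it was issued to.
    msg = "|".join([site, str(user_id), str(username), str(issued_at)]).encode()
    return hmac.new(SITE_KEYS[site], msg, hashlib.sha256).hexdigest()


def home_issue(site, user_id, username, issued_at=None):
    """HOME side (step 3): the values AWAY stores in cookies (user, username, passhash) plus the login time."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    return {
        "user": user_id,
        "username": username,
        "time": issued_at,
        "passhash": _mac(site, user_id, username, issued_at),
    }


def away_verify(site, cookie, now=None):
    """AWAY side: True only if the cookie was issued by HOME for this site and is still fresh."""
    now = int(time.time()) if now is None else now
    if site not in SITE_KEYS:
        return False
    try:
        user_id = int(cookie["user"])
        issued_at = int(cookie["time"])
    except (KeyError, TypeError, ValueError):
        return False
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:  # reject stale or future-dated cookies
        return False
    expected = _mac(site, user_id, cookie.get("username", ""), issued_at)
    # Constant-time comparison so the check cannot be probed one byte at a time.
    return hmac.compare_digest(expected, str(cookie.get("passhash", "")))
```

A cookie issued for away-a.example fails at away-b.example, and changing the user id or letting the cookie age past the lifetime fails the check as well.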
LVL 3

Expert Comment

by:gnudiff
The main question is whether anyone who gets the code, can change it for the running website.

If not, then why shouldn't something as simple as this work:

make an additional MD5 hash, and write in the PHP code the resulting hash;


$pass_hash = "nuiasdhu1273y23bki"; // the resulting hash, not the password, is shown here.

if ( md5($user_sent_password) === $pass_hash) // strict comparison avoids PHP's loose string-to-number juggling
{
   // good user
}
LVL 2

Author Comment

by:ThePCNerd
This is not a user password.

Ok, you all understand how a file hash works: it makes sure that the data you have is the data that is real.

Well, I have that for all remote logins; that way all the remote sites don't have to ask for the user database or ask the main site to check the login. I simply store 3 cookies at the remote site (user, username, and passhash).

The passhash ensures nobody changes the userid to another person, so they can't fake the login.

And so creating their own new hash can be more difficult, I add two password phrases within the hash, which I then later confirm at the remote website whenever a function needs to know if the user is logged in.

If you read my first post, you should have understood this and that I wasn't talking about a user password. Please don't post unless you've read it all; you degrade the community that way.
LVL 2

Author Comment

by:ThePCNerd
Instead of giving my clients the source code, I decided to use an include().

The code is executed locally in a remote include so my source can never be leaked.

The only down side is that your website might go down and that means all websites using your program will too.
Accepted Solution

by:
ee_ai_construct earned 0 total points
Question answered by asker or dialog valuable.
Closed, 130 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin