PHPBuilder.com, the best resource for PHP tutorials, templates, PHP manuals, content management systems, scripts, classes and more.

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices
Hiermenus
DatabaseJournal
Technology Jobs

IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

Covalent Extends Apache 2.0 to Microsoft ASP.NET
ShopWorX - Support for Windows
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Network Risk Assessment
Full-Featured, Java-Based Apache GUI

Partners & Affiliates

Creating a PHP Script for Web Mail Posting and Notification
The Big Upgrade
Simulating Graphical Charts with XHTML/CSS
Generating Pronounceable Passwords
Creating a Printer Version � Grab Method

Re: [PHPLIB] using md5-related stuff in PHPLIB From: Kristian Koehntopp (kris <email protected>)
Date: 03/31/00

Next message: Howard Ha: "RE: [PHPLIB] Session Hijacking"
Previous message: Florian Dittmer: "Re: [PHPLIB] Problem with "$sess->padd_query()""
In reply to: Max A. Derkachev: "[PHPLIB] using md5-related stuff in PHPLIB"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In netuse.lists.phplib you write:
>I wonder if there are any sense in using md5-related stuff in
>authentication in PHPLIB? Even if one uses Challenge-Auth and
>passwords transmitted in the md5 hashes over the network, there
>is no defense from a sniffer, since the things are transmitted
>over non-encrypted connection. One can grab that hashes as well
>as cleartext passwords, and then submit it to the site as
>passwords, so there would be no benefits from using that md5
>stuff in the authentication process.

Grabbing the md5 hashes does not buy you anything, as these
hashes are never reused. The challenge is determined randomly
and the server remembers the challenge within the session. The
client receives the challenge and computes a response using the
username, the password and the challenge. The username and the
response are then sent back to the server.

The server uses the username received, the password from the
database and the local challenge from the session to calculate
an exspected response. If that response matches the received
response the session is authenticated.

As challenges are not reused the captured response will be
invalid for subsequent authentication passes. Note how this
scheme of authentication depends on the availability of Sessions
for local storage of the current challenge.

MD5 based Challenge Response is secure in the sense that
passwords are not transmitted in clear if the browser is
Javascript capable. This protects you against passive sniffing
attacks, no more, no less.

MD5 based Challenge Response does not protect against
man-in-the-middle attacks which modifiy the login form code, the
md5.js code, which plug themselves completely into the
communitcation or otherwise subvert client-server communication.
Only SSL with certificates and PKI will protect you against this
kind of attack.

Kristian
-
PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in
the body, not the subject, of your message.

Next message: Howard Ha: "RE: [PHPLIB] Session Hijacking"
Previous message: Florian Dittmer: "Re: [PHPLIB] Problem with "$sess->padd_query()""
In reply to: Max A. Derkachev: "[PHPLIB] using md5-related stuff in PHPLIB"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]