Re: [phplib] Auth - password changes From: Karl Zimmermann (kzi <email protected>)
Date: 05/17/00

Yes, I am aware that full security requires SSL. But it would be
nice to have some intermediate security level working with non-SSL
servers, where only key strings initiated by the user or
the server are sent in a reasonably encrypted way. It would be
nice if Javascript incorporated encrypt/decrypt algorithms
compatible with those existing in PHP. Without that, the auth
functionality is limited.

> The only thing I can think of that would be completely secure would be to do
> the password-changing over SSL with a secure webserver. Or implement some
> cryptographic cypher in JavaScript (and good luck to you if you do :) ). The
> problem is that, in allowing the user to set/change the password over the
> web, you are trying to exchange a sensitive piece of information over an
> insecure channel; no amount of MD5ing (or any other hash function) will
> change that.
>
> Sending a randomly generated password over email would probably be the
> 'safest' bet if you don't want to use public-key cryptography, but users
> would likely complain about not being able to set their own passwords
> (especially if the passwords look like line noise).
>
> All-in-all, if you're concerned about that kind of security, you should
> probably be investing in a secure webserver anyway. It is far more likely
> that someone would try to sniff the session cookie of someone that is logged
> in to attempt to gain access than any other method, and this works even if
> you use challenge-auth. The only way to combat that kind of attack is to use
> SSL.
>
> ____________________________________________
> Nathaniel Price <seoman <email protected>>
> "Microsoft Works? Isn't that an oxymoron?"
>
> ----- Original Message -----
> From: "Karl Zimmermann" <kzi <email protected>>
> To: <phplib <email protected>>
> Sent: Monday, May 15, 2000 6:15 PM
> Subject: [phplib] Auth - password changes
>
>
> >
> > With PHP4 now having session management functions, I think that the most
> > commonly used feature of PHPLib will probably be the auth functionality, which
> > helps avoid sending passwords in plain text. Unfortunately, auth doesn't provide
> > that feature when the client sends a new password in cases of self registering or
> > password change.
> >
> > Encoding such a password with md5 before sending it is no solution, as it gives an
> > unwanted observer the result string stored in the password table.
> >
> > The problem of self registering could partly be solved when the first password is
> > randomly generated at the server side and sent to the client via another channel, say
> > for example email. That is not perfect, but it adds to the burden of an unwanted
> > observer.
> >
> > To solve the problem of password change, one needs encrypt/decrypt functionality,
> > not provided by the md5 algorithm.
> >
> > For example, the encryption of the new password on the client side could be made
> > by using the response string of crcloginform, generated with the old password, as
> > secret key, which is then decrypted with the same key on the server side. I am aware
> > that PHP, through the mcrypt library, offers encrypt/decrypt functionality, but I don't
> > know if Javascript offers compatible encryption algorithms.
> >
> > Any comments or ideas?
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: phplib-unsubscribe <email protected>
> > For additional commands, e-mail: phplib-help <email protected>
