php3-list | 199908

Re: [PHP3] 2 way encrypt/decrypt function in PHP3? From: Jacob Stetser (lists <email protected>)
Date: 08/05/99

Yeah, if they get the password, they're in. There's not much more I
can do for security past that point.

They could brute force it out of the response, since they know the
challenge and the username, or they could use social engineering to
get it out of the person. Thankfully both are more difficult,
usually, than sniffing it off the network, which is very hard to do
with this setup.

If I were smarter with designing security setups I could probably
make something harder, but in the end, the user's password/passphrase
is always the weak link. If they give it out or somehow someone gets
it, that's access. I can secure my end of the system, and to some
degree their end (using md5 encryption and CR instead of simple
password authentication)... I've been reading up on IKE and other
interesting asymmetric encryption schemes, but integrating them would
require me finding some sort of javascript to do the encryption on
one end and creating/finding a similar PHP solution on the other end.

Where can I get the MCRYPT functions? Are they not built into PHP? I
can't seem to use them on my host, though I might be using them wrong.

Is anyone here an expert in authentication security - specifically a
system which withstands dictionary attacks, is not plaintext
equivalent and has forward secrecy?

Jacob Stetser

>Hello Jacob,
>
>On 04-Aug-99 19:41:43, you wrote:
>
>>Well, what you suggest is a little different. My use of this is for
>>submitting forms. As for authentication of a realm, as you're talking
>>about, I use tickets and store the sessionvars in a database like
>>PHPLIB's sessions do. In that case, no password/username is ever sent
>>across the network, and challenge/response pairs are one-time only, and the
>>ticket (perhaps encoded with some information (IP of end-user?) to
>>thwart ticket swapping) is only valid for a short time.
>
>>In other words:
>
>>User requests login form
>>-> Server sends login form with encoded challenge and stores challenge in db
>>-> user logs in, challenge/response sent
>>->Server validates or invalidates and deletes challenge
>>-> if validated, sessionvars are stored in db and user receives "ticket"
>> i.e., cookie or ?session= or both
>>-> ticket is used for page-to-page validation
>>-> ticket expires 1 hour after last use
>
>Oh, I see what you mean now. You use tickets to prevent hackers from
>sniffing information and submitting it again to fake a valid access. It's nice but
>that doesn't prevent fake logins if the hacker gets a valid ticket and
>submits the form with a real password, right?
>
>
>Regards,
>Manuel Lemos
>
Jacob Stetser

--
icongarden: Making good ideas grow.
http://icongarden.com/

Get our PGP public key by emailing pgp <email protected>
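The challenge/response-and-ticket flow Jacob outlines in the quoted message, written out as an added Python sketch of both sides (this is not code from the thread, from PHPLIB or from the poster's PHP3 site). The response construction md5(challenge:username:password), the 5-minute lifetime of an unused challenge, the IP binding of the ticket and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300       # assumption: an unanswered challenge is discarded after 5 minutes
TICKET_IDLE_TTL = 3600    # from the thread: ticket expires 1 hour after last use


def client_response(challenge, username, password):
    """Browser side. MD5 as in the thread; the exact concatenation is assumed.
    Because challenge and username travel in the clear, anyone holding the
    response can test candidate passwords offline, which is the dictionary-attack
    weakness Jacob raises."""
    return hashlib.md5(f"{challenge}:{username}:{password}".encode()).hexdigest()


class Server:
    def __init__(self, users, now=time.time):
        self.users = users        # username -> password; a plaintext-equivalent store
        self.challenges = {}      # challenge -> time issued (one-time, deleted on use)
        self.tickets = {}         # ticket -> {"user", "ip", "last_used"}
        self.now = now            # clock is injectable so expiry can be tested

    def issue_challenge(self):
        """Step 1: send the login form with a fresh challenge, record it in the db."""
        c = secrets.token_hex(16)
        self.challenges[c] = self.now()
        return c

    def login(self, username, challenge, response, ip):
        """Step 2/3: validate or invalidate, deleting the challenge either way so a
        sniffed challenge/response pair cannot be replayed. Returns a ticket or None."""
        issued = self.challenges.pop(challenge, None)
        if issued is None or self.now() - issued > CHALLENGE_TTL:
            return None
        password = self.users.get(username)
        if password is None:
            return None
        expected = client_response(challenge, username, password)
        if not hmac.compare_digest(expected, response):
            return None
        t = secrets.token_hex(16)
        self.tickets[t] = {"user": username, "ip": ip, "last_used": self.now()}
        return t

    def check_ticket(self, ticket, ip):
        """Step 4: page-to-page validation; ticket is bound to the client IP and
        expires after one idle hour. Returns the username or None."""
        s = self.tickets.get(ticket)
        if s is None or s["ip"] != ip:
            return None
        if self.now() - s["last_used"] > TICKET_IDLE_TTL:
            del self.tickets[ticket]
            return None
        s["last_used"] = self.now()
        return s["user"]
```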

-- PHP 3 Mailing List <http://www.php.net/>
To unsubscribe, send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
To contact the list administrators, e-mail: php-list-admin <email protected>