In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways:
Using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS
Using simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols
What aSSL Is and How to Use it
The aSSL library is distributed under the MIT License, and it is implemented by using two components:
The aSSL library enables the client side to negotiate a 128-bit random key with the server using the RSA algorithm. RSA is a public-key cryptography algorithm and involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages; messages encrypted with the public key can be decrypted only with the private key. After the connection has been established, the data is sent and received using the Advanced Encryption Standard (AES) algorithm. In cryptography, AES is a symmetric-key encryption algorithm based on a design principle known as a substitution-permutation network. AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits. Its cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output ciphertext.
The latest aSSL library as of this writing, version 1.2.1, works as follows:
The browser calls the server to start the process.
The server returns its RSA part and the public key.
The browser generates a random exchange 128-bit key, encrypts it using the server public key and passes the encrypted exchange key to the server.
The server receives this encrypted 128-bit exchange key, decrypts it with its private key and, if the result is ok, returns the session duration time.
The browser receives the session duration time and sets a timeout to maintain the connection.
To use the aSSL 1.2.1 library in PHP, download the ZIP archive assl1.2.1PHP4.zip, unzip it, and copy the assl subfolder into the folder served by Apache.
Writing the PHP Login Application
After unzipping the assl1.2.1PHP4.zip archive in the specific Apache folder, you should see the structure of directories shown in Figure 1. This structure already contains a simple login application example, which I will explain in the sections to follow.
You can modify the index.php, login.php and conn.php scripts to create a custom application that needs the cryptography implementation. In this section, I will explain this specific example using aSSL. In the next section, I will explain how to create an example that uses Ajax and OpenSSL.
Note: All subsequent client/server exchanges via aSSL are encrypted and decrypted using AES. The aSSL library allows multiple secure connections to be established with one or more servers simultaneously.
The index.php script (see Listing 1) establishes an aSSL-encrypted connection with the server. If successful, the time taken to establish the connection is displayed; if not, the error message "Unable to establish an aSSL encrypted connection." is returned. showConn is the callback function that the aSSL.connect method calls once the connection is established. After that, a login attempt begins by calling the loginGo function, which encrypts the query string and runs the Ajax request using the POST method.
The login.php script used by this POST method starts a session (the AES key is stored in $_SESSION), decrypts the encrypted request data and outputs the result:
<?php
// start session as AES key is stored in $_SESSION
session_start();
// require needed files (the aSSL server-side library; path assumed, adjust to the unzipped assl folder)
require_once 'aSSL.php';
// decrypt the request sent by the browser
$decrypted = aSSL::decrypt($_POST['data']);
// get associative array from the decrypted query string
$res = aSSL::querystr($decrypted);
$users = array('guru' => 'jolly', 'admin' => 'crazy');
// check that the nickname exists before comparing the password (avoids an undefined-index notice)
$result = (isset($res['nickname'], $res['password'], $users[$res['nickname']])
           && $users[$res['nickname']] === $res['password']) ? 1 : 0;
// output result. It can be done with aSSL::send($result) if the data returned to the browser should be encrypted.
echo $result;
The conn.php script answers the aSSL.connect call from the browser and establishes the aSSL connection:
<?php
// start session as AES key is stored in $_SESSION
session_start();
// require file with key(s): defines the server RSA keys $myKey and $myKey512 (file name assumed)
require_once 'keys.php';
// the aSSL library (path assumed, adjust to the unzipped assl folder)
require_once 'aSSL.php';
// To establish the aSSL connection the following line is sufficient:
aSSL::response(isset($_GET['size']) && $_GET['size'] == 512 ? $myKey512 : $myKey);
Figure 2 shows the aSSL login example output before inserting any values, and Figure 3 shows the output of this application after a successful login.
To encrypt the password, I use the OpenSSL library. To use this library you should enable the extension in php.ini by uncommenting the line extension=php_openssl.dll, and then download the DLL files the extension requires (libeay32.dll and ssleay32.dll), which must be placed in the PHP and Windows/System32 folders. PHP 5.x and 6.x ship these files in the extras/openssl directory.
This command creates an RSA private key file called private.pem with a 1024-bit key:
$ openssl genrsa -out private.pem 1024
The private.pem file actually contains both the private and the public key, so you should extract the public one from it.
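The handshake described in the numbered steps above (RSA-sealed 128-bit exchange key, then AES for all later traffic) and the private.pem key from the openssl command, put together as an added PHP example that is not the article's or the aSSL library's code. It assumes PHP's OpenSSL extension, uses OAEP padding and AES-128-CBC (the article does not state which padding or AES mode aSSL uses), and falls back to an in-memory key pair when private.pem is absent.

```php
<?php
// Added example (not from the article or the aSSL project): the key exchange the
// article describes, done with PHP's OpenSSL extension. If private.pem (as produced
// by "openssl genrsa -out private.pem 1024") is beside the script it is used;
// otherwise a key pair is generated in memory so the script runs stand-alone.

// --- server side: load or create the RSA key pair and publish the public key ---
function server_keys() {
    $file = __DIR__ . '/private.pem';
    if (is_file($file)) {
        $priv = openssl_pkey_get_private(file_get_contents($file));
    } else {
        $priv = openssl_pkey_new(array('private_key_bits' => 2048,
                                       'private_key_type' => OPENSSL_KEYTYPE_RSA));
    }
    // the public key is extracted from the private one, as the article notes
    $details = openssl_pkey_get_details($priv);
    return array($priv, $details['key']);
}

// --- browser side: random 128-bit exchange key, RSA-encrypted with the public key ---
function client_exchange_key($pubPem) {
    $key = openssl_random_pseudo_bytes(16);  // the 128-bit exchange key
    openssl_public_encrypt($key, $sealed, $pubPem, OPENSSL_PKCS1_OAEP_PADDING);
    return array($key, $sealed);
}

// --- server side: recover the exchange key with the private key ---
function server_unseal($priv, $sealed) {
    if (!openssl_private_decrypt($sealed, $key, $priv, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;  // decryption failed: the key was not sealed for this server
    }
    return $key;
}

// --- both sides: AES-128 for every later message; the IV travels with the ciphertext ---
function aes_send($key, $plain) {
    $iv = openssl_random_pseudo_bytes(16);
    return $iv . openssl_encrypt($plain, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
}
function aes_recv($key, $msg) {
    return openssl_decrypt(substr($msg, 16), 'aes-128-cbc', $key, OPENSSL_RAW_DATA, substr($msg, 0, 16));
}

list($priv, $pub) = server_keys();                     // step 2: server publishes its public key
list($k, $sealed) = client_exchange_key($pub);         // step 3: browser seals its exchange key
$serverKey = server_unseal($priv, $sealed);            // step 4: server recovers it
$login = aes_send($k, 'nickname=guru&password=jolly'); // later traffic: AES-encrypted login form
parse_str(aes_recv($serverKey, $login), $res);         // server side gets the associative array
var_dump($res['nickname'] === 'guru' && $res['password'] === 'jolly');
```

In the real application the browser-side functions run in JavaScript and only the sealed key and the AES ciphertexts cross the wire; the server side here is what login.php receives after aSSL::decrypt.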
The 1.html HTML page (see Listing 2) implements the Ajax mechanism and presents an HTML form that interacts with the getuser.php script to read from the jobs database and output the value chosen in the select component.
In this article you learned two approaches for writing a PHP login application: one using the aSSL library and the other using simple Ajax and the OpenSSL library.
About the Author
Octavia Andreea Anghel is a senior PHP developer currently working as a primary trainer for programming teams that participate in national and international software-development contests. She consults on developing educational projects at a national level. She is a coauthor of the book "XML Technologies: XML in Java" (Albastra, ISBN 978-973-650-210-1), for which she wrote the XML portions. In addition to PHP and XML, she's interested in software architecture, web services, UML, and high-performance unit tests.