In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS-style encryption in two ways:
  1. Using aSSL (Ajax Server Secure Layer), a library that provides an encrypted channel similar to SSL on top of plain HTTP, without HTTPS
  2. Using plain Ajax and PHP's OpenSSL extension (OpenSSL is an open source implementation of the SSL and TLS protocols and of the cryptographic primitives behind them)

What aSSL Is and How to Use it

The aSSL library is distributed under the MIT License and consists of two components: a JavaScript library that runs in the browser and a server-side library, of which this article uses the PHP port.
The aSSL library lets the client negotiate a random 128-bit key with the server using the RSA algorithm. RSA is a public-key algorithm: it involves a public key, which can be known to everyone and is used to encrypt messages, and a private key, which is the only key that can decrypt them. Once the key has been exchanged, all further data is sent and received encrypted with the Advanced Encryption Standard (AES). AES is a symmetric-key block cipher built on a substitution-permutation network; it has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, and the cipher is specified as a number of rounds of transformations that turn the input plaintext into the output ciphertext.
The latest aSSL library as of this writing, version 1.2.1, works as follows:
  1. The browser calls the server to start the process.
  2. The server returns its RSA public key.
  3. The browser generates a random 128-bit exchange key, encrypts it with the server's public key and sends the encrypted exchange key to the server.
  4. The server decrypts the exchange key with its private key and, if decryption succeeds, returns the session duration.
  5. The browser receives the session duration and sets a timeout to keep the connection alive.
To use aSSL 1.2.1 with PHP, download the ZIP archive assl1.2.1PHP4.zip, unzip it and put its assl subfolder in your Apache document root (htdocs by default).

Writing the PHP Login Application

After unzipping the assl1.2.1PHP4.zip archive into the Apache document root, you should see the directory structure shown in Figure 1. It already contains a simple login application example, which I explain in the sections that follow.

Figure 1. The structure of the assl subfolder after unzipping the archive into the Apache document root
You can modify the index.php, login.php and conn.php scripts to build your own application on top of this encryption layer. In this section I walk through the bundled aSSL example; in the next section I show an example that uses plain Ajax and the OpenSSL extension.
Note: All subsequent client/server exchanges via aSSL are encrypted and decrypted with AES. The library allows multiple secure connections to be established with one or more servers simultaneously.
index.php (see Listing 1) establishes an aSSL-encrypted connection with the server. If this succeeds, the time taken to establish the connection is displayed; otherwise the error message "Unable to establish an aSSL encrypted connection." is shown. showConn is the callback that the aSSL.connect method invokes once the connection is established. The login attempt then starts with a call to the loginGo function, which encrypts the query string (nickname and password) and sends it to login.php with an Ajax POST.
login.php, which handles that POST, starts the session (the AES key negotiated by conn.php is stored in $_SESSION), decrypts the client's request and outputs the result:
<?php
// start the session: the AES key negotiated in conn.php is stored in $_SESSION
session_start();
// the aSSL server-side library
require_once 'assl-php/assl.php';

// reject requests that did not go through the aSSL handshake
if (!isset($_POST['data'])) {
    aSSL::write(0);
    exit;
}
// decrypt the client's request with the session AES key
$decrypted = aSSL::decrypt($_POST['data']);
// turn the decrypted query string into an associative array
$res = aSSL::querystr($decrypted);

// valid users (demo only: a real application stores password hashes, e.g. from password_hash(), never plaintext)
$users = array('guru' => 'jolly', 'admin' => 'crazy');

// isset() avoids an undefined-index notice for unknown nicknames or missing fields;
// === avoids PHP's loose string comparison (on PHP >= 5.6 hash_equals() is the constant-time choice)
$nick = isset($res['nickname']) ? $res['nickname'] : '';
$pass = isset($res['password']) ? $res['password'] : '';
$result = (isset($users[$nick]) && $users[$nick] === $pass) ? 1 : 0;
// output the result; use aSSL::send($result) instead if the reply to the client should be encrypted
aSSL::write($result);
?>
conn.php is the server-side endpoint that the client's aSSL.connect method calls; it answers the handshake using the RSA key(s) defined in mykey.php:
<?php
// start the session: the negotiated AES key is stored in $_SESSION
session_start();
// file with the server's RSA key(s), generated with the aSSL key tool
require_once 'mykey.php';

// the aSSL server-side library
require_once 'assl-php/assl.php';

// This single line answers the handshake. Note that the client can ask for a
// 512-bit key with ?size=512; 512-bit RSA keys have been publicly factored, so a
// production deployment should serve only the larger key (aSSL::response($myKey)).
aSSL::response(isset($_GET['size']) && $_GET['size'] == 512 ? $myKey512 : $myKey);
?>
Figure 2 shows the aSSL login example output before inserting any values, and Figure 3 shows the output of this application after a successful login.

Figure 2. The aSSL login example output before inserting any values

Figure 3. The output of this application after a successful login
If you need to generate an RSA key pair for aSSL, the library also includes a tool for that (see Figure 4), reachable through the RSAKeyGenerator.asp link.

Figure 4. Generating an RSA key using the aSSL tool
Using the library is straightforward and the bundled example is a useful starting point. Keep in mind, though, what the handshake above does and does not give you: the server's RSA public key is delivered over plain HTTP with no certificate behind it, so the browser cannot verify whom it is talking to, and the JavaScript that performs the exchange is itself delivered unprotected. aSSL hides the exchanged data from a passive observer, but it is not a substitute for HTTPS against an active attacker on the path.

Using Simple Ajax and OpenSSL

The example in this section, backed by a jobs database, is not really a login application, but it demonstrates exactly how Ajax and the OpenSSL extension work together in PHP. The application contains two pages:
  1. An HTML form to select a user, together with the Ajax mechanism
  2. A PHP script that connects to the jobs database and reads all information about the selected user from the users table (see Figure 5)

Figure 5. The users table structure and its content
To encrypt the password, I use PHP's OpenSSL extension. On Windows, enable it in php.ini by removing the semicolon in front of extension=php_openssl.dll, and make sure the DLLs the extension depends on (libeay32.dll and ssleay32.dll) are in the PHP folder or in Windows\System32; the Windows builds of PHP 5.x ship them in the extras/openssl directory. On Linux the extension is normally compiled in or available as a package, so there is no DLL step.
The following command creates a private key file called private.pem. The original version of this article generated a 1024-bit key; 1024-bit RSA is below current minimum recommendations, so use at least 2048 bits:
$ openssl genrsa -out private.pem 2048
The private.pem file also contains the public components of the key (modulus and public exponent), so you extract the public key from it:
$ openssl rsa -in private.pem -out public.pem -outform PEM -pubout
Keep private.pem outside the web root and readable only by the PHP process: anyone who can read it can decrypt every password sent to the application.
The 1.html page (see Listing 2) implements the Ajax mechanism and presents an HTML form that calls the getuser.php script to read from the jobs database and display the details of the user chosen in the select element.

Figure 6. The output of the 1.html HTML form
The getuser.php script (see Listing 3) outputs all the details of the user selected in the HTML form, read from the users table.

Figure 7. The output of the application

Conclusion

In this article you learned two approaches for writing a PHP login application: one using the aSSL library and the other using plain Ajax and PHP's OpenSSL extension.

About the Author

Octavia Andreea Anghel is a senior PHP developer currently working as a primary trainer for programming teams that participate at national and international software-development contests. She consults on developing educational projects at a national level. She is a coauthor of the book "XML Technologies: XML in Java" (Albastra, ISBN 978-973-650-210-1), for which she wrote the XML portions. In addition to PHP and XML, she's interested in software architecture, web services, UML, and high-performance unit tests.