Password-Transfer to Webserver (PHP available)

bluejoke · Post by **bluejoke** » Mon Feb 21, 2005 10:41 pm

Hi!

I searched some time ago, but found nothing about how to encrypt a password save to identify at a PHP-Skript.
I would love to use PGP but don't know how to implement it neither in PB nor in PHP. I found some snippets or something similiar in this board, but abandoned 'cause I don't know if PHP supports PGP.

So now I'm using a easy crypt-algo created by myself (don't have the source at the moment):
Client:

Code: Select all

Password input by user
a=MD5-hash(input)
get current IP from a php-skript on my server (stored in 'ip')
b=MD5-hash(a+ip)
send b to server-skript

Server:

Code: Select all

Get Pw from Database (only MD5-Hash) -> s_a
get current client-ip -> ip
s_b = MD5(s_a+ip)
compare b and s_b

This works but I I think it's only a bit better as sending the pw not crypted (is "clear text" the right term in this context?)

I wanted to ask: How does the SmartUpdater work? How does this tool verify its identity at the moment of downloading after the login? Sessions?

Has anyone a proposal, how to do it better?
It's not sooo important because it's only a private developement but I think, I should try to make it as save as it can be.

thanks, Vielen Dank, muchas gracias,...

P.S.: Please correct wrong english or wrong orthography per private message

Rescator · Post by **Rescator** » Tue Feb 22, 2005 12:11 am

get current IP from a php-skript on my server (stored in 'ip')

Use a unique id instead. like php's uniqid() function.

makes it harder for anyone "eavesdropping" from re-using the md5 hash later. instead it becomes a one time autenthication (or session authentication).

Remember, hashing a password may hide what the password is.
But it can still be (mis-)used in hash form.
(unless the hash is diffrent at each "login".)

The method you describe above would be just as silly a sending it in cleartext. since you are relying on a ip. which tend to be semi static
but is also easily spoofable by hackers that know a bit about the ip protocol etc.

Using a unique one time id fix that however.
And you suddenly get something that is pretty secure. (next to using PGP and SSL etc etc.)

Rescator · Post by **Rescator** » Tue Feb 22, 2005 12:46 am

Another tip! Combine my tip with the password in my post above.
And use i.e the "MD5 + modified RC4 method" in the Tips and tricks section
to encrypt files you transfer.
Only when you encrypt the files use the password and not the hash used during authentication.

This way the only way a hacker can decrypt the files is if he can guess the password.

Only the server knows the md5 of the password,
and only the download tool knows the md5 hash of the password.
and as the unique id is hashed with the password during authentication.
The actual password is never sent, so a hacker can in no way authenticate,
nor be able to decrypt the files unless he knows the real password.

I believe that a RC4 implementation/script exist for php.

I'm working on a couple of tools that use the idea in both my posts,
(my ECAMREC routine, + the authentication system/tool (called Bivius)
my EmSai Compressed Archive format/tool, and at some point I hope to make a variation of the Bivius tool called Bivium that will be a plugin for Firefox and thus allow a more secure way to login to websites and forums that do not use/have SSL. and that is easy to support on the server (provided the server can run PHP scripts that is).

I'll prolly post some news about all this later on the forum,
but for now this post and the previous one (and the code in Tip's trick section) should give you some ideas to make things more secure.

Here's the url viewtopic.php?t=14044

Edit: found a rc4 script http://www.phpclasses.org/browse/package/146.html

Have fun!

bluejoke · Post by **bluejoke** » Tue Feb 22, 2005 1:34 pm

I don't think, I have to crypt my data sent by my tool, because I will use it only to update my webpage.
So I want my parents to be able to write a bit of the homepage, click send and it will be uploaded after identification. I don't want to use FTP because later I want to implement some right-management.

bluejoke · Post by **bluejoke** » Wed Mar 02, 2005 9:01 pm

Hello again!

I just wanted to ask, if anyone can say me how the SmartUpdater of PB handles the password-transfer. Is it crypted? Or is this a secret?

Thanks,
Simon