Sparda Posted February 15, 2009 Share Posted February 15, 2009 If using Javascript to encrypt it before sending, and someone is sniffing the data capturing the encrypted payload plus the javascript itself that encrypted it, wouldn't it be easy to script a decrypt from the payload and original encrypt script? That depends. If a challenge response is not used and you use md5 (for example) it is vulnerable to repeat attacks but prevents the attacker from seeing the actual password used (not that this matters since they only need to know the encrypted stuff in order to authenticate as them). If a challenge response is used you can't use md5 as you need to be able to reveres to encryption process. In which case the attacker has to capture the challenge and the response and they already know the algorithm so it's no effot at all to get the actual password used back. The non-challenge response method is only slightly more secure for the user as the attacker doesn't know what the actual password used was. So this would prevent them from trying the same password on other sites they already know the same user uses. Quote Link to comment Share on other sites More sharing options...
aeturnus Posted February 15, 2009 Share Posted February 15, 2009 If using Javascript to encrypt it before sending, and someone is sniffing the data capturing the encrypted payload plus the javascript itself that encrypted it, wouldn't it be easy to script a decrypt from the payload and original encrypt script? I have this odd feeling that you've never read the details of how a DHE exchange works. And Sparda, That's true, you'd have to distribute the certificate to every user that you'd want to use the site. The OP didn't make any mention of how many users he expected. I know that for my work, the "trusted" CA's aren't trusted enough, and we have to use a method of distribution similar to what is described here (although, we don't play around with doing it in Javascript and PHP, we use industry standards for the negotiation of the protocol). Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 15, 2009 Share Posted February 15, 2009 Forgot to say: If a public/private key system is used, the attacker has to intercept the transmission of the public key and replace it with his own. This is what happens when SSL is MITM'ed, except, as previously stated, you tell when you are been MITM'ed with SSL as the CA's signature will not be recognised by the browser (unless a evil person managed to convince a CA to create a certificate for a domain he does not own). Quote Link to comment Share on other sites More sharing options...
digip Posted February 15, 2009 Share Posted February 15, 2009 I have this odd feeling that you've never read the details of how a DHE exchange works. This is True. I was not 100% sure about what it encrypted after the initial authentication. I was thinking it was more for secure authentication into a domain. I stand corrected. Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. Quote Link to comment Share on other sites More sharing options...
stingwray Posted February 15, 2009 Share Posted February 15, 2009 I think I've solved this problem, with key exchange using no asymmetric crypto and both user and server authenticating to each other. I'll post more a little later, as I'm just stamping out a POC and will upload it to my server for people to play with, as well as release the source. I've just got to verify somethings and increase the security a little more. EDIT: also to make this clear, I'm not guaranteeing this in anyway against to be equally as secure as SSL, and will be looking for feedback, but I believe it has promise. Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 15, 2009 Share Posted February 15, 2009 I have this odd feeling that you've never read the details of how a DHE exchange works. This is vulnerable to been intercepted, the attacker pretending to be the client to the server, then turning around and pretending to be the server to the client. Only a passive attacker would not be able to intercept this. Quote Link to comment Share on other sites More sharing options...
aeturnus Posted February 15, 2009 Share Posted February 15, 2009 This is vulnerable to been intercepted, the attacker pretending to be the client to the server, then turning around and pretending to be the server to the client. Only a passive attacker would not be able to intercept this. Well sure, you can intercept it, that's why no one uses DHE by itself, but follows it up with RSA certificates. I'm not quite sure how a passive attacker could not intercept this sort of traffic, but that's neither here nor there. I'm sure it depends on how you define passive and across what medium the exchange takes place. Nonetheless, if you're interested in this topic, I'd really recommend the books I listed earlier ( Applied Cryptography, Handbook of Applied Cryptography ) as they both cover the topic pretty well ( I have my biases and reservations for both, but either should suffice). Or the O'Reilly book called...something like, "Network Security with OpenSSL", covers the topics rather briefly but has useful code examples if you're wanting to roll your own SSL solution. Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 16, 2009 Share Posted February 16, 2009 Well sure, you can intercept it, that's why no one uses DHE by itself, but follows it up with RSA certificates. I'm not quite sure how a passive attacker could not intercept this sort of traffic, but that's neither here nor there. I'm not sure what 'RSA certificates' refers to. A passive attacker (that is some one who is listening) cannot decipher the key generated by a (properly implemented) DHE despite seeing all communication. So, if you where communication with a medium that could be listen to but not intercepted (the Internet does not meet this criteria) you could reliably use DHE for generating a session key. For example, if you had a long distance radio communication system, any one could listen to it but it would be very difficult to intercept. Quote Link to comment Share on other sites More sharing options...
r4v37t Posted February 16, 2009 Author Share Posted February 16, 2009 How about I combine it with java applet? Can it secure my website? Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 16, 2009 Share Posted February 16, 2009 How about I combine it with java applet? Can it secure my website? Not really, an attacker could give a client a Java app that looked like yours but stole there info. Quote Link to comment Share on other sites More sharing options...
digip Posted February 16, 2009 Share Posted February 16, 2009 I think the only viable option is https communication (SSlv3, TLS, etc) or you don't really have secure communcations between your site and users. Quote Link to comment Share on other sites More sharing options...
aeturnus Posted February 16, 2009 Share Posted February 16, 2009 I'm not sure what 'RSA certificates' refers to. A passive attacker (that is some one who is listening) cannot decipher the key generated by a (properly implemented) DHE despite seeing all communication. So, if you where communication with a medium that could be listen to but not intercepted (the Internet does not meet this criteria) you could reliably use DHE for generating a session key. For example, if you had a long distance radio communication system, any one could listen to it but it would be very difficult to intercept. I apologize if English is not your first language; it's not mine either. But it's very difficult to understand what you're trying to say with improper words being used and terrible grammar. Again though, I think we're on the same page, generally, we just disagree over the terms. How about I combine it with java applet? Can it secure my website? Sure. That would be a similar case. It would be easier to do this via HTTPS, but if you're gung-ho for Java* solutions: go for it, it's possible. Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 16, 2009 Share Posted February 16, 2009 Sure. That would be a similar case. It would be easier to do this via HTTPS, but if you're gung-ho for Java* solutions: go for it, it's possible. I can't see how it is any more possible to create a secure connection without prior communication using a compiled programming language than a scripting language. They both have the same problem that the client is unable to verify that what the server sends them is what the server claims them to be. Quote Link to comment Share on other sites More sharing options...
r4v37t Posted February 17, 2009 Author Share Posted February 17, 2009 I know that nothing is secure, but now I just want to know how PHP can encrypt the POST data before its send to server. I need help, if you are can help me please send me link or anything that can make me learn how PHP can do that. Thanks. Quote Link to comment Share on other sites More sharing options...
stingwray Posted February 17, 2009 Share Posted February 17, 2009 I know that nothing is secure, but now I just want to know how PHP can encrypt the POST data before its send to server. I need help, if you are can help me please send me link or anything that can make me learn how PHP can do that. Thanks. It can't, PHP is server side only, you'll need a client-side technology like Javascript to perform encryption on the computer before sending to the sever. Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 17, 2009 Share Posted February 17, 2009 http://www.godaddy.com/gdshop/ssl/ssl.asp Quote Link to comment Share on other sites More sharing options...
PeterFox Posted February 19, 2009 Share Posted February 19, 2009 The moral of the story: Use SSL... and pray that you are not the victim of some elaborate plan including a full scale assault on VeriSign. Side note: If someone broke sha1, I doubt it would remain a secret long, the innate human desire of acclaim would be paramount. Quote Link to comment Share on other sites More sharing options...
stingwray Posted February 19, 2009 Share Posted February 19, 2009 The moral of the story: Use SSL... and pray that you are not the victim of some elaborate plan including a full scale assault on VeriSign. Side note: If someone broke sha1, I doubt it would remain a secret long, the innate human desire of acclaim would be paramount. More so than this, educate your users about SSL given the latest MITM attack announced at Black Hat. Security is no good if the user doesn't know how or why to lock the door. Quote Link to comment Share on other sites More sharing options...
r4v37t Posted February 20, 2009 Author Share Posted February 20, 2009 http://www.godaddy.com/gdshop/ssl/ssl.asp That not free!!! :( Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 20, 2009 Share Posted February 20, 2009 That not free!!! :( It is very cheap One Two Three Quote Link to comment Share on other sites More sharing options...
digip Posted February 20, 2009 Share Posted February 20, 2009 That not free!!! :( $29.99/yr for Godaddy vs $400/yr on your own. I think the GoDaddy option is cheap, only, I don't care for any of their services to begin with, but the SSl one is worth having if you need SSl. Check with some other hosting companies and see if they offer SSL for free though. There might be a better deal somewhere, but I highly doubt any host throws it in for free. Quote Link to comment Share on other sites More sharing options...
Sparda Posted February 20, 2009 Share Posted February 20, 2009 $29.99/yr for Godaddy vs $400/yr on your own. I think the GoDaddy option is cheap, only, I don't care for any of their services to begin with, but the SSl one is worth having if you need SSl. Check with some other hosting companies and see if they offer SSL for free though. There might be a better deal somewhere, but I highly doubt any host throws it in for free. You don't have to buy your hosting with godaddy to use a SSL cert from them (unless they force you to), you can install a purchased SSL cert on any server you like. Quote Link to comment Share on other sites More sharing options...
r4v37t Posted February 25, 2009 Author Share Posted February 25, 2009 ough... My money not enough for it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.