Jump to content

PHP Encrypt Security

r4v37t

By r4v37t
in Security

 Share

Recommended Posts

Sparda Newbie

Sparda

Posted
Posted
If using Javascript to encrypt it before sending, and someone is sniffing the data capturing the encrypted payload plus the javascript itself that encrypted it, wouldn't it be easy to script a decrypt from the payload and original encrypt script?

That depends. If a challenge response is not used and you use md5 (for example) it is vulnerable to repeat attacks but prevents the attacker from seeing the actual password used (not that this matters since they only need to know the encrypted stuff in order to authenticate as them).

If a challenge response is used you can't use md5 as you need to be able to reveres to encryption process. In which case the attacker has to capture the challenge and the response and they already know the algorithm so it's no effot at all to get the actual password used back.

The non-challenge response method is only slightly more secure for the user as the attacker doesn't know what the actual password used was. So this would prevent them from trying the same password on other sites they already know the same user uses.

Link to comment
Share on other sites
aeturnus Newbie

aeturnus

Posted
Posted
If using Javascript to encrypt it before sending, and someone is sniffing the data capturing the encrypted payload plus the javascript itself that encrypted it, wouldn't it be easy to script a decrypt from the payload and original encrypt script?

I have this odd feeling that you've never read the details of how a DHE exchange works.

And Sparda,

That's true, you'd have to distribute the certificate to every user that you'd want to use the site. The OP didn't make any mention of how many users he expected. I know that for my work, the "trusted" CA's aren't trusted enough, and we have to use a method of distribution similar to what is described here (although, we don't play around with doing it in Javascript and PHP, we use industry standards for the negotiation of the protocol).

Link to comment
Share on other sites
Sparda Newbie

Sparda

Posted
Posted

Forgot to say:

If a public/private key system is used, the attacker has to intercept the transmission of the public key and replace it with his own. This is what happens when SSL is MITM'ed, except, as previously stated, you tell when you are been MITM'ed with SSL as the CA's signature will not be recognised by the browser (unless a evil person managed to convince a CA to create a certificate for a domain he does not own).

Link to comment
Share on other sites
digip Newbie

digip

Posted
Posted
I have this odd feeling that you've never read the details of how a DHE exchange works.

This is True. I was not 100% sure about what it encrypted after the initial authentication. I was thinking it was more for secure authentication into a domain. I stand corrected.

Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Link to comment
Share on other sites
stingwray Newbie

stingwray

Posted
Posted

I think I've solved this problem, with key exchange using no asymmetric crypto and both user and server authenticating to each other.

I'll post more a little later, as I'm just stamping out a POC and will upload it to my server for people to play with, as well as release the source. I've just got to verify somethings and increase the security a little more.

EDIT: also to make this clear, I'm not guaranteeing this in anyway against to be equally as secure as SSL, and will be looking for feedback, but I believe it has promise.

Link to comment
Share on other sites
Sparda Newbie

Sparda

Posted
Posted
I have this odd feeling that you've never read the details of how a DHE exchange works.

This is vulnerable to been intercepted, the attacker pretending to be the client to the server, then turning around and pretending to be the server to the client. Only a passive attacker would not be able to intercept this.

Link to comment
Share on other sites
aeturnus Newbie

aeturnus

Posted
Posted
This is vulnerable to been intercepted, the attacker pretending to be the client to the server, then turning around and pretending to be the server to the client. Only a passive attacker would not be able to intercept this.

Well sure, you can intercept it, that's why no one uses DHE by itself, but follows it up with RSA certificates. I'm not quite sure how a passive attacker could not intercept this sort of traffic, but that's neither here nor there. I'm sure it depends on how you define passive and across what medium the exchange takes place.

Nonetheless, if you're interested in this topic, I'd really recommend the books I listed earlier ( Applied Cryptography, Handbook of Applied Cryptography ) as they both cover the topic pretty well ( I have my biases and reservations for both, but either should suffice). Or the O'Reilly book called...something like, "Network Security with OpenSSL", covers the topics rather briefly but has useful code examples if you're wanting to roll your own SSL solution.

Link to comment
Share on other sites
Sparda Newbie

Sparda

Posted
Posted
Well sure, you can intercept it, that's why no one uses DHE by itself, but follows it up with RSA certificates. I'm not quite sure how a passive attacker could not intercept this sort of traffic, but that's neither here nor there.

I'm not sure what 'RSA certificates' refers to.

A passive attacker (that is some one who is listening) cannot decipher the key generated by a (properly implemented) DHE despite seeing all communication. So, if you where communication with a medium that could be listen to but not intercepted (the Internet does not meet this criteria) you could reliably use DHE for generating a session key. For example, if you had a long distance radio communication system, any one could listen to it but it would be very difficult to intercept.

Link to comment
Share on other sites
digip Newbie

digip

Posted
Posted

I think the only viable option is https communication (SSlv3, TLS, etc) or you don't really have secure communcations between your site and users.

Link to comment
Share on other sites
aeturnus Newbie

aeturnus

Posted
Posted
I'm not sure what 'RSA certificates' refers to.

A passive attacker (that is some one who is listening) cannot decipher the key generated by a (properly implemented) DHE despite seeing all communication. So, if you where communication with a medium that could be listen to but not intercepted (the Internet does not meet this criteria) you could reliably use DHE for generating a session key. For example, if you had a long distance radio communication system, any one could listen to it but it would be very difficult to intercept.

I apologize if English is not your first language; it's not mine either. But it's very difficult to understand what you're trying to say with improper words being used and terrible grammar.

Again though, I think we're on the same page, generally, we just disagree over the terms.

How about I combine it with java applet?

Can it secure my website?

Sure. That would be a similar case. It would be easier to do this via HTTPS, but if you're gung-ho for Java* solutions: go for it, it's possible.

Link to comment
Share on other sites
Sparda Newbie

Sparda

Posted
Posted
Sure. That would be a similar case. It would be easier to do this via HTTPS, but if you're gung-ho for Java* solutions: go for it, it's possible.

I can't see how it is any more possible to create a secure connection without prior communication using a compiled programming language than a scripting language. They both have the same problem that the client is unable to verify that what the server sends them is what the server claims them to be.

Link to comment
Share on other sites
stingwray Newbie

stingwray

Posted
Posted
I know that nothing is secure, but now I just want to know how PHP can encrypt the POST data before its send to server.

I need help, if you are can help me please send me link or anything that can make me learn how PHP can do that.

Thanks.

It can't, PHP is server side only, you'll need a client-side technology like Javascript to perform encryption on the computer before sending to the sever.

Link to comment
Share on other sites
PeterFox Newbie

PeterFox

Posted
Posted

The moral of the story: Use SSL...

and pray that you are not the victim of some elaborate plan including a full scale assault on VeriSign.

Side note: If someone broke sha1, I doubt it would remain a secret long, the innate human desire of acclaim would be paramount.

Link to comment
Share on other sites
stingwray Newbie

stingwray

Posted
Posted
The moral of the story: Use SSL...

and pray that you are not the victim of some elaborate plan including a full scale assault on VeriSign.

Side note: If someone broke sha1, I doubt it would remain a secret long, the innate human desire of acclaim would be paramount.

More so than this, educate your users about SSL given the latest MITM attack announced at Black Hat.

Security is no good if the user doesn't know how or why to lock the door.

Link to comment
Share on other sites
digip Newbie

digip

Posted
Posted
That not free!!! :(

$29.99/yr for Godaddy vs $400/yr on your own. I think the GoDaddy option is cheap, only, I don't care for any of their services to begin with, but the SSl one is worth having if you need SSl. Check with some other hosting companies and see if they offer SSL for free though. There might be a better deal somewhere, but I highly doubt any host throws it in for free.

Link to comment
Share on other sites
Sparda Newbie

Sparda

Posted
Posted
$29.99/yr for Godaddy vs $400/yr on your own. I think the GoDaddy option is cheap, only, I don't care for any of their services to begin with, but the SSl one is worth having if you need SSl. Check with some other hosting companies and see if they offer SSL for free though. There might be a better deal somewhere, but I highly doubt any host throws it in for free.

You don't have to buy your hosting with godaddy to use a SSL cert from them (unless they force you to), you can install a purchased SSL cert on any server you like.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...