tags:

views:

1165

answers:

6
+2  Q: 

Secure login: public key encryption in PHP and Javascript

I'm trying to make a "normal" username/password login form secure, without needing HTTPS. My idea is this:

  • Server generates a keypair for some kind of assymetric encryption algorithm. It stores this keypair in a temporary table of sorts (or perhaps the local session data).
  • Server sends the form to the client and includes the public key.
  • User fills in the form.
  • Before it's sent to the server, Javascript encrypts the password using the given public key.
  • Form is sent.
  • Server decrypts the password with it's private key (which it gets from the temporary table, using the public key to find it).

What I need to know for this is:

  • Which encryption method is the best to use? RSA?
  • How can I decrypt the password in PHP?
  • And probably the most difficult one, how can I make Javascript encrypt the password?
A: 

This is a very good idea, and it's already been done. See jCryption.

Reinis I.  2009-10-06 20:47:16
+2  A: 

It looks like a lot of what you want to do is supplied by the jquery plugin JCryption. It even assumes PHP as the backend, so a good fit for you.

JacobM  2009-10-06 20:50:17
A: 

jCryption looks interesting, I've not seen it before.

But I have to ask what is wrong with SSL?

Encryption code is notoriously hard to do right, and you can bet that the SSL implementations found in browsers and http servers are much more rigorously tested and reviewed than the jCryption stuff.

That said, jCryption looks neat if you absolutely need to avoid SSL, and you're not dealing with super-sensitive information.

timdev  2009-10-06 21:24:26
Oh yes, SSL is great, except for one idiotic design decision they made: You need a certificate, and that costs money. If they had made it so that you can have encryption without the identity validation part, the encryption would have been used more often than not, and the net would have been more secure altogether.
Bart van Heukelom  2009-10-06 21:28:36
The identity validation is necessary so that the certificate can be signed. If it's not signed, clients have no way of knowing whether or not they're being presented with a bogus certificate. The argument that it "costs money" is pretty lame, given that a lot of hosting providers will often bundle a perfectly good SSL certificate, or provide it for a small additional fee. If you're serious about operating in an environment where you're expected to adhere to certain security standards, then you're going to have to accept there are going to be costs.
Rob  2009-10-06 21:35:35
You can always generate your own, self-signed, SSL Certificate. Of course, browsers have started making that even more scary for users than they used to. But I tend to agree that the cost argument is bogus. Programmer time to implement your way around paying for an SSL cert costs money too.
timdev  2009-10-06 21:43:06
See my comment to Rob's answer. Also, if SSL didn't need signed certificates, it would probably be standard. Secure sites would outnumber unsecure ones by far and even the smallest hobby site would be secure, providing the webserver/host defaults are set like that.
Bart van Heukelom  2009-10-06 21:47:39
To clarify Rob's comments: The encryption part is USELESS without the identity validation part. A solution such as the poster describes is trivially defeated by any attacker who has the capability to get between the client and server. It's called a "man in the middle" attack and the idea is very simple: Server generates key pair, sends public key.Attacker intercepts page, replaces public key with his own. Client encrypts password with attacker's public key and sends the response.Attacker decrypts password, encrypts it with server's public key and sends it to server.
swillden  2009-10-06 21:48:33
swillden is exactly right. If information is worth protecting, it's worth protecting well. "Iron-clad" encryption that can be defeated by man-in-the-middle just creates a dangerous false sense of security.
timdev  2009-10-06 22:11:56
I'm only trying to stop the script kiddies. It's simply not worth it to go all the way, and this is at least better than nothing. You really can't disagree with such simple logic ;)
Bart van Heukelom  2009-10-06 23:03:40
Trying to stop them from what, exactly?
timdev  2009-10-06 23:28:34
The number of people who are both smart and motivated enough to intercept your communications, but *not* smart and motivated enough to break your trivially-breakable scheme, must surely be vanishingly small.
caf  2009-10-06 23:43:37
You can always disagree with flawed logic, however. You seem to be labouring under the opinion that SSL incorporates certificates only as a means to make money for privileged companies. It's not; it's fundamental to the design goals of SSL. Of course, what you're after may well not be all those design goals, and that's fine, but you probably shouldn't tout that as "secure", because it's vulnerable to a fairly common type of attack, and I'm just concerned it may be misrepresented to other readers as a complete solution.
Rob  2009-10-07 20:59:54
+7  A: 

This doesn't seem that secure from the perspective of the client. Two (related) problems:

  1. How does the client trust the server? How can it verify that the key the sever's presenting is the one that belongs to it?
  2. It's possible to do man-in-the-middle attacks. A malicious proxy could strip out and store the public key before the client sees it, substituting its own, then decrypt the password when the client authenticates, store it, and re-encrypt and send the response on so the client doesn't realise something's up.

What's wrong with ordinary SSL? There has to be a consensus that it's secure, otherwise vendors and organisations would drop support for it overnight. By contrast, most attempts to invent a funky new way to do security "on the cheap" usually miss something fundamental.

Rob  2009-10-06 21:33:22
There is no way to check the server identity, that's true. But does it matter? A real SSL certificate is just not going to happen, and this is better than nothing...far better. SSL is like you can either put no lock on your door, or a fingerprint scanner. The regular lock with a metal key is unavailable.
Bart van Heukelom  2009-10-06 21:45:03
I would contend that it's *worse* than nothing, because it is giving you a completely false sense of security. A real SSL certificate can be had for $30 - is your data really worth less than $30?
caf  2009-10-06 23:41:22
+3  A: 

In advance: I'm sorry for being negative, however;

Implementing you're own security protocol is never a good idea, unless you're a highly trained security expert, or you actually don't really care about the security and only want to create an impression of security (marketing) and stop the script kiddies.

SSL is definitely not a fingerprint lock, as so say in your comments, JCryption and your proposal are equal to having a door where you can enter a two-digit code to open the door and you have infinite many retries. Its hard to break if you're not really interested and just passing by, but if you want to get in that house (and you probably do, else security wouldn't be needed), you will get in.

Another point is that people often forget to mention what they want to achieve. Security has the famous three components called CIA, namely confidentiality, integrity and availability. Is it for you important that the data you transport is confidential, or is integrity important (i.e. you're sure that the sent data comes from the one you expect and not the man in the middle)?

To make it concrete in this case, the only thing that you achieve here is that an passive attacker cannot see whats passing by on the line. As soon as your attacker gets active and changes the messages on their route, you're whole security falls apart. So my advice would be to just stick with the solution the experts have come up with (TLS in this case, not ssl since that is the old version of it) and just make sure you're server supports it.

edit:

Btw, SSL/TLS cannot work without certificates. The whole point in public key crypto is that there should be at least somewhere some trusted party.

On the other hand, if you don't care that you're users will get an "invalid certificate" message, you can just create you're own certificate which is really easy. In that case your certificate isn't trusted by the browsers, however, you can be sure that at least your communication is safe (okay, there are exceptions in this case, but still ...)

The argument that certificates should be for free is really from a perspective point of view. I think people who claim it is bogus/idiotic don't know what it takes to be a certification authority. These companies invest millions in order to keep the communication secure, and sure they make nice money out of selling certificates, but hey its their job and they also deserve to make money, just like any others.

edit2: after comments

I indeed say that you have a secure communication. However, you miss the point that with self signed certificates you dont know to whom you talk securely. Imagine a dark room which is completely isolated from eavesdropping a conversation. Now imagine the difference between such a room with and without light. If the room has light, you can actually see to whom you're talking securely and only choose to talk to people you like to trust. Now imagine doing the same in a completely dark room. You can only hope that the guy you talk to inside this dark room is just a ally and not your adversary. However, you cannot know that, just hope that its oke. And although your conversation itself is secure, nobody can listen in, you still dont have "full" security.

If I, being a crook, do a man-in-the-middle attack, I can create a self signed certificate without the user noticing. So the advantage of using tls with self signed certificates is that you have at least the implementation of the protocol corrent (and even implementing this is far from easy). Moreover you can avoid the ugly warnings by advising you're users to manually trust the certificate once. However, this is only possible if you have a relatively small group of returning visitors, for a public website this is not really a solution.

Henri  2009-10-06 22:09:16
You are very right when it concerns really sensitive stuff, like banking. I am, however, indeed only trying to stop the script kiddies here.
Bart van Heukelom  2009-10-06 23:00:19
Also, since you seem to actually propose self-signed certificates, why should there not be a system where this is possible without ugly warnings. After all, it is as you say: then "you can be sure that at least your communication is safe"
Bart van Heukelom  2009-10-06 23:02:24
Also (sorry for triple comment) +1 since while I happen to disagree, your post is well written.
Bart van Heukelom  2009-10-06 23:04:42
I welcome the fact that browsers are beginning to make a huge fuss over self-signed certificates. It means we might start to move away from those fuzzy days when users just saw an "Accept" button and clicked it, warnings be damned. At least if someone sees a big red page, panics and cancels the process, it's a security failsafe.
Rob  2009-10-07 21:01:42
I suppose you'd like to hear that I've since grown more experienced and now realise why encryption only would not be secure enough. We're now using real TLS for our login form. But, I still think certificateless encryption should be available and used by default (except where performance outweighs security) for all the hobbyist sites, even if it is weak, simply because it's better than nothing.
Bart van Heukelom  2010-09-22 08:46:57
Good to hear :)
Henri  2010-09-27 11:47:55
A: 

Livejournal does something similar to what you want where:

  1. Server generates a challenge string, inserts this into form. [1]
  2. Client generates response by MD5 hashing the password, then MD5 hashing the previous hash with the challenge prepended [2].
  3. Server gets response, checks challenge validity, then does same as step 2, comparing the result to the response.
Hasturkun  2009-10-07 00:40:28

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases