NYCPHP Meetup

NYPHP.org

[nycphp-talk] security, sessions, and encryption

Jeff Siegel jsiegel1 at optonline.net
Tue Mar 16 10:23:34 EST 2004


Re: No. 2. Correct! So if you've got a form for adding new site users, 
it would store their password in encrypted form.

Jeff

Aaron Fischer wrote:

> OK, so:
> 
> 1.  SSL protects the data from being sniffed out as it goes from the 
> form on the client machine to the server.  This seems to be the only 
> way, or at least the best way to prevent the data from being transmitted 
> in the clear?
> 2.  When you crypt their password to compare it to the one stored in the 
> database, and it's a one way encryption, that means that the password 
> stored in your database has been put in via crypt as well at some point, 
> correct?
> 
> -Aaron
> 
> On Mar 16, 2004, at 9:28 AM, Jeff Siegel wrote:
> 
>> For login purposes, I have people log in through SSL and have their 
>> passwords encrypted using "crypt." Crypt does a one-way encryption so 
>> you encrypt their password that they input on the form and compare it 
>> to what's stored in the database. (Basically no. 2 in your list.)
>>
>> If someone should somehow gain access to the database or some other 
>> catastrophe might occur, they'd see something like the following in 
>> your table's password field: LSoxL6eUJCUYg. (Of course, if someone 
>> gained access to your database...you've got bigger issues to handle.)
>>
>> Jeff Siegel
>>
>> Aaron Fischer wrote:
>>
>>> Hi all,
>>> I'm working up a little application that will require password 
>>> authentication to gain entry into the site.  The login page will 
>>> query the username/password information that is stored in a MySQL 
>>> table.  I plan on using sessions to enable the authorized user to 
>>> travel around the site and also to prevent an unauthorized user from 
>>> gaining access to the site.
>>> My main question revolves around encryption.  The sources that I 
>>> have been referencing advocate for encrypting the password during the 
>>> authentication process.  However, I've been frustrated by how briefly 
>>> this topic is passed over in my books.  The little application that I 
>>> am working on now only has fairly low level security needs and 
>>> encryption may be overkill, but I have another project coming down 
>>> the line where the security needs will be greater, so I might as well 
>>> get started learning this stuff now!  Like, one question I have is, 
>>> why encrypt?  What am I preventing from happening?
>>> In general I am interested in what methods of securing an application 
>>> folks recommend.  I'd like to read up about general theories on 
>>> protection and types of misuse/attacks as well as learn about 
>>> specific methods of protection.  I'd also be interested in hearing 
>>> references for good books that deal with security (shameless plugs 
>>> are welcome).
>>> The two methods I have seen recommended so far are:
>>> 1.  MySQL encryption via "password" function:
>>> A preexisting script I inherited uses this method where the form 
>>> submission is encrypted in the SQL query statement.
>>>     "select * from tablename where name = '$_POST[name]' and pass = 
>>> password('$_POST[password]')";
>>> So, the password is encrypted using MySQL's password encryption and 
>>> is compared to the encrypted version stored in the table.  However, 
>>> when I read the MySQL documentation, I came across these lines:
>>>     "Note: The PASSWORD() function is used by the authentication 
>>> system in MySQL Server, you should NOT use it in your own 
>>> applications. For that purpose, use MD5() or SHA1() instead. Also see 
>>> RFC-2195 for more information about handling passwords and 
>>> authentication securely in your application."
>>> So, it seems that this method is a no-no.
>>> 2.  Encrypt using php, which can use the available encryption methods 
>>> which are available on the server operating system.  In the book that 
>>> recommends using crypt() my issue is that it doesn't explain how it 
>>> is working or what's going on behind the scenes and I haven't been 
>>> able to find good documentation online that will help me either.  The 
>>> crypt() code line in the book is:
>>>     "if ( crypt($password, $result['password']) == $result['password'] ) 
>>> {  // start session
>>> I'd appreciate any feedback on the aforementioned methods, as well 
>>> as book or online resource references.
>>> Cheers,
>>> -Aaron
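The register-then-verify flow the thread discusses, as an added example that is not code from the thread or from the book Aaron cites. The function names make_password_hash and verify_password, the sample passwords and the "LS" salt are assumptions made here; it assumes PHP 7 or later for random_bytes(), and it also shows the first-8-characters caveat of the 13-character DES format in Jeff's LSoxL6eUJCUYg example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0 (random_bytes, hash_equals).

// Registration: hash the new user's password with crypt() and a fresh random
// salt. A "$2y$" salt prefix selects bcrypt; the 22 salt characters must come
// from [./A-Za-z0-9], which base64 plus the '+' -> '.' substitution guarantees.
function make_password_hash(string $password): string
{
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);
}

// Login: crypt() reads the algorithm and salt back out of the stored hash, so
// re-hashing the submitted password with the stored value as the "salt"
// reproduces the stored hash only when the password matches. This is the
// book's  crypt($password, $stored) == $stored  check, done in constant time.
// The stored hash should be read from the table with a parameterised query,
// not by interpolating $_POST into the SQL string as in the inherited script.
function verify_password(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

// Constructed sample: what the table's password column holds after registration.
$stored = make_password_hash('correct horse');
printf("bcrypt hash stored: %s\n", $stored);
printf("right password accepted: %s\n", verify_password('correct horse', $stored) ? 'yes' : 'no');
printf("wrong password rejected: %s\n", verify_password('wrong horse', $stored) ? 'yes' : 'no');

// Caveat on the 13-character format Jeff shows (LSoxL6eUJCUYg): a two-character
// salt selects traditional DES crypt, which uses only the first 8 characters of
// the password, so "password1" and "password123" verify against the same hash.
$desHash = crypt('password1', 'LS');
printf("DES hash: %s (%d chars)\n", $desHash, strlen($desHash));
printf("'password123' accepted by the DES hash: %s\n", verify_password('password123', $desHash) ? 'yes' : 'no');
```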