miklesw Posted September 16, 2007

I am trying to secure a password in transit (POST) and in the database using encryption. When posting I am using something similar to this: http://marakana.com/blog/examples/php-implementing-secure-login-with-php-javascript-and-sessions-without-ssl.html

I have 2 problems.

1. How am I going to get the unencrypted password when a user is registering, to store in the DB?
2. How am I going to get the unencrypted password to use with crypt so I can compare it with the crypted password in the database, like this: crypt($pass_entered_from_login, $crypted_pass) == $crypted_pass

Please help.

rarebit Posted September 16, 2007

So, basically the server sends a special word, the client then concatenates this word to the password, hashes it and sends it back. Once back, the server does the same and compares. Therefore you only need to use the md5 function, that is if paj's JS version conforms (not tried)...

However, if an eavesdropper can see one way, they can probably see both ways, which makes it redundant. However, yes, it's a nice idea, yet encryption would be better than a hash. Crypt, even though it says it encrypts, actually only does a one-way hash, without any decryption method...

miklesw Posted September 16, 2007

So if I understood correctly, the PHP md5() function can decrypt the combination of the challenge and password?

Is it possible to set up some form of free SSL?

rarebit Posted September 16, 2007

Q1. No. A one-way hash cannot be decrypted!

Q2. Yes, you can generate your own certificates for free, but since they're not from a recognised CA, users will be challenged to accept them. It's not hard to set up Apache to handle https, whether it uses SSL or TLS.

miklesw Posted September 16, 2007

One other thing: is https always on? Say I have a folder, will any page in that folder use https, or can I use it on demand?

My problem is that I use a setup similar to this forum: a main page index.php, with sections included depending on session and GET. This includes the login and reg pages. I want to use https only when posting login and registration details to index.php.

Don't know if this makes sense.

rarebit Posted September 16, 2007

It should be set up so that if the address is 'https...' then it uses it, else it doesn't. Therefore if it's a reg/login page and not https, then redirect, and vice versa...

miklesw Posted September 17, 2007

I managed to set up SSL. However, I was wondering: since yahoo.co.uk and this forum both use the JS md5 hash method, does that mean that they don't encrypt the password in their DB? If they send the password as an md5 hash with a random challenge, you can't compare the results of crypt using the md5 hash, right?

I was also wondering about the 2-way eavesdropping issue. In theory, since it's a hash and it can't be decrypted, 2-way eavesdropping shouldn't be an issue?

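Added example, not part of any post in this thread: the two schemes discussed above side by side in PHP, showing that a server holding only the crypt() hash can check a password received over HTTPS but cannot recompute md5(challenge . password). The function names and the sample password are constructed for illustration; password_hash() is used here only to produce a salted, crypt()-compatible hash.

```php
<?php
// Added example. Helper names and sample values are hypothetical.

// Registration over HTTPS: the server receives the plain password once
// and stores only a salted one-way hash in crypt() format.
function register_user(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT);
}

// Login over HTTPS: the comparison from the first post, done in
// constant time. The stored hash doubles as the salt argument.
function verify_crypt_login(string $entered, string $stored): bool {
    return hash_equals($stored, crypt($entered, $stored));
}

// Challenge-response as described in the thread: the client sends
// md5(challenge . password) instead of the password itself.
function client_response(string $challenge, string $password): string {
    return md5($challenge . $password);
}

// The server has to recompute the same value, so whatever it keeps
// as $serverSecret must be exactly what the client hashed.
function verify_challenge_response(string $challenge, string $response, string $serverSecret): bool {
    return hash_equals(md5($challenge . $serverSecret), $response);
}

$password  = 'correct horse battery';      // constructed sample
$stored    = register_user($password);     // what the DB would hold
$challenge = bin2hex(random_bytes(16));    // fresh per login attempt
$response  = client_response($challenge, $password);

// Scheme 1: password sent over HTTPS, checked against the crypt() hash.
var_dump(verify_crypt_login($password, $stored));
var_dump(verify_crypt_login('wrong guess', $stored));

// Scheme 2 with only the crypt() hash on the server: the response
// cannot be reproduced, so a correct login is rejected.
var_dump(verify_challenge_response($challenge, $response, $stored));

// Scheme 2 only verifies when the server keeps the password itself,
// which gives up the one-way storage that crypt() provides.
var_dump(verify_challenge_response($challenge, $response, $password));
```

The two schemes need different things stored server-side, which is why the HTTPS route set up in the thread pairs naturally with crypt()-style storage.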