Web/php Security

Welcome to Crypto. We hope you enjoy your visit.

You're currently viewing our forum as a guest. This means you are limited to certain areas of the board and there are some features you can't use. If you join our community, you'll be able to access member-only sections, and use many member-only features such as customizing your profile, sending personal messages, and voting in polls. Registration is simple, fast, and completely free.

Join our community!

If you're already a member please log in to your account to access all of our features:

Pages:
1
2

Web/php Security
Topic Started: Oct 25 2005, 05:02 PM (593 Views)
insecure	Oct 26 2005, 04:51 PM Post #16
Elite member Posts: 381 Group: Trusted Member Member #10 Joined: September 9, 2005	Ah, thank you. So I use h t t p s : / / w w w . f o o . o r g / b a r / b a z . p h p to get Al Ice to log on, and then as long as I don't send her to h t t p I'm fine. That's good. Shame 'bout the crumbs, but I grok the point. By the way, if you say w as the first sound in, say, 'walk', then I can claim that I have used very small words as Don (!) asked us to. In fact, each word has just one syllable. Oh rats.



Donald	Oct 26 2005, 04:55 PM Post #17
Elite member Posts: 454 Group: Trusted Member Member #8 Joined: September 2, 2005	"Insecure" each word has just one syllable. Oh rats.



cows	Nov 8 2005, 04:15 PM Post #18
Advanced Member Posts: 91 Group: New Members Member #20 Joined: October 10, 2005	"donald So Alice sends her number to Bob. Eve intercepts, and replaces it with her own number, and sends it on to Bob. Bob sends back his reply, not realizing that he's actually establishing a secure chanel with EVE, not Alice. Eve keeps the key she's developed with Bob, and sends back a reply to Alice, based on the number Alice sent earlier, and now Eve has established different secure channels with both Alice and Bob. Anything Alice sends, Eve intercepts, reads it with her Alice key, and then re-encrypts it with the BOB key and sends it on. When Bob sends replies, Eve decrypts with the Bob key, reads it, then re-encrypts with the Alice key and sends it on. O.K. now correct me if I am wrong but is this not what PGP (Pretty Good Privacy) compensates for. First of all - Alice makes the message. Then she takes her PRIVATE key and encrypts the message with it. Then she finds Bob's PUBLIC key and encrypts the resulting text with that. Then she sends it to Bob. Bob uses his PRIVATE key to decrypt the message, and then finds Alice's PUBLIC key to decrypt the resulting message. Leaving Bob with the resulting text. This adds no extra security, as if Eve did manage to somehow work out Bob's private key, all Eve would need to do is find Alice's Public key and she would have the actual message. What it does do though - is prove that the original sender was Alice. As the message was first encrypted by Alice with her Private key and, as nobody SHOULD know her Private key, then it proves that Alice sent the message and that Eve has not written it, pretending to be Alice. This system was built to protect banks and the like as people could have sent emails to banks asking the managers to transfer all of their money to a secret account in the bahamas, but with the sender encrypting it with their Private key, it gives the email a signature that proves it to be sent by the actual account holder, Not Eve thinking that she would be clever and steal Alice's money. Also in comment to the MD5 encrypt/ decrypt thing that was going on earlier in this topic - a programme (i'll let you judge if it's good or not) is available here. The programme is called Cain and Abel (like the biblical story, but not quite). It has a hash section where you can encrypt/ decrypt MD5/4/3/2/1 and many other types of hash. If any of you have kids that are computer smart - I would password it, as it is also available as a hacking tool and if you go onto a certain section of it - it will find all the passwords to things such as your internet connection, and account passwords (i think) and will show you them. I also think that it looks for the passwords that are saved onto the computer (such as email, ebay, amazon, whatever else you might use) and show you them too. I am not advertising this as a hacking tool but if you wish your passwords to remain safe - keep it hidden. Maybe like in a folder, hidden deep in your system 32 files called coookies - so that it looks real and prevents MOST kids from looking around in it. He he - not me
	Everything is possible, The impossible just takes longer If we do not know what a particle is doing then it is allowed t do everything possible simultaneously. "Anyone who can contemplate Quantum Mechanics without getting dizzy, didn't understand it."


fermineutron	Oct 29 2006, 04:26 AM Post #19
Just registered Posts: 2 Group: New Members Member #99 Joined: October 29, 2006	How abot this: User signs up at the site, providing user name and password, which are sent to server encrypted with some simple encryption during the sign up. Server generates a random prime number X plus it generates a prime number from username+password combo, Y. Both are stored on the server. when the user tries to login the server sends to the user the product of 2 primes, XY, when the user enteres the username and password, a java script generates from those the same prime number Y as was generated by the server, divides the number that server sent to the user by the server to get X, which is the encryption key. then javascrypt encrypts password using X and sends to the server, where server decrypts it also using X. Assuming adversary was not present during the signup process, all that he can intercept is XY and as we all know, factoring product of large primes is hard. Its basically the same idea is behind PGPs assimetric keys, just the keys do not need to be stored on users pc. I just realized that for the server to know which X*Y to sent it will have to know the user name, so authentication would have to be done in 2 steps, the 1st being the username being sent to the server in unencrypted form. Probably this can be automated with some clever java script.



insecure	Oct 30 2006, 07:33 AM Post #20
Elite member Posts: 381 Group: Trusted Member Member #10 Joined: September 9, 2005	fermineutron Oct 29 2006, 04:26 AM I just realized that for the server to know which X*Y to sent it will have to know the user name, so authentication would have to be done in 2 steps, the 1st being the username being sent to the server in unencrypted form. Probably this can be automated with some clever java script. If you authenticate the userid separately, you can clue the attacker in to the successful use of a userid, at which point he can focus his efforts entirely on the password. If you wait until you have both the userid and the password before authenticating either, you make the attacker's job much more difficult.



oblivion	Oct 30 2006, 11:14 PM Post #21
Oblivious Posts: 43 Group: Members Member #55 Joined: June 21, 2006	And remember to avoid giving useful information away to the hacker. Like "Wrong password" or "Username does not exist". "Access denied" is a sufficient error message for all versions of a faulty login.
	The following statement is true. The previous statment is false.


insecure	Jan 11 2007, 12:50 PM Post #22
Elite member Posts: 381 Group: Trusted Member Member #10 Joined: September 9, 2005	If you're going to display the message "Access Denied", it should be in capital letters, red, about two inches high, and the rest of the screen should be entirely black. The message should flash on and off, and there should be a klaxon-type sound effect. For additional marks, link it to the vertical-sliding-door closing mechanism, so that the 24" plated steel door starts to close after the third failed access attempt. Note that the door should close slowly enough that a true hero can not notice it until it's half-closed, and yet have time to dive under it, stop, come back to retrieve his hat, and still manage to get out unscathed.



1 user reading this topic (1 Guest and 0 Anonymous)


« Previous Topic · General · Next Topic »

Pages:
1
2