Comments on: Leveraging Zend_Auth for building your authentication

By: Kirsten

Kirsten — Thu, 23 Jul 2009 13:17:45 +0000

Hi Tom,

I found your details on linkedin.
I work as recruiter for Harvey nash and I’m looking for the moment a PHP developer with experience in the Zend framework.
The position in Brussels.
Are you intrested or do you know someone who can be intrested? Or is someone reading this that can be intrested

Best regards,
Met vriendelijke groetjes,
Bien à vous,

Kirsten
Kirsten.steurs@harveynash.com
02/463.34.29

By: Mike

Mike — Sat, 23 May 2009 20:31:43 +0000

Hi, nice posts there thank’s for the interesting information

By: Tom

Tom — Fri, 22 May 2009 12:46:02 +0000

Hi Lasse,

I totally forgot about your comment.

You are right when saying that with CHAP you achieve safe transportation of the password.
The design of the database and the encryption I used isn’t relevant to CHAP. I don’t see any security problem with using AES for 2-way encrypting the password in the database. Sure, if you have the key, you can decrypt it. If someone finds the key to your house, he can also easily open the door. It’s up to you to safely store the key.

I have stored that key in an XML file. Now I just have to make sure that the XML file is safe. A lot can be achieved via the .htaccess file and setting permissions of the directory correct.

When using CHAP, you could substitute the MD5 hashes for SHA256 hashes. These are indeed more secure. It’s up to you to decide what kind of hashing function you wish to use. I just gave you the idea of how things can be done

By: Lasse

Lasse — Fri, 22 May 2009 12:12:32 +0000

By: Lasse

Lasse — Sun, 17 May 2009 16:59:20 +0000

Yes, isn’t SHA512/256 considered the most secure hashing algorithm these days?

So to conclude; by using CHAP we achieve safe transportation of the password over an unencrypted http connection, but we also sacrifice safe storage of the password in the database? Or at least it is less safe than using hashing and a random salt for each password/user.

Agree?

By: Tom

Tom — Sun, 17 May 2009 08:24:11 +0000

Hi Lasse,

We could use hashing to obfuscate the passwords. But then if you want to authenticate a user via CHAP, the client would need to know the original salt in order to create the same hash from the password as the hash that is in the database.
It is fairly simple to decompile a flex project, and get the salt. That would make it easier for a hacker, because then he would only have to hack the database, and use the salt to + dictionary attack to figure out passwords.

If you decrypt it, the hacker can’t decompile the flex application. He will have to hack both the database server and webserver, making it more complex. But once he managed that, it would again be very easy for him to decipher the passwords, like you said.

On top of that, I just wanted to mention that the most used hashing algorithms (MD5 & SHA-1) were proven to be vulnerable. This doesn’t mean you can’t use it any more. But it’s probably a good idea to not use those any more for salting passwords.

By: Lasse

Lasse — Sat, 16 May 2009 13:00:51 +0000

Once again another great blog post, however I am curious to know why you chose to encrypt instead of hashing the password? – Why would you need to know the password to authenticate a flex user? Couldn’t you just use CHAP as explained in one of your previous posts? As I see it, the biggest problem using a hashing algorithm, is that when you don’t know the exact password coming from the user, you can’t salt the password and then hash. So if an attacker where to gain access to the users database, then a simple dictionary attack would get him the password.

But then again, if he does gain access to the database then he might also be able to get the encryption/decryption key, thus making it even easier to retrieve the password.

What are your thoughts?

By: Ordinary Jack » Blog Archive » Poly1305-AES

Ordinary Jack » Blog Archive » Poly1305-AES — Thu, 07 May 2009 22:37:44 +0000

[...] Tom's Blog » Leveraging Zend_Auth for building your authentication [...]