Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Colin McKinnon
March 11, 2005, 4:18 pm
rate this thread
I've reached the limits of my knowledge and was wondering if anyone out
there is better informed.
I'm trying to setup a system of secure encryption for exchanges between
browser and server WITHOUT using SSL. I have hashing (MD5) at both ends and
symmetric encryption (TEA). If anybody knows a SECURE asymmetric encryption
I have a reasonably secure logon system - server sends challenge and stores
MD5(challenge+password). Browser sends back MD5(challenge+password).
It occurred that if I could store the password at the browser end, I could
use it as the encryption key for future exchanges. But where to store it?
I could put it in a cookie, but that gets sent in the clear with each
If I put it in a secure cookie or a cookie with an obfusticated path it
wouldn't get sent back, but the browser can't read it either!
normally sent back to the server? (if so I can use this to encrypt the
password before storing it in the cookie)?
(I realise that an XSS vulnerability would expose the password, but I'm not
looking to do serious stuff like credit card details).
Re: Slightly OT: encryption
[Followup-to: comp.lang.php, comp.os.linux.security]
Colin McKinnon wrote:
I guess, two solutions:
another (static) frame; and then reuse that.
2. Use application like interface with XMLHttpRequest and div based
rendering container--so that the page won't get refreshed (so that you
rendering container. Last time when I checked Gmail, it used similar
In the world of 1's and 0's, there is no bulletproof solution. Also,
you may not be in a position to convince the end users about your two
way encryption solution when you're doing in http. (FWIW, IIRC, it is
quite illegal to get credit card details even over SSL on your site.)
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com /