Now I am getting password user typed as string in model, I want to encrypt the password before on submit and set in model then I need to decrypt the encrypted password in server side?
You can use https://github.com/brix/crypto-js to encrypt your password on the client side and then use the same crypto algorithms at the server side with Java to decrypt it.
But I don't see why you need to do this yourself. Just use HTTPS and there is no need of such manual work.
Related
When connecting to GitHub using HTTPS they will obviously want to verify me by asking for my password. I enter my password, it checks out, and then they allow me to write to my repo.
With SSH keys setup, I create a public_key and a private_key pair. The way I understand it, the public_key I use to encrypt and the private_key I used to decrypt.
I then keep the private_key on my machine and share it with no one. I then go to GitHub and paste in my public_key.
How do they then authorize me? Do they use my public_key to encrypt a message and then wait for me to send back the decrypted messsage? If they get back the message decrypted properly, then they know its me?
Do they use my public_key to encrypt a message and then wait for me to send back the decrypted message?
Rather the other way around. You (your local SSH client) encrypt something using your private key. And if they are able to decrypt it using the public key you gave them, it must be you.
Obviously this is a very simplified explanation.
For details, see
How does asymmetric encryption work?
How does ssh public key authentication work?
I am developing an app which uses several API services, the API requires that I provide username and password for API transactions, unfortunately no API token :-( in-order to automate I need to store username passwords somewhere, preferably database, I cannot use hashing because I need to send the username/password to authenticate and process API request, hence I am wondering how to go about it.
If I use Zend\Crypt to encrypt and store the password in database and decrypt whenever required, would this be enough for security? is there something else I must consider?
Looking for pointers.
PS: I am using ZendFramework2 with Doctrine/MySQL for the app.
Usually you would use a token mechanism (like OAuth). If that's not possible, one would use TLS/SSL client authentication.
However, if you rely on plain passwords (on the application-level, I still guess the username/password tupel is transmitted over a secure connection!) and you want to store them encrypted, you have to think of a meaningful mechanism to get an encryption key for your scenario. Just generating an encryption key and storing it on the same machine in plain does not provide more security.
Without more information on your scenario it is hard to make a suitable suggestion.
I was going through the protocols that are used in email applications (specifically POP and APOP) and I happened to come across this answer somewhere. It says
Short for Authenticated Post Office Protocol, it is similar to the POP protocol except that APOP enables your password to be encrypted while being transmitted over the network. Using POP mail, when you authenticate your username and password in your e-mail client, your password is sent over the network in plain text. If your e-mail client uses APOP, then the password is encrypted while being transmitted. APOP prevents hackers from seeing your password information with sniffer programs.
My question is :Is that the major difference between APOP and POP? Is the password not encrypted when POP protocol is used? If not, will it not cause security concerns?
APOP is just new a command added to the standard POP3, which does not transfer the password in plain (e.g. with USER and PASS commands) but digest based. Later better authorization was added with the AUTH command, similar to how it is done with SMTP and IMAP. All these ways to not use encrypted passwords, but at most hashed passwords which often required the POP3 server to know the cleartext password to verify the send password.
Better is to use POP3 with TLS, e.g. either starting with a TLS connection (POP3s) or upgrading an existing connection with the STARTTLS command before doing the authentication.
The standard practice is to use HTTPs(ssl) when connecting to an email server. This will secure the POP protocol.
This a pretty basic question. Let's say I have this iPhone/iPad app that, at some point, gives the user the option to login. The username/pw are stored on the server's database.
What is the best way to communicate with the server to check if the username/pw are correct. How can I safely send & receive these requests via HTTP (without sending the plain pw)? What encryption/decryption should I use (both in-app and serverside)?
Just use SSL (i.e. https). Whatever you do, don't roll your own crypto!
if you dont want to send the password plain text,
you should use md5 hash (there is built in function in iphone)
encrypt the password with md5 function and send it to the server.
if the server DB has the password in plain text, he can also make md5 hash
and compare it with the one he received from the client.
you can also use this method to encrypt you're username.
Consider the following interaction:
A user stores their username and password on a web server. For the sake of security, the server records a hash of the password plus some unique salt.
While the user is using a client application, it makes a request to the server submitting their username and a hash of the password plus some other unique salt.
So you have the following information on the server and need to know whether or not the request is authentic:
The server's salt
The server's hashed password
The client's salt
The client's hashed password
Again ... client sends: clientSalt + MD5(clientSalt + password). Server has serverSalt + MD5(serverSalt + password). I don't want to know the password, I just want to know if the hashes were calculated from the same password.
Without knowing the password that was hashed, is there any way to verify that both hashes are of the same password?
My goal is to allow some form of secure authentication in a client-server environment without ever exchanging the actual password over the wire. This is just one idea I've had, but I don't even know if it's possible.
That would require unhashing the password, which is not possible. If the server receives: salt, md5sum, it can't see what went into the md5sum.
A challenge-response protocol would work instead. The server should generate a random value nonce and send it to the client. The client calculates md5(md5(password) | nonce)) and returns it to the server. The server verifies by checking md5(storedpassword | nonce).
No, you can't do this.
Once you add a salt into the mix it becomes practically impossible to compare hashes. (To do so would require "un-hashing" those hashes somehow before comparing the "un-hashed" data.)
Challenge-response authentication is probably the way to go, possibly using Kerberos, depending on your tradeoffs. One of the tradeoffs being the possibility for attackers controlling the clients to use compromised hashes to authenticate themselves.
Don't invent your own cryptographic protocols. Use one that is well-known and well tested. If possible, use an existing (vetted) implementation.
My goal is to allow some form of secure authentication in a client-server environment without ever exchanging the actual password over the wire. This is just one idea I've had, but I don't even know if it's possible.
For this, I advise looking into Kerberos: Official Site and Wikipedia
It's impossible. If you don't store password on the server, user must provide it.
OR
If you store password on the server, user can provide hash calculated using requested salt.
You will not be able to verify the hash with this setup.
If you don't want someone to see the password go over the wire, SSL is the easier way.
If you don't want to use SSL, you could check out SRP.
Additionnally: don't use MD5+Salt to store your password, use key strengthening functions like bcrypt or scrypt.