userAtuh – frontend to backend encryption

How many times did you check a web application of yours with a security auditing tool?
I can tell you that I did it a couple of times. And as usual it always hit me with the same warning: ‘the login information is sent in plain text to …php’, or something of the sort.


And ignoring this warning is half as bad as having an SQL injection vulnerability. Even if home users are no longer part of a shared network, which makes sniffing there highly improbable, companies have LANs on which a sniffing attack is possible (if the sysadmin didn’t do his job), throwing away all your security implementations, password enforcements…

SSL is the solution for this case but isn’t necessarily needed. This is where userAtuh comes in. Yes, it’s a typo, but who cares what it’s called as long as it does a great job?

UserAtuh is a PHP/JS library for server-side/client-side password encryption, meant to mask the password sent by login forms. You can download it from its project page on SourceForge.


How does it work? Actually it’s quite straightforward, but I can best show how it works by pointing out the key portions of code.

It all starts with the login form, whose onsubmit event is assigned to the setEncryption() function, which hashes the password, joins it with the username and the key, and double-hashes the result, storing it in a hidden input field.

Upon form submission the only two values that are read are the username and the result of the setEncryption() function; the rest is ignored. I forgot to mention that the setEncryption() function also replaces the password in the input field with a substring of its result.

The authentication is done by the function of the same name from the KeyHandler object:

public function authenticate($name,$encodedPass,$sha1=true){
    //get the last key that was generated for this
    //session
    $ip = getenv('REMOTE_ADDR');
    $key  = $this->_dba->getKeyFromDB($ip);

    //check if a user exists with this name
    if ($this->_dba->userExists($name)==false) return false;

    //retrieve the password for the user
    $pass = $this->_dba->getPass($name);

    //make sure password is hashed
    if (!$sha1) $pass = sha1($pass);

    //create a hashed string from the data collected
    $encoded = sha1(sha1($pass.$name.$key));

    //generate a new key, so the last key won't be usable
    $this->generateKey();

    //check the hashed string with the key sent by the
    //client side (strict comparison: == would treat two
    //hex digests that happen to look like numbers as equal)
    return ($encodedPass===$encoded);
}

Simple, easy, useful. Its implementation takes a couple of minutes at most. Quick and painless, just as I like ‘em.


