Re: Encryption Question

On 14 Mar, 20:07, "Bart Van der Donck" <b...@xxxxxxxxxx> wrote:
shimmyshack wrote:
On 14 Mar, 19:10, "Bart Van der Donck" <b...@xxxxxxxxxx> wrote:
Changing password:

- let the user type the current password and his new requested password; encrypt both
- do something like: getnewpass.asp?oldEncPW=gH4tGhKLNx&newEncPW=yHjke4c5Wu
- compare oldEncPW to the stored string; if it matches, then delete the old string and store the new one

Thus the man-in-the-middle would now know the password hash
being stored in the database.

Now he can request to log in, and send
sha1( password_hash_he_sniffed + salt );
now, despite not knowing the password, the attacker gets in
from that point onward.

Yes, HTTPS should be added. See my reply to myself some minutes ago.
For the rest, my model should be secure if one uses a one-way
encryption in javascript, both for the authentication and for the
password change.

Of course, once HTTPS is there, one could send the password in
plaintext as well, and let the server application encrypt it before
storing it (which would be the more traditional authentication
scheme).

--
Bart

I did see your reply, don't worry :)
I am not sure that one-way hashing is able to secure a password
change. Obviously, just because I cannot see your point doesn't mean you
are wrong, but if you can clarify how it is possible to send a hashed
password which the server doesn't already know, and store /that/ hash in
a way that cannot be replayed, I'd be interested. It would certainly
save some time for me, because I would not currently use such a scheme
to send a change ;)
matt
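The replay problem matt and shimmyshack describe, modelled as an added example (not code from either poster): a server that stores and compares exactly the hash the browser sends (the oldEncPW/newEncPW scheme) treats that hash as the credential, so whoever sees it on the wire or in the database can log in; the "more traditional" scheme Bart mentions, where the password travels inside HTTPS and the server salts and hashes it, makes the stored value useless as a login token. SHA-1 for the client-side hash, PBKDF2 with a 16-byte per-user salt for the server, and the in-memory "database" are all assumptions of this model.

```python
import hashlib
import hmac
import os


def client_side_hash(password: str) -> str:
    """The JavaScript one-way 'encryption' from the thread (SHA-1 assumed)."""
    return hashlib.sha1(password.encode()).hexdigest()


class HashOnlyServer:
    """Stores exactly what the client sends, as in the oldEncPW/newEncPW scheme."""
    def __init__(self):
        self.db = {}                       # constructed in-memory "database"

    def register(self, user, enc_pw):
        self.db[user] = enc_pw

    def login(self, user, enc_pw):
        return hmac.compare_digest(self.db.get(user, ""), enc_pw)

    def change_password(self, user, old_enc_pw, new_enc_pw):
        if not self.login(user, old_enc_pw):
            return False
        self.db[user] = new_enc_pw
        return True


class SaltedServer:
    """Password arrives in plaintext (inside HTTPS); server salts and hashes it."""
    def __init__(self):
        self.db = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)              # per-user random salt, stored beside the digest
        self.db[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        if user not in self.db:
            return False
        salt, digest = self.db[user]
        return hmac.compare_digest(digest, self._digest(password, salt))


def stored_hash_logs_in_hash_only() -> bool:
    """True: the sniffed/leaked hash is accepted as-is, so it is the password."""
    s = HashOnlyServer()
    s.register("alice", client_side_hash("correct horse"))
    sniffed = s.db["alice"]                # what a sniffer or a DB leak reveals
    return s.login("alice", sniffed)


def stored_hash_logs_in_salted() -> bool:
    """False: presenting the leaked digest as the password fails."""
    s = SaltedServer()
    s.register("alice", "correct horse")
    _, leaked_digest = s.db["alice"]
    return s.login("alice", leaked_digest.hex())
```

Neither model removes the need for HTTPS: with the salted server a sniffer still sees the plaintext password if the channel is unencrypted, which is why both posters land on TLS.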
