Re: Encryption Question



Bart Van der Donck wrote:
> <snip>
> One-way encryption from client on beforehand is secure
> to change the password on one condition, which is that
> the user must know the previous (encrypted) password.
>
> E.g. if one posts the following to newpass.php:
> oldEncPW=gH4tGhKLNx
> newEncPW=yHjke4c5Wu
>
> Then compare the old (stored) string to the sent
> 'gH4tGhKLNx'. If it matches, replace it by 'yHjke4c5Wu'.
> No encryption needed at server side, and safe if it goes
> over HTTPS.
>
> (One common alternative that comes to mind is to use a
> cookie where the old password is stored, so the user doesn't
> need to retype it when he requests to change it.)

Isn't the problem with sending the password in plain text over HTTP that someone may intercept the traffic and so acquire the password for later use in gaining access that they are not entitled to?

However, if a 'hash' of the password is sent in plain text over HTTP, and all the server knows is the 'hash' of the password, has the situation really changed? What is to stop someone who knows the 'hash' of the password inserting it into the appropriate location in an HTTP request (by any of numerous means, including the executing of alien javascript on the logon page)? Wouldn't the server recognise the intercepted 'hash' as easily as it may have recognised the original password?

The advantage of HTTPS is that someone intercepting the HTTP traffic is not going to find it easy to make any sense of what they observe.

Richard.
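As an added illustration, not code from either poster, here is a Python model of the newpass.php check Bart describes and of the point Richard raises: the server only compares strings, so it accepts the transmitted hash from whoever presents it. SHA-256 and the user name are assumptions; the thread does not say which hash the client uses.

```python
import hashlib
import hmac

# Added example, not from the thread: a model of the newpass.php scheme Bart
# describes. The client sends one-way hashes of the old and new password and
# the server only compares strings. SHA-256 and the user name are assumptions;
# the thread does not say which hash is used.


def client_encrypt(password: str) -> str:
    """The 'one-way encryption from client on beforehand': hash, never plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def change_password(store: dict, user: str, old_enc: str, new_enc: str) -> bool:
    """Server side of newpass.php: compare the stored string with oldEncPW and,
    on a match, replace it with newEncPW. The constant-time compare avoids
    leaking how many leading characters matched; it does nothing about replay."""
    stored = store.get(user)
    if stored is None or not hmac.compare_digest(stored, old_enc):
        return False
    store[user] = new_enc
    return True


def passes_with_observed_string(store: dict, user: str, observed: str) -> bool:
    """Richard's point: the server cannot tell whether oldEncPW came from the
    client that hashed the password or from anyone who read that string off
    plain HTTP. Tried on a copy so the caller's store is left unchanged."""
    trial = dict(store)
    return change_password(trial, user, observed, "hash-chosen-by-whoever-holds-it")


def demo() -> dict:
    """Constructed scenario: one user changes a password over plain HTTP."""
    store = {"alice": client_encrypt("correct horse")}
    wire = {"oldEncPW": client_encrypt("correct horse"),   # both values are
            "newEncPW": client_encrypt("battery staple")}  # readable in transit
    results = {
        # What client-side hashing does buy: the plaintext never reaches the server.
        "server_holds_plaintext": store["alice"] == "correct horse",
        # What it does not buy: the observed string satisfies the same check.
        "observed_old_hash_accepted": passes_with_observed_string(store, "alice", wire["oldEncPW"]),
        "legit_change_accepted": change_password(store, "alice", wire["oldEncPW"], wire["newEncPW"]),
    }
    # After the real change, the observed newEncPW is the live credential.
    results["observed_new_hash_accepted"] = passes_with_observed_string(store, "alice", wire["newEncPW"])
    return results
```

Only the transport (HTTPS, as both posters conclude) keeps the observed string out of reach; hashing on the client changes what the server stores, not who can pass its check.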
