I have a backboneJS application that communicate with a Restfull API write with Symfony2.
To authenticate the user, an HTTP header (WSSE) is sent to all queries.
The header looks like this:
X-WSSE:UsernameToken Username="foo#goo.com", PasswordDigest="clrGx4hSEyC3zdndd04/51yuee7Q=", Nonce="VURQQWQ0RTBMSGo4enBCN05GSjNuTGhsSjF3PQ==", Created="2014-05-09T15:11:06+02:00"
For generate the passwordDigest, I need to have the user password encrypted. For testing, I have put this password encrypted directly in my frontEnd.
So, for create a générique method and not sent the password encrypted on the network, I need to generate the same password encrypted in my front End.
The User try to connect:
User write is email
Application try to get the salt for this email
User write is password
Application created the same encrypted password that this base
Anyone know how to encrypt the password on the client side (in javascript), with the password (enter by the user) and the salt?
Thank's !
There are various libraries available for encryption on the client side. Forge is a library which implements a few message digest functions in JS, including SHA-1 which is what you seem to be using currently.
Related
I am using Instagram API by mgp25.
Here, you can gain access to the IG api via "logging in": the API (in php) requires a password and account id to be in plain text format when gaining the access.
Here is the setup that I have:
I have a site where there are users and the site has IG API integration. These users can input their Instagram User/Password (not the user info to log into the site) to gain access to the API.
However, these API only accepts plain text for password (since the password will then be verified within the IG server).
Problem:
The problem that I am having is the password security. Obviously I can't store the IG password as plain text, but if I hash them, it can't be used to login to the API either (as it is one-way only).
Methods:
I can only think of encrypting the password (not hashed) and decrypt them when needed. However, I can see a few issues with that approach as well.
I wanted to ask you guys what you guys think of the best way to address this issue.
(note. The official IG API has some limitation and are only allowing official business partners to have more functions which I need them. So the API by mgp25 is the only viable option at the moment).
You could require the password only once. The private API will save the cookies / session forever and you do not need to do a login again.
So this way you don't have to store passwords and, if for some reason the user is logged out, then you ask for password again. Does it make sense?
I'm integrating FOSOAuthServerBundle to handle login from an angular front-end.
I have made a client with grant-type password. So my request looks like:
/oauth/v2/token?client_id=[CLIENTID]&client_secret=[CLIENTSECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]
I think it's pretty safe because the client only has grant-type password. The only part that isn't safe, are the user credentials (username and password). They are sent plain to the backend and I want them encrypted.
How can i handle the hashed credentials in the FOSOAuthServerBundle?
I am developing an admin panel for the company I'm working at, and was wondering about something. I want to increase the experience for the employee. I want them to be able to connect to their email by entering the login credentials, and then read the emails inside the admin panel. What I need help with is this:
If I establish an imap_open connection, I need the password in plain text (as far as I know). I can't safely save the password in the database knowing that it would be a catastrophe if a hacker got their hands on the data.
Basically, I want to:
Create an imap_open connection with an ENCRYPTED password. Preferably as bcrypt.
Do any of you know how to do this? I've searched on google, and even seen some other questions on stackoverflow, but I can't seem to find an answer to the question. I would NEVER save the password as plain text. And just using a COOKIE or SESSION seems cumbersome.. for the admin to login to their email all the time, when all I want is for the email to load for the appropriate admin account when logged in.
If I'm understanding correctly, you want to:
store the user's password securely on their machine
use it to connect to the mail server
download email
Storing the user's password in plaintext is clearly a no-no. There are different ways you can handle this. The application could actually request the password from the user, which is an easy but not very convenient solution.
Usually passwords are stored using one-way hashing schemes such as SHA256 or bcrypt, but that means that you can only check whether a password matches them; you can't retrieve the password and send it elsewhere. So you have to turn to symmetric key encryption. You store the encrypted password somewhere (in a database), and when you need it you retrieve it, decrypt it, and send it over your IMAP connection. The problem with encryption is that it relies on a key, which may be compromised at some point, but hashing is not an option if you need to retrieve it.
The other thing to note is the risk in sending the password in cleartext. This is very much taken care of if your server uses SSL.
Yes, of course AUTHENTICATE PLAIN encodes a password. But servers which support admin access allow you to encode the admin's password along with the user's name so you can access the user's account.
$login_str = sprintf("%s\x00%s\x00%s", $user_name,$admin_name,$admin_pwd);
$login_str = encode_base64("$login_str", "");
When you use the encoded string in an AUTHENTICATE PLAIN login you are given access to the user's account. And you don't need the user's password.
If you do this with AUTH PLAIN...
sprintf("%s\x00%s\x00%s", $user_name,$user_name,$user_pwd);
Then you get access to the user's account. But supplying admin credentials seems to do what the OP wants to do without storing passwords.
If your IMAP server supports admin login via AUTHENTICATE PLAIN then you don't need the user's password to access his mailbox.
Many IMAP servers support this, for example Dovecot, CommuniGate, Zimbra, to name three off the top of my head.
I'm hoping for feedback on an authentication system I have designed.
The requirements are to create a closed, single sign on web environment, where by once one of our employees visit one of our web applications, they are asked to sign in with their credentials backed by our LDAP. Once signed in, they retain this login for a set time period, or the browser session, and across all our web applications. Much how Google's web properties work with a google account, but for our internal systems.
The users themselves operate from windows, mac or linux, and some from just tablets, so this authentication environment needs to exist solely online, kerberos with mod_auth_kerb etc aren't going to cut it.
All our current web applications use PHP.
The system I have so far works like below.
There exists one central authentication system, which I will call the Authentication Handler, or "handler" for short, and one or more authentication "client" web apps, which I will call Authentication Requestor, or "requestor" for short. I will call the user and their browser just "user".
Also, for it to work, the requestor needs to be preconfigured at the handler with a unique requestor_id and return URL for that ID.
A private key for handler is generated and a public key given to all requestors before hand too.
user visits requestor
user enters URL for requestor.
no session exists for this user on requestor, so requestor creates a new SESSION_ID in PHP (with the built in session handler and session_start).
the session has no authentication, so requestor will then generate a URL to the configured handler consisting of two parts, an authrequest token and an envelope.
requestor first regenerate a new session_id (session_regenerate_id in PHP) for this auth request for the client.
requestor then generates a random password, in this case using PHP's openssl_random_pseudo_bytes and stores this in the session data
requestor then encrypts the SESSION_ID using AES256 with the random password for the authrequest in PHP using openssl_encrypt.
requestor then generates envelope data by concatenating it's unique requestor_id, a ':', and the base64-encoded random password.
requestor's envelope data is then encrypted using the pre-shared public key for the handler using openssl_public_encrypt in PHP.
requestor then sends a location: header to user that contains the encrypted envelope and the authrequest as URL parameters to handler.
handler will decrypt the envelope using it's private key, and separate the clientID and password.
handler will check the requestor_id to see if we have this configured, if not, will inform the user that the requestor was not recognised.
handler will authenticate the user (in this case, via asking for username and password and checking against LDAP and/or via a preauthenticated session)
handler will then generate a return authtoken to requestor
handler will decrypt the SESSION_ID from authrequest using the decrypted and decoded password from the envelope
handler will encrypt a new string containing SESSION_ID and an ID of the logged in credentials (username, GUID, etc) with the decrypted and decoded password from the envelope
handler then sends a location: header to user that contains the authtoken as URL parameter to a preconfigured URL for this requestor_id.
requestor receives the request, and will decrypt the token using the password in the users session.
requestor will confirm the SESSION_ID matches the users current session, else it will restart authentication.
requestor can then use the returned crednetialID to identify a local user as authenticated.
This process can be repeated across different systems to give a single signon behaviour.
So, questions:
Does anyone know of a pre-existing, standardised authentication system that meets the requirements and preforms similarly to above?
If not, and given that I'm no security expert, is there anything above that would could be broken? i.e. what is/are the weak point(s) of this method?
You could use Kerberos: http://web.mit.edu/kerberos/www/
Or you implement an internal OpenID system: http://openid.net/
There are also several PHP libraries for OpenID: http://openid.net/developers/libraries/
Your base64 encoding of the password before encryption doesn't really make any sense (for me at least), as it is a function mostly used for serializing data that is to be communicated elsewhere. However, after the envelope is encrypted, you have binary data again, so what you might want to do is serialize the ciphertext.
Also, you might want to check out whether it is possible to do hashing of the credentials at the client-side (1000 times iterated and salted MD5 or SHA-* is fine). You could check out RFC2617 (HTTP Digest Access Authentication) for inspiration. This is to counter the passwords' vulnerability while decrypted at the server.
I'm developing a mail client in PHP for a customer, and they want the ability to handle all of their various email accounts from this single client.
The user should not have to type all passwords every time he wants to use the service, and thats my problem. Is there a way to retrieve and send mail through Gmail without entering the password to the mail account? Is there some other way? Or must I save the passwords in my database with some encryption and decrypt it with a "hidden" key?
https://developers.google.com/google-apps/gmail/ Read the OAuth section.
OAuth gives you a token, instead of a password. Even if the user changes his gmail password, said token would allow you to access his inbox and such.
As for Hotmail... i think no OAuth API is out there, sadly.
Read this just in case:
http://msdn.microsoft.com/en-us/library/live/hh826535
Authentication with the email server will need you pass the password, so you are right about the crypt and decrypt mechanism (a cipher) for storing it in the database of your application. That will prevent email passwords be readable if someone gets your data, but you will need to be carefoul in how application stores the key to decrypt. Here are some extensions in PHP for ciphers http://www.php.net/manual/en/refs.crypto.php