2

I am using a form with user and password fields in that I need to encrypt the password before sending the form to the server for validation. For that I am using md5.js for encryption on client side using the salt information.

test.php

<script LANGUAGE="Javascript" SRC="js/md5.js"></script>
<script>
    function encryptPwd1(strPwd, strSalt, strit) {
        var strNewSalt = new String(strSalt);
        if (strPwd == "" || strSalt == "")
        {
            return null;
        }
        var strEncPwd;
        var strPwdHash = MD5(strPwd);
        var strMerged = strNewSalt + strPwdHash;
        var strMerged1 = MD5(strMerged);
        return strMerged1;
    }
    function validateForm(strSalt, strit) {
        var strEncPwd = new String(encryptPwd1(document.getElementById("password").value, strSalt, strit));
        document.getElementById("password").value = strEncPwd;
        document.login.submit();
        return true;
    }
</script>
<form method="post" action="test1.php">
    <input type="hidden" 
           name="salt"
           id="salt"
           value="8qadr4xnCPW275BaNpYX">
    <label class="login">Password:</label>
    <input
        name="password"
        id="password"
        type="password" />
    <input type="submit"
        name="gos"
        id="gos"
        value="Login"
        onClick="return validateForm('8qadr4xnCPW275BaNpYX','38');">
</form>

This is the form which contains the client encryption using JavaScript and md5.js. I can successfully encrypt the message and send it to test1.php in that test1.php. I don't know how to decrypt the text please help me.

Palec
  • 12,743
  • 8
  • 69
  • 138
VPR
  • 77
  • 2
  • 3
  • 13
  • 1
    What you are talking about here is hashing, not encryption. Hashing is not meant to be reversible (even though MD5 is very insecure and it's possible to reverse it). You should be rehashing on the server side and comparing with the JS hash rather than trying to reverse it. – t j Jul 11 '14 at 00:53
  • Why don't you simply use md5 to decrypt it instead trying to reverse it or created md5 decryption – user2530266 Jul 11 '14 at 00:58
  • @orciny can any one guide me how to do that please. or any examples – VPR Jul 11 '14 at 01:01
  • Take a look at the PHP MD5 functions. http://php.net/manual/en/function.md5.php Although these days, they're not considered strong enough to hash passwords with. You should maybe look into a stronger algorithm using password_hash: http://au2.php.net/manual/en/function.password-hash.php – t j Jul 11 '14 at 01:07
  • @orciny this never shows how to do with client side give me an example so that i cant study well or tell how to decrypt the in test1.php – VPR Jul 11 '14 at 01:11
  • What are you trying to achieve using this “encryption”? Against what type of attack do you want to secure the password? Data is transferred to the server over HTTP. If you use plain HTTP, man in the middle can intercept the data and repeat the request any time in the future. When using HTTPS, data is secured during the transfer. But please, find someone who understands web application security well to talk to personally. Getting everything right is not easy and even a minor mistake can compromise the security of the application. – Palec Jul 11 '14 at 01:15
  • i am planning to get SSL but still i need to know how to do this for learning purpose – VPR Jul 11 '14 at 01:18
  • Please share the PHP code you're using to verify the hashed password. – Ja͢ck Jul 11 '14 at 01:24
  • $p=$_POST['password']; $s=$_POST['salt']; echo $p."
    ".$s."
    "; echo md5($p.$s); hashed value: 004aa3549f5a63c6e885b3b5ef986ba8 salt: 8qadr4xnCPW275BaNpYX and result : d1a799133948dd41bf344d08ab16a44c     – VPR Jul 11 '14 at 01:25
  • The thing about `md5()` is that it goes only one way; it's not encryption. The most you can do is verify that the password matches another one stored in a database of some sorts. – Ja͢ck Jul 11 '14 at 01:26
  • i just want to decrypt the text and see. Please tell me how to do that – VPR Jul 11 '14 at 01:27
  • Perhaps [this answer](http://stackoverflow.com/questions/10916284/how-to-encrypt-decrypt-data-in-php/10945097#10945097) will help you further. – Ja͢ck Jul 11 '14 at 01:29
  • i tried this before itself and its not working bro @Jack – VPR Jul 11 '14 at 01:32
  • Sorry, I meant [this answer](http://stackoverflow.com/questions/12457234/encrypt-in-javascript-decrypt-in-php-using-public-key-cryptography/12575951#12575951). – Ja͢ck Jul 11 '14 at 01:34

3 Answers3

3

Hang on a minute here.

This is just a bad idea (I can think of other adjectives here but will limit myself to BAD).

Anybody can read your page source with any browser, so what do I see if I do that....

  1. I now know that you are using MD5 to hash your passwords on your database (let's ignore how bad MD5 is for now)
  2. And lo and behold I also know the SALT that you are using!

Why not just give me your bank account number and PIN code, and for good measure the keys to your house and car!

I assume you don't have a boat or you would have drowned by now!

Don't try and do this in the browser, the only secure way is to use SSL.

reformed
  • 4,505
  • 11
  • 62
  • 88
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
  • i am just doing this for learning purpose can any one teach me how? – VPR Jul 11 '14 at 01:23
  • 1
    But my point is there is nothing to learn from what you are doing other than it is a very bad idea and has no place in any system. – RiggsFolly Jul 11 '14 at 01:35
2

You want to protect the plain text password from a "man in the middle", which is listening the network traffic. Unfortunately it is not possible to prevent this with client-side java-script, because the attacker can see the sent java-script as well and would also be able to simply remove this script from the request.

The only reliable way to protect the transfer of the password is using HTTPS with SSL encryption. This also only works because a secret is already shared (the certificates installed within your browser).

Client-side hashing can have it's purpose as well, but never replaces server-side hashing. You can transfer CPU power used for hashing to the client. On the server side you would have to hash again, but with fewer rounds.

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
1

Password encryption is needed because of password trace will be stored in browser memory on your computer when you make submission. If a hacker get access to your computer, with a widely available tool, your stored data will be exposed.

The remedy for that is to make it harder for the hacker to get hold of your password...

There are two things to remember: 1) submit via form 2) submit via ajax

In both cased it is important that you control the character encoding of your submission and make sure your server character encoding is in synch with your application web page.

If you do not control the encoding, then your ajax call may end up with different set of encoding than your submission via form and hence your decoding will not be easy.

Once you have them under control then use code in what ever language you want to decode... however, you need to keep a reference of salt and stringit on server side.. and you need to randomly generate different set of strings on each page you provide for users.

one way to do it is by including them in form as hidden inputs.. but you need to remove the inputs on the fly from the form right before you allow the form to proceed with submission.

Masoud Salehi
  • 11
  • 1