
Situation:

I have two systems, a Java API requiring user/password checking credentials against LDAP and a frontend for that API written in PHP. The frontend probably needs to store the user/password combination in a session.

Suggestion:

I would use a block cipher implementation like Zend\Crypt (<2.5) [1] with AES and use simple PHP sessions (probably file based).

Question:

1.) Is encryption of the password the only choice?

2.) What encryption/mode would you suggest regarding a good compromise between safety and speed?

Password hashing is NOT an option because the API requires the plain password.

[1] https://framework.zend.com/manual/2.4/en/modules/zend.crypt.block-cipher.html

MonkeyMonkey
  • A better alternative is to use OAuth2 instead of the username/password pair. Sending username/password in every request, even if encrypted, causes security issues. – Lamine K Oct 17 '16 at 15:11
  • You don't need the original password, just a hash. – Marek Janoud Oct 17 '16 at 15:12
  • Also you can use JSON Web Token - https://github.com/tymondesigns/jwt-auth – xpuc7o Oct 17 '16 at 15:14
  • I can't just hash the password, because the last chain requires the plain password. – MonkeyMonkey Oct 18 '16 at 08:28
  • Do you have any choice here to use something other than a plaintext password? Get an LDAP token or something? Or must your frontend hold onto the plaintext password to use the backend (in which case: what a terrible backend)? – deceze Oct 18 '16 at 09:00
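The setup sketched in the question (plain password kept in a file-based PHP session, encrypted with a block cipher) can be made concrete as follows. This is an added example and not code from the question, from Zend\Crypt, or from any of the commenters. It uses PHP's libsodium secretbox (authenticated encryption) instead of Zend\Crypt\BlockCipher, so that a modified session blob is rejected rather than silently decrypted to garbage. The split of key and ciphertext across cookie and session is a design assumption of this example: the random per-session key lives only in an HttpOnly cookie on the client, the ciphertext only in the server-side session file, so neither a stolen session file nor a stolen cookie alone yields the LDAP password. The function names `newSessionKey`, `sealCredential` and `openCredential` and the cookie name `ck` are hypothetical.

```php
<?php
// Added example: keep an LDAP password out of the session store in clear text
// by sealing it with authenticated encryption (XSalsa20-Poly1305 via libsodium,
// PHP >= 7.2). Not part of the original question or of Zend\Crypt.
declare(strict_types=1);

// Fresh random key per login. Assumption of this example: the key is handed to
// the browser in an HttpOnly cookie and never written to the session file.
function newSessionKey(): string
{
    return random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

// Returns base64(nonce || ciphertext+tag); safe to store in $_SESSION.
function sealCredential(string $password, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($password, $nonce, $key);
    // The nonce is not secret; it only has to be unique per key, which
    // random_bytes guarantees with overwhelming probability.
    return base64_encode($nonce . $box);
}

// Recovers the password; throws on a malformed, tampered or wrong-key blob.
function openCredential(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed credential blob');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Authentication tag did not verify: fail closed and force a re-login.
        throw new RuntimeException('credential blob failed authentication');
    }
    return $plain;
}

// Web usage (assumes session_start() has already run):
//   at login:
//     $key = newSessionKey();
//     setcookie('ck', base64_encode($key),
//         ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
//     $_SESSION['cred'] = sealCredential($password, $key);
//   per API call:
//     $password = openCredential($_SESSION['cred'], base64_decode($_COOKIE['ck'], true));
//     ... call the Java API, then sodium_memzero($password);
//   at logout: session_destroy() and expire the 'ck' cookie.

// CLI self-check with a constructed password.
$key  = newSessionKey();
$blob = sealCredential('correct horse battery staple', $key);
echo openCredential($blob, $key) === 'correct horse battery staple'
    ? "round trip ok\n" : "round trip FAILED\n";

// Flip one bit of the stored ciphertext: the tag check must reject it.
$raw = base64_decode($blob, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    openCredential(base64_encode($raw), $key);
    echo "unexpected: tampered blob accepted\n";
} catch (RuntimeException $e) {
    echo "tampered blob rejected: {$e->getMessage()}\n";
}
```

The point of the authenticated mode (secretbox here; AES-GCM via `openssl_encrypt` would serve the same purpose) is the second check in the self-test: with plain AES-CBC and no MAC, a modified session file decrypts to something, and the frontend would forward that garbage to the LDAP-backed API. Speed is not a concern at this size; one password is sealed per login and opened per request in microseconds.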

0 Answers