Login class

siarits-tc

I made a site on which I wanted a tad bit of security for the information involved. My solution seems decently solid, but I just wanted to find if there was a flaw that I had not seen.

To begin the process, the user navigates to a page with no links directed to it. This page isn't supposed to be used very often and by only one user, so I figured that not linking to the page would be my first security measure.

Next, the page gives a cookie to the browser involving a two part encrypted string. The first part is a randomly generated string and the second part is a set 'salt'.

When the user wants to login, they type in the encryption key and the salt. JavaScript is then used to decrypt the string, remove the salt, encrypt the remainder, and send it back to the server in a GET method.

From there, the server decrypts the cookie and the sent value and compares the two. If they are equal, the random string is added to the session register.

This login method is only meant for a single user, but is the simplest i could think of for proper authentication over an insecure connection. Please punch holes in this though. I would like to know it's potential flaws.

bradgrafelman

You're using HTTPS for this, right?

laserlight

bradgrafelman wrote:
You're using HTTPS for this, right?

Probably not, due to the phrase "proper authentication over an insecure connection".

I am inclined to say that given secure cryptographic primitives, this protocol does achieve "proper authentication over an insecure connection", but how are you going to pass the encryption key and the fixed salt value to the user? You may be better off just using SSL/TLS.

siarits-tc

it is for a single user. the two values you speak of are already known and static values in the php class. it will be more difficult to change them, but the information behind the login isn't important enough to justify ssl/tls.

/*
*	this class is for a simple cookie login function
*
*	All methods are static and can be accessed without instantiating the class. This class works
*	by first sending a cookie with an encrypted string to the browser. The browser then decrypts
*	the string, removes the salt, encrypts the remainder, and sends it back to the server with
*	the cookie. Finally the login() function is called to decrypt and test the strings for addition
*	to the session register.
*
*	--- Method list ---
*
*	static login()
*	static checkLoginStatus()
*	static setLoginCookie()
*	static genRandomString()
*	static salt()
*	static skey()
*
*/

include('DESCryptography.php');

class SimpleLogin {
	private static $salt='username';		// define the salt for the encrypted string
	private static $skey='password';		// define the key for encryption


// ---- DO NOT EDIT BELOW THIS LINE ---- //

public static function login($input) {

	/* --- login() ---
	* requires a browser cookie 'vuid'
	* input variable needs to be an encrypted string using the DESCryptography.php script
	*
	* returns true with successful login and false when not
	*
	*/

	$cookie = (isset($_COOKIE['vuid'])) ? $_COOKIE['vuid'] : '';

	$passphrase=str_replace(self::$salt,'',des(self::$skey,hexToString($cookie),0,0,null));
	$comp=des(self::$skey,hexToString($input),0,0,null);

	if(strcmp(trim($comp), trim($passphrase)) == 0){
		session_register($passphrase);
		return true;
	} else return false;
}
public static function checkLoginStatus() {

	/* --- checkLoginStatus() ---
	* This function checks for a cookie 'vuid', decrypts the string, removes the salt, and
	* checks the remainder for existence in the session register.
	*
	* Returns false with no cookie, true for registered session, and false for non-registered
	* session.
	*
	*/

	$cookie=(isset($_COOKIE['vuid'])) ? $_COOKIE['vuid'] : '';

	if($cookie){
		$passphrase=str_replace(self::$salt,'',des(self::$skey,hexToString($cookie),0,0,null));

		if(!session_is_registered($passphrase)) {
			return false;
		} else return true;
	} else return false;
}
public static function setLoginCookie() {

	/* --- setLoginCookie() ---
	* Creates an encrypted string with the key from a random string and the salt and sets it
	* in a cookie. This method may not work when used from this class.
	*
	*/

	$code=self::genRandomString();

	$message=$code.self::$salt;
	$cyphertext=hexToString(des(self::$skey,$message,1,0,null));
	setcookie('vuid',stringToHex($cyphertext));
}
public static function genRandomString() {

	/* --- genRandomString() ---
	* Generates a random string 'len' digits long.
	*
	*/

	$len=8;
	$chars='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
	$str='';
	for($i=0;$i<$len;$i++){
		$str.=$chars[mt_rand(0,strlen($chars))];
	}
	return $str;
}
public static function salt() {
	return self::$salt;
}
public static function skey() {
	return self::$skey;
}
}

laserlight

siarits-tc wrote:
it is for a single user. the two values you speak of are already known and static values in the php class.

Basically, you are saying that there is a secure channel by which this information is sent. If so, then in my opinion your protocol achieves "proper authentication over an insecure connection"

By the way, are you really using DES? It would make more sense to use AES.

siarits-tc

the salt and key will be physically given to the user once the site goes live.

ya i'm kinda new to cryptography and des was the first one I found scripts for in both php and javascript. how do I use aes and what is the difference?

laserlight

siarits-tc wrote:
how do I use aes and what is the difference?

AES is the successor to DES, and does indeed provide a greater margin of security these days, as far as the public knows.

siarits-tc

great. i'll look into it. thanks.