
Re: [MacPerl] Checking user-id's and passwords



It would be neat if perl's crypt() could decrypt things. But it can't
(its strength is that it's a one-way scheme...there is no way to read
the plain-text, one can only compare two encrypted strings and thus know
if the two underlying plaintexts were the same). 

Even public-key doesn't seem safe...the whole problem is that anyone who
sniffs packets sees everything that gets sent, in whatever form it's sent.
So even if the cgi script only looks at encrypted strings, it has no idea
if that string of gibberish came from your JavaScripted page, or from
someone who spied on the results of that page. 

Perhaps using one-time keys would work? Every time the page is sent, a
random encryption key is generated and embedded in the JS. Then a hidden
field is added with a serial number. The server stores the serial#:key
pairs. When the page gets submitted, the script looks up the key, decrypts
the submission, and then marks the serial# as 'used'. That way even if
someone sat down at the exact same machine and resubmitted the exact same
form that some moron forgot to clear from cache, it wouldn't work. 

dan

Strider said:
: 
: Write the crypt() routine in Javascript or Java, and have it submit an
: encrypted password to be decrypted with perl's crypt() routine, or
: 
: Use a DES routine (similarly constructed) and then use DES.pl to get the
: password back out.

-- 
Daniel Macks
dmacks@a.chem.upenn.edu
dmacks@netspace.org
http://www.netspace.org/~dmacks
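The two ideas in Dan's reply above (a one-way, compare-only password check like crypt(), and a per-page random key with a serial number that the server marks "used" so a sniffed or re-submitted form cannot be replayed) are shown together in the following example. This is an added illustration, not code from the list thread or from MacPerl; it is in Python rather than Perl so it can run as-is, and it swaps Dan's "client encrypts, server decrypts" step for a keyed MAC (HMAC) over the salted password hash, which lets the server keep comparing and never decrypt anything. The names (`issue_page`, `client_submit`, `verify_submission`) and the in-memory dicts standing in for the server's storage are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Server-side state. In-memory dicts are a constructed stand-in for whatever
# a real CGI script would persist (a DBM file, a database, ...).
USERS = {}      # username -> (salt_hex, salted one-way hash of the password)
PENDING = {}    # serial -> one-time key embedded in the page that was sent out
USED = set()    # serials that have already been consumed (successfully or not)


def pw_hash(password, salt_hex):
    """Salted one-way hash. Like crypt(), it can only be compared, never reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), 100_000).hex()


def register(username, password):
    """Store only salt + hash; the plaintext password is never kept."""
    salt = secrets.token_hex(16)
    USERS[username] = (salt, pw_hash(password, salt))


def issue_page(username):
    """Build the login page: a fresh random key plus the serial number that indexes it.

    The returned dict is what would be embedded in the page's JavaScript.
    A random salt is returned for unknown users so the page itself does not
    reveal whether an account exists.
    """
    serial = secrets.token_hex(8)
    key = secrets.token_hex(32)
    PENDING[serial] = key
    salt = USERS[username][0] if username in USERS else secrets.token_hex(16)
    return {"serial": serial, "key": key, "salt": salt}


def client_submit(page, password):
    """What the page's script computes: a MAC over the salted hash, keyed by the one-time key.

    Only the serial and the MAC travel back to the server; anyone sniffing
    the wire sees a value that is useless once this serial is burned.
    """
    h = pw_hash(password, page["salt"])
    proof = hmac.new(bytes.fromhex(page["key"]), h.encode(), hashlib.sha256).hexdigest()
    return {"serial": page["serial"], "proof": proof}


def verify_submission(username, submission):
    """Look up the key by serial, recompute the expected MAC, then burn the serial."""
    serial = submission["serial"]
    if serial in USED:
        return "rejected: serial already used (replay)"
    key = PENDING.pop(serial, None)
    USED.add(serial)            # burn the serial even if the check fails below
    if key is None:
        return "rejected: unknown serial"
    if username not in USERS:
        return "rejected: bad password"
    expected = hmac.new(bytes.fromhex(key), USERS[username][1].encode(),
                        hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, submission["proof"]):   # constant-time compare
        return "ok"
    return "rejected: bad password"


if __name__ == "__main__":
    register("alice", "correct horse")          # constructed sample account
    page = issue_page("alice")
    sub = client_submit(page, "correct horse")
    print(verify_submission("alice", sub))      # ok
    print(verify_submission("alice", sub))      # rejected: serial already used (replay)
```

Replaying the identical form (the "forgot to clear from cache" case) fails because the serial is consumed on first use, and a sniffed proof cannot be moved to a different serial because it was computed under that serial's key. The salt must be sent with the page so the client can compute the same one-way hash the server stored; everything else (the key, the stored hash) stays on the server.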
