Gentoo Forums
openssl question
bentjensen
n00b


Joined: 13 Jan 2011
Posts: 2

Posted: Thu Jan 13, 2011 2:52 am    Post subject: openssl question

I am new to this forum, so please bear with me.

I have made a web page with a login screen. The user logs in to my Linux server. I need to encrypt the password being sent to the server. I am using javascript to encrypt the password:

rijndaelEncrypt(plaintext,key, mode)); with a 16 byte key and CBC mode.

On the Linux server I can't use javascript, but would like to use openssl. Does anyone know how I can make openssl decrypt the password coming from the client? I can't find out how to handle the key. Looks like I can use rand to generate a 16 byte number that I can send to the client, but I can't figure out what the line command must look like to decrypt the ciphertext.

thanks
Ben
Hu
Moderator


Joined: 06 Mar 2007
Posts: 15991

Posted: Thu Jan 13, 2011 3:01 am    Post subject:

Why do you need to decrypt the password on the server? That would only be useful if you stored a plaintext copy of the password, which is extremely bad practice.

If this is just to protect access to an authenticated area, consider using the web server's natural ability to solicit user credentials, rather than using a form with JavaScript. This will make it easier to use automated agents with the server.
phajdan.jr
Retired Dev


Joined: 23 Mar 2006
Posts: 1777
Location: Poland

Posted: Thu Jan 13, 2011 6:53 am    Post subject: Re: openssl question

bentjensen wrote:
rijndaelEncrypt(plaintext,key, mode)); with a 16 byte key and CBC mode.


Rijndael (AES) is a symmetric cipher. The JavaScript code that does the encryption has to know the key. Also, the browser must have all that code and info to actually perform the encryption, so it is known to the attacker (especially the key). When the attacker knows the key, this encryption becomes useless.

I suggest just using https instead of that.
_________________
http://phajdan-jr.blogspot.com/
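Added example, not part of the thread or any poster's code: the scheme discussed above run end to end in shell, with openssl standing in for the JavaScript side. It shows the server-side decrypt command the question asks about, and that the same command works for anyone who saw the key cross the wire on plain HTTP. The key, IV, capture format and function names are constructed; PKCS#7 padding and a base64 wire encoding are assumptions.

```sh
#!/bin/sh
# Added illustration; key, IV, capture format and function names are constructed.
# Assumes the JavaScript side uses PKCS#7 padding (openssl's default) and
# sends the ciphertext base64-encoded.

# Stand-in for the browser's rijndaelEncrypt(): AES-128-CBC under a raw hex key.
client_encrypt() {  # $1 = password, $2 = key (hex), $3 = IV (hex)
    printf '%s' "$1" | openssl enc -aes-128-cbc -K "$2" -iv "$3" -a
}

# The server-side command from the question: same key and IV, -d to decrypt.
server_decrypt() {  # $1 = base64 ciphertext, $2 = key (hex), $3 = IV (hex)
    printf '%s\n' "$1" | openssl enc -d -aes-128-cbc -K "$2" -iv "$3" -a
}

# Everything that crosses the wire when the page is served over plain HTTP.
capture() {  # $1 = password typed by the user
    key=$(openssl rand -hex 16)   # 16-byte key the server hands to the page
    iv=$(openssl rand -hex 16)    # CBC IV, needed by both sides (assumed sent too)
    printf 'S->C key=%s iv=%s\n' "$key" "$iv"
    printf 'C->S ct=%s\n' "$(client_encrypt "$1" "$key" "$iv")"
}

# A reader of that capture holds the same inputs as the server does.
recover_from_capture() {  # capture text on stdin
    cap=$(cat)
    key=$(printf '%s\n' "$cap" | sed -n 's/^S->C key=\([0-9a-f]*\) iv=.*$/\1/p')
    iv=$(printf '%s\n' "$cap" | sed -n 's/^S->C key=[0-9a-f]* iv=\([0-9a-f]*\)$/\1/p')
    ct=$(printf '%s\n' "$cap" | sed -n 's/^C->S ct=//p')
    server_decrypt "$ct" "$key" "$iv"
}

# Constructed sample run: the password comes back out of the capture alone.
capture 'example-password' | recover_from_capture; echo
```

With HTTPS the key exchange and the password both travel inside TLS, so neither line of that capture is visible on the path.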
bentjensen
n00b


Joined: 13 Jan 2011
Posts: 2

Posted: Thu Jan 13, 2011 3:40 pm    Post subject: Re: openssl question

The idea was to prevent snooping the password off the net and not to require https. However, you are right: https does the job, and it is no big deal.

thanks for the replies
Ben
All times are GMT