Kleyton

Reputation: 65

Encrypting username and password using openssl_encrypt on client side?

I am making an API for a PHP website and I need to send the login and user password in encrypted form. I chose the following method to decrypt:

$decrypted = openssl_decrypt($user_login, 'bf-ecb', $client_id);

Where $user_login is a string like 'login:password'. The $client_id is known to my site and to the client application. The client is likely to be an application on iPhone. Is the encryption algorithm I chose normal, and will there be any problems on the client side with the encoding of the user name and password?

Upvotes: 2

Views: 591

Answers (1)

jww

Reputation: 102246

Is the encryption algorithm I chose normal, and will there be any problems on the client side with the encoding of the user name and password?

You will probably need to use something like WebCrypto to ensure accepted and implemented encryption algorithms are available at the client. You may need to polyfill it.

In the bigger picture, you have two problems to contend with. First is the web security model. In the web security model, interception is a valid use case. Second is a breach of server security and the password list.


Interception

The first problem is due to the W3C's philosophy, and there's nothing you can do about the broken vision. The web security model's fundamental defects became acutely clear with Public Key Pinning with Overrides. The overrides accommodate the interception, and the web folks tried hard to downplay and cover up the behavior.

Your immediate defense is to place additional security controls like you are doing. That is, use encryption so the username and plain text password is not available to the interlopers. WebCrypto should help you so you don't need to polyfill it.

There's a latent problem, though. The interceptor can allow the encrypted username and password to pass, and then capture the cookie or token when it's returned to the client. So you will need to guard the cookie too.

And the username, password and cookie will need to be protected from replay attacks. You don't want an attacker to grab the encrypted username and password, and then replay it at a later time to obtain an authenticated session. So it sounds like it's going to need a salt or nonce, too.


Data Breach

The second problem can be remediated by following best practices of server side storage of passwords. For that, see OWASP's Password Storage Cheat Sheet and Secure Password Storage Threat Model.

Upvotes: 1
