Re: [Lam-public] mcrypt and mhash
From: Farkas L. <lf...@bn...> - 2003-11-20 12:46:48
hi,
first of all I just would like to help, but I still do not understand...

Roland Gruber wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Farkas,
>
> Farkas Levente wrote:
> |> We haven't found a solution to encrypt passwords without
> |> mcrypt. If you have an idea how to do this I would be very
> |> glad to hear it.
> |
> | in php by default (in strings) there are the following functions:
> | crypt, md5, sha1, crc32
>
> I will change the code so that at least MD5 and SHA1 will work for
> password hashes. However, sha1 needs PHP 4.3.
>
> | so I just would like to know whether mcrypt and mhash are really
> | important or is it possible to make them optional?
>
> MHash is needed for SSHA passwords which should be the most secure
> password hash for LDAP at the moment.

can it be done as optional?

> MCrypt is needed to protect your password against other users as we need
> to store this in the session.
> Storing the password in a cookie is not an option. The cookies can be
> sniffed easily. We had to enforce cookies via SSL which makes it hard
> for people to try LAM.
>
> So we either need a plain PHP implementation of AES/Twofish... or stay
> with MCrypt. An option might be an external perl script, we have to
> discuss this. Perl is a problem for chrooted webservers...

no, I never thought about reinventing the wheel!

> Always keep in mind that LAM manages user accounts which is a very
> sensitive thing where maximum security is required.

what I assume about it:
- lam is installed on a secure web server (https)
- someone logs in with some username/password, i.e. the browser sends it to
  the server in clear text, although through https, so it's still secure.
- the client stores the session (or maybe a key for the session) in a cookie.
- then it uses this cookie when it has to identify the session...

how do others do it? e.g. www.squirrelmail.org (written in php) stores a
session and a key in a cookie and it works (I hope it's secure) and many
people use it.

just my 2c.
yours.
-- 
Levente                               "Si vis pacem para bellum!"
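The thread asks whether SSHA support really needs the mhash extension. It does not: an LDAP {SSHA} (or {SMD5}) value is only base64(digest(password . salt) . salt), so PHP's built-in sha1()/md5() plus pack() and base64_encode() are enough. The block below is an added example written for this page; it is not LAM's code and not code posted by either participant. It assumes a PHP 7+ interpreter for random_bytes() and hash_equals() (on the PHP 4.3 of the thread one would read /dev/urandom and use a plain string compare instead); the 8-byte salt length is a conventional choice, not something the format dictates. It goes slightly beyond the thread by handling {SMD5} with the same code path.

```php
<?php
// Added example (not LAM's code): LDAP salted password hashes without mhash.
// {SSHA} and {SMD5} are base64( digest(password . salt) . salt ), so the
// built-in sha1()/md5() plus pack() and base64_encode() are sufficient.
// Assumptions: PHP 7+ for random_bytes() and hash_equals(); an 8-byte salt
// is a conventional choice, the format itself only requires a non-empty salt.

// Map an LDAP scheme prefix to (PHP digest function, raw digest length in bytes).
function ldap_scheme_info($scheme) {
    $schemes = array(
        "{SSHA}" => array("sha1", 20),
        "{SMD5}" => array("md5", 16),
    );
    $scheme = strtoupper($scheme);
    return isset($schemes[$scheme]) ? $schemes[$scheme] : null;
}

// Produce a salted hash, e.g. ldap_salted_hash("secret", "{SSHA}").
// $salt may be passed explicitly for reproducible output; normally leave it null.
function ldap_salted_hash($password, $scheme = "{SSHA}", $salt = null) {
    $info = ldap_scheme_info($scheme);
    if ($info === null) {
        return false;   // unsupported scheme
    }
    list($fn, $len) = $info;
    if ($salt === null) {
        $salt = random_bytes(8);   // assumption: PHP 7+ CSPRNG
    }
    // sha1()/md5() return hex strings; pack("H*") converts them to raw bytes.
    $digest = pack("H*", $fn($password . $salt));
    return strtoupper($scheme) . base64_encode($digest . $salt);
}

// Verify a candidate password against a stored {SSHA}/{SMD5} value.
// The salt is recovered from the stored value, so nothing else needs storing.
function ldap_salted_verify($password, $stored) {
    if (!preg_match('/^(\{[A-Za-z0-9]+\})(.+)$/', $stored, $m)) {
        return false;   // no "{SCHEME}" prefix
    }
    $info = ldap_scheme_info($m[1]);
    if ($info === null) {
        return false;   // scheme we do not handle here
    }
    list($fn, $len) = $info;
    $raw = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) <= $len) {
        return false;   // malformed base64, or no salt bytes after the digest
    }
    $digest = substr($raw, 0, $len);
    $salt   = substr($raw, $len);
    $check  = pack("H*", $fn($password . $salt));
    return hash_equals($digest, $check);   // constant-time comparison (PHP 5.6+)
}

// Constructed demonstration values.
$hash = ldap_salted_hash("secret", "{SSHA}");
echo $hash, "\n";
echo ldap_salted_verify("secret", $hash) ? "ssha: accepted\n" : "ssha: FAIL\n";
echo ldap_salted_verify("wrong", $hash) ? "ssha: FAIL\n" : "ssha: wrong password rejected\n";
$md5hash = ldap_salted_hash("secret", "{SMD5}");
echo ldap_salted_verify("secret", $md5hash) ? "smd5: accepted\n" : "smd5: FAIL\n";
echo ldap_salted_verify("secret", "{SSHA}!!notbase64!!") ? "FAIL\n" : "malformed value rejected\n";
```

Run it with `php ssha.php`. Because the salt is random, the printed {SSHA} value differs on every run; a directory server verifies it the same way the verify function does, by splitting the decoded bytes at the digest length and re-hashing with the recovered salt. Note that this covers only the hashing side of the thread; the mcrypt question (protecting the password kept in the PHP session) is a separate problem that these functions do not address.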