#463 (in 2.6.0) Encrypted password valid for limited time amount

fixed
1
2013-06-11
2004-02-22
Brendan
No
12 comments

As it stands, a cookie hijacker can steal the encrypted pass out of the cookie and log into PHPMyAdmin whenever he/she wants. It is also easy for him to be reassured that the user/pass is the right one (by the username.)

I would suggest encrypting the username to make every user that is logged into the network look the same. This would also make it impossible to see if root or some other targeted user is logged in at the time.

I would also like to propose a method where a hijacker could only hijack the user/pass for a specified period of time. (Let's say three hours... or let the user decide in the config file.)

This will be accomplished by:

Preparation:
1. Specify a time variance between clicks. (Log out time delay)

Cookie Encoding:
1. Send a cookie with the Date/Time & Variance encrypted with the blowfish pass (BlowPass) in the config file. Overwrite the Date/Time but NOT the variance.
2. Create another pass by combining the Date/Time, Variance & BlowPass. (md5... maybe) The variance is optional and may only slightly slow a hacker.
3. Encrypt the User and Pass with the new DateTimeBlowPass.
4. Send the encrypted User and Pass in a cookie.

Authenticating:
1. Decrypt the Date/Time with BlowPass.
2. If Date/Time out of variance, Log Out!
3. Use Date/Time and BlowPass to recreate DateTimeBlowPass.
4. Unencrypt User/pass.
5. Check if authorized with MySQL.
6. Update Date/Time cookie with current Date/Time.

Voilà. The encrypted pass sent to a user's computer is now time sensitive. If the time variance is out of range, the encrypted pass cannot be used! This secures the front-end (without sessions) as much as I can wrap my mind around today.

Sending the variance in the cookie is optional. It may only add a small amount of security. The idea behind it is that if the hacker has write permissions to the config file, he could change the variance to be huge, allowing him/her to use the time sensitive cookie for an extended period of time. However, if the user could write to the config file, he could no doubt create a little program to capture the user/pass when they were entered & numerous other things.

I would be happy to make these modifications if you would like.
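The time-limited cookie discussed above, as an added example that is not code from this ticket or from phpMyAdmin: it follows the simpler variant accepted later in the thread, putting the issue time inside the encrypted, authenticated blob and refusing the cookie once it is older than the variance. The HMAC-SHA256 keystream and tag stand in for the Blowfish cipher the ticket assumes; the secret, the three-hour variance and the credentials are constructed values.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for the blowfish secret kept in the config file.
SECRET = b"constructed-config-secret"
DEFAULT_VARIANCE = 3 * 3600  # "let's say three hours" between clicks


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the Blowfish cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encode_cookie(user, password, now=None):
    """Encrypt user, pass and issue time together, then authenticate the whole blob."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    plain = json.dumps({"u": user, "p": password, "t": now}).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(SECRET, nonce, len(plain))))
    tag = hmac.new(SECRET, nonce + body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + body + tag).decode()


def decode_cookie(token, variance=DEFAULT_VARIANCE, now=None):
    """Return (user, password) if the cookie is genuine and still fresh, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(SECRET, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered cookie
    plain = bytes(a ^ b for a, b in zip(body, _keystream(SECRET, nonce, len(body))))
    data = json.loads(plain)
    if not 0 <= now - data["t"] <= variance:
        return None  # out of variance: "Log Out!"
    return data["u"], data["p"]


def refresh_cookie(token, variance=DEFAULT_VARIANCE, now=None):
    """Last authenticating step: re-issue with the current time after a valid click."""
    creds = decode_cookie(token, variance, now)
    return None if creds is None else encode_cookie(*creds, now=now)
```

A copied cookie still works for the length of the variance, and the password still travels to the client, which is what the later move to sessions addresses.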

Discussion

  • Michal Čihař, 2004-02-24

    Creating a new encryption password from Date/Time, Variance &
    BlowPass doesn't add any security and just complicates
    things. I just filed a similar request, but much simpler, and
    I think it is enough for improving security.

    Adding time information to the encrypted password and, after
    decrypting, checking whether it is recent enough (the time could
    be the same as the cookie validity) is IMHO enough.

    Encrypting the username is probably also a good idea.

  • Michal Čihař, 2004-02-24

    • assigned_to: nobody --> nijel

  • Michal Čihař, 2004-02-24

    • labels: 509126 --> Authentification issues
    • summary: cookie auth --> Make encrypted password valid for limited time amount

  • Brendan, 2004-02-25

    I agree, as long as the time is encoded into the same cookie.
    You are right. The rest really is just complicating things.

    Brendan

  • Brendan, 2004-02-25

    Any chance of using sessions to form a multifaceted
    authentication token? (To completely remove the password
    and username from the client computer and only allow access
    one click at a time?)

    Brendan

  • Brendan, 2004-02-25

    • summary: Make encrypted password valid for limited time amount --> session auth

  • Michal Čihař, 2004-02-25

    • summary: session auth --> Make encrypted password valid for limited time amount

  • Michal Čihař, 2004-02-25

    Sessions are definitely planned (I think there is a separate
    RFE for it), but it requires much more work.

  • Michal Čihař, 2004-02-27

    • summary: Make encrypted password valid for limited time amount --> (in 2.6.0) Encrypted password valid for limited time amount
    • status: open --> open-fixed

  • Michal Čihař, 2004-02-27

    Implemented in CVS.