#1
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2014
    Posts
    3
    Rep Power
    0

    login / password protection


    I have a Flash app that sends login / password to a server side PHP script via http POST.

    I want to add some protection to it. The server doesn't have https, so I was thinking about the script first sending some random token and Flash sending login / password encrypted with that token back.

    I don't know much about encryption, so can anyone please point me to a relatively simple way to do this kind of encryption that doesn't require much computing power?

    Thank you!
#2
    Anemic Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,807
    Rep Power
    9432
    Check out public-key cryptography. Basically, your Flash app contains a public key and uses it to encrypt the data, then your server with the private key decrypts the received data.

    [edit] If the server needs to send sensitive data back then you'll need another key pair. I won't tell you the protocol because I don't remember it 100% and if I tell you the wrong thing then it will be insecure. But regardless, two key pairs.
    Last edited by requinix; September 8th, 2014 at 01:29 AM.
#3
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2014
    Posts
    3
    Rep Power
    0
    So if I get it right, first I need to call a PHP script that will generate private / public keys and return public key to Flash, and then Flash will encrypt the message with the public key and send it to another PHP script to decipher the message?

    What bothers me is that I need to somehow store the private key on the server between the two script calls.

    Also, if more than one person will use the Flash app at the same time, how do I tell between their keys? And I need to generate a new pair for every request.
#4
    Anemic Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,807
    Rep Power
    9432
    Originally Posted by toffler
    So if I get it right, first I need to call a PHP script that will generate private / public keys and return public key to Flash, and then Flash will encrypt the message with the public key and send it to another PHP script to decipher the message?
    No: a MITM could intercept that request, record the public key, generate its own key pair, and send the public key to your app.

    It is the general idea but the scheme is more complicated than that. Remember, what you have to set up is basically on par with SSL, and that is not something you just figure out in a few minutes. Read up on public-key cryptography and key exchange protocols.

    Originally Posted by toffler
    What bothers me is that I need to somehow store the private key on the server between the two script calls.
    Sessions. You store the private key in the session.

    Originally Posted by toffler
    Also, if more than one person will use the Flash app at the same time, how do I tell between their keys? And I need to generate a new pair for every request.
    Again, sessions. Which is also how you differentiate between users, allowing you to use a single value (session ID) to represent state (the session data). I figured you were already doing that.
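The session-scoped key pair that post #4 describes, written out as an added PHP example (this is not code from the thread or from either poster). It assumes two hypothetical endpoints, keygen.php and login.php, that the Flash client posts a base64-encoded RSA-OAEP ciphertext in a field named "payload", and that the plaintext is a JSON object with "login" and "password" keys; all of those names are assumptions. It also keeps the caveat from the same post: storing the private key in the session solves the "which user, which key" problem, but nothing here lets the client verify that the public key it received really came from the server, which is exactly the key-substitution weakness requinix points out.

```php
<?php
// Added example, not from the thread. Endpoint names, field names and the
// JSON payload layout are assumptions for illustration.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// keygen.php: generate a key pair for this session only. The private half
// never leaves the server; it lives in $_SESSION, keyed by the session ID,
// which is how concurrent users are kept apart.
function issue_public_key(): string
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('RSA key generation failed');
    }
    if (!openssl_pkey_export($key, $privPem)) {
        throw new RuntimeException('could not export private key');
    }
    $_SESSION['login_priv'] = $privPem;          // server-side only
    $details = openssl_pkey_get_details($key);
    return $details['key'];                      // public key PEM for the client
}

// login.php: decrypt the posted credentials with the session's private key,
// then drop the key so each login attempt gets a fresh pair.
function recover_credentials(string $payloadB64): ?array
{
    if (empty($_SESSION['login_priv'])) {
        return null;                             // keygen step never happened
    }
    $privPem = $_SESSION['login_priv'];
    unset($_SESSION['login_priv']);              // one-time use

    $cipher = base64_decode($payloadB64, true);
    if ($cipher === false) {
        return null;                             // malformed payload
    }
    $ok = openssl_private_decrypt($cipher, $plain, $privPem, OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok) {
        return null;                             // wrong key or tampered data
    }
    $creds = json_decode($plain, true);
    if (!is_array($creds) || !isset($creds['login'], $creds['password'])) {
        return null;
    }
    return $creds;
}

// Offline round trip standing in for the Flash client. Note that this
// simulated client trusts whatever public key it is handed; without HTTPS a
// man in the middle could substitute its own, as post #4 warns.
$pubPem = issue_public_key();
$sample = json_encode(['login' => 'alice', 'password' => 'constructed-sample']);
openssl_public_encrypt($sample, $cipher, $pubPem, OPENSSL_PKCS1_OAEP_PADDING);
$payload = base64_encode($cipher);

$result = recover_credentials($payload);
var_dump($result['login'] ?? null);             // "alice"
var_dump(recover_credentials($payload));         // NULL: key already consumed
```

Run it from the command line with php on a build that has the openssl extension; the second call returns NULL because the private key was removed from the session after the first decrypt, which is the per-request key rotation the original poster asked about.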
