Posted by Cord-Heinrich Pahlmann on 01/05/07 13:37
Hi Stefan, thanks for the fast answer.
First of all I should define some constants to deconfuse (is that a
word?) some of the terms I use.
"A-Password" is the password the user uses to log in to the web page.
"KEY" is a randomly generated 16-char string which is the key to decrypt
the B-Passwords.
"B-Passwords" are the encrypted passwords from the DB for the
third-party logins.
"C-Passwords" are the decrypted B-Passwords.
That should help.
Stefan Rybacki wrote:
> > Then the clear-text
> > login-password decrypts an unknown key which is stored in the
> > $_SESSION-Variable.
>
> Where does this key come from in the first place?
>
Ok, that was a little bit confusing. The key is blowfish decrypted in
the DB. It is stored right next to the username and A-password of each
user. And that key is newly generated each time the user logs in.
I use the clear-text A-password to encrypt the key, so that I as the
Administrator can't decrypt the B-passwords from my friends (other
users).
Since md5 is a one-way decryption I have no chance to gather the
C-Passwords of any user, right?
> > How secure is the Blowfish Algorithm?
>
> The blowfish algorithm is, as far as I remember, known as secure (meaning no
> effective way of breaking it) as long as you use the full 16 rounds of
> encryption.
OK, I have to check into that. The source code I use uses a 128-bit key,
which is OK I guess.
> > Each time I log in to my site, the script generates a new key and
> > de/encrypts all the stored passwords again. So the stored
> > encrypted passwords look different every time I log in.
> >
>
> Where do all the passwords come from?
The user has to enter the C-Passwords and the other login data. You can
fetch third-party login forms and the script automatically logs you into
the page.
How safe is it to send POST data to a third-party homepage? I wouldn't
really use this tool for my e-mail or home-banking accounts, but for forum
and blog pages it should be safe enough, right?
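The A-Password / KEY / B-Password / C-Password scheme described in this post, sketched as an added example (this is not the poster's PHP script, and nothing here comes from the original thread). Two things are assumptions that differ from the script under discussion: Blowfish is replaced by an HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC), so the example runs with the Python standard library alone, and the key-encryption key is derived from the A-Password with salted PBKDF2 rather than a plain md5 of the password. The record layout, the `create_user`/`login`/`rekey` names and the sample passwords are constructed for the example.

```python
"""Per-user key wrapping: a random KEY encrypts the third-party passwords,
and the KEY itself is encrypted under a key derived from the login password.
Whoever holds only the DB (e.g. the site admin) cannot unwrap the KEY."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # slow on purpose; tune to ~100 ms on the server
KEY_LEN = 32                  # assumption: 32 random bytes instead of a 16-char string
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(a_password: str, salt: bytes) -> bytes:
    """Key-encryption key from the A-Password. A per-user salt plus many
    iterations replaces the single md5 hash used in the original script."""
    return hashlib.pbkdf2_hmac("sha256", a_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _subkeys(key: bytes) -> tuple:
    # Separate keys for confidentiality and integrity, both derived from `key`.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode stands in for Blowfish here (assumption, see lead-in).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. Fresh nonce each call, so the same
    plaintext never produces the same blob twice."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key or a modified blob raises instead of
    returning garbage, which also makes a wrong A-Password detectable."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_user(a_password: str, c_passwords: dict) -> dict:
    """What the DB row holds: salt, the KEY wrapped under the KEK, and the
    B-Passwords (C-Passwords encrypted under the KEY). The A-Password itself
    is not stored; the wrapped KEY's tag doubles as the login check."""
    salt = os.urandom(16)
    key = os.urandom(KEY_LEN)
    kek = derive_kek(a_password, salt)
    return {
        "salt": salt,
        "wrapped_key": encrypt(kek, key),
        "b_passwords": {site: encrypt(key, pw.encode("utf-8"))
                        for site, pw in c_passwords.items()},
    }


def login(record: dict, a_password: str) -> tuple:
    """Unwrap the KEY with the A-Password and decrypt the C-Passwords.
    Raises ValueError when the A-Password is wrong."""
    kek = derive_kek(a_password, record["salt"])
    key = decrypt(kek, record["wrapped_key"])
    c_passwords = {site: decrypt(key, blob).decode("utf-8")
                   for site, blob in record["b_passwords"].items()}
    return key, c_passwords


def rekey(record: dict, a_password: str) -> dict:
    """The re-encryption the post describes on every login: a new random KEY,
    every B-Password re-encrypted, and the new KEY wrapped again."""
    _, c_passwords = login(record, a_password)
    return create_user(a_password, c_passwords)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    row = create_user("correct horse battery", {"forum": "hunter2", "blog": "s3cret"})
    print("login ok:", login(row, "correct horse battery")[1])
    try:
        login(row, "wrong password")
    except ValueError as e:
        print("admin without A-Password:", e)
```

Note the caveat this exposes about the original design: md5 of the A-Password is fast to brute-force offline from a DB dump, so the wrapping only protects the B-Passwords as well as the password-to-key derivation resists guessing. Slow, salted derivation is what makes "the administrator can't decrypt them" hold in practice, and an authenticated wrap (the tag above) is what turns a wrong A-Password into an error rather than silently wrong C-Passwords.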