(S.O.S) Only 4 the best programmers. About Javascript & PHP

Hi:

I have a problem:
I've a page that sends an encrypted password, using MD5, to a PHP
file, which is able to compare such MD5 encrypted password with an
encryption stored on a data base. But the encryption way, on MD5, on
JavaScript and PHP doesn't return the same value.
My questions are:
1. Aren't these methods the same? I mean, the implementation on
JavaScript and the implementation on PHP.

2. I could fix this by calling my .js file on my .php file. How can I
do this?

3. Does anyone know about an encryption method that returns the same
value, on JavaScript and PHP?

Thanks a lot.

Alejo.
Jul 17 '05 #1
Amilcar wrote:
> Hi:
>
> I have a problem:
> I've a page that sends an encrypted password, using MD5, to a PHP
> file, which is able to compare such MD5 encrypted password with an
> encryption stored on a data base. But the encryption way, on MD5, on
> JavaScript and PHP doesn't return the same value.
> My questions are:
> 1. Aren't these methods the same? I mean, the implementation on
> JavaScript and the implementation on PHP.
>
> 2. I could fix this by calling my .js file on my .php file. How can I
> do this?
>
> 3. Does anyone know about an encryption method that returns the same
> value, on JavaScript and PHP?
>
> Thanks a lot.
>
> Alejo.

Mmmmm what a heavenly way to make a site totally inaccessible to users
without javascript, and I could respond to points in question but as I
wouldn't call myself one of the best "programmers" I won't, and this news
group is public, putting subject lines like that is only going to make
you look bad IMHO.

~Cameron
Jul 17 '05 #2
Amilcar wrote:
> 1. Aren't these methods the same? I mean, the implementation on
> JavaScript and the implementation on PHP.

The algorithm is standard, RFC 1321, but the implementations may vary.

> 2. I could fix this by calling my .js file on my .php file. How can I
> do this?

You can't.

> 3. Does anyone know about an encryption method that returns the same
> value, on JavaScript and PHP?

MD5 should - but remember it's not "an encryption method", it's a
one-way hash. Minor technicality ;-)

First off, work out where the error lies. At the end of the RFC are
some test values. Run these values through both JS and PHP and see
which one doesn't give you the correct value. If they both give you the
correct value (just a simple print(md5($value))) then it's something
else in your code broken.

MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = d174ab98d277d9f5a5611c2c9f419d9f
MD5 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = 57edf4a22be3c955ac49da2e2107b67a

Cheers,
Andy
Jul 17 '05 #3
Cameron wrote:
> Mmmmm what a heavenly way to make a site totally inaccessible to users
> without javascript, and I could respond to points in question but as I
> wouldn't call myself one of the best "programmers" I won't, and this news
> group is public, putting subject lines like that is only going to make
> you look bad IMHO.

Dammit - given that I've just responded, does that look egotistical? If
so, I take it back. AMILCAR DON'T USE THE INFORMATION I PROVIDED, I
HAVE WITHDRAWN IT.
;-)

Cheers,
Andy
Jul 17 '05 #4
Andy Jeffries wrote:
> Cameron wrote:
>> Mmmmm what a heavenly way to make a site totally inaccessible to users
>> without javascript, and I could respond to points in question but as I
>> wouldn't call myself one of the best "programmers" I won't, and this
>> news group is public, putting subject lines like that is only going to
>> make you look bad IMHO.
>
> Dammit - given that I've just responded, does that look egotistical? If
> so, I take it back. AMILCAR DON'T USE THE INFORMATION I PROVIDED, I
> HAVE WITHDRAWN IT.
> ;-)
>
> Cheers,
> Andy

lol, nah just stick to, I thought the subject line was insulting so I
replied anyway ;)

~Cameron
Jul 17 '05 #5
Amilcar wrote:
> I've a page that sends an encrypted password, using MD5, to a PHP
> file, which is able to compare such MD5 encrypted password with an
> encryption stored on a data base. But the encryption way, on MD5, on
> JavaScript and PHP doesn't return the same value.
> My questions are:
> 1. Aren't these methods the same? I mean, the implementation on
> JavaScript and the implementation on PHP.

I guess (at least) one of the implementations is not doing it according
to the specifications.
RFC1321 ( @ http://www.faqs.org/rfcs/rfc1321.html ) has a few test cases
along with an implementation in C.

> 2. I could fix this by calling my .js file on my .php file. How can I
> do this?

hehe, in all the tests I did, the PHP implementation has never let me
down :)

Get a working JS implementation and let the browser use that one.
Have the server use PHP's implementation.

> 3. Does anyone know about an encryption method that returns the same
> value, on JavaScript and PHP?

You might want to check this page for a JavaScript MD5 implementation:
http://pajhome.org.uk/crypt/md5/index.html
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #6
I see a problem with your security scheme that makes the md5 hash almost
irrelevant. However, I can think of 5 programmers off the top of my
head who are better than me, so I guess I can't help you.
Jul 17 '05 #7
Amilcar wrote:
> I've a page that sends an encrypted password, using MD5, to a PHP
> file, which is able to compare such MD5 encrypted password with an
> encryption stored on a data base. But the encryption way, on MD5, on
> JavaScript and PHP doesn't return the same value.
> My questions are:
> 1. Aren't these methods the same? I mean, the implementation on
> JavaScript and the implementation on PHP.
>
> 2. I could fix this by calling my .js file on my .php file. How can I
> do this?
>
> 3. Does anyone know about an encryption method that returns the same
> value, on JavaScript and PHP?

Yeah, ego thing aside, I just tested a Javascript (IE6/Win98) md5 hash and a PHP
one. They both came out the same (though it's quite possible different browsers
will implement it differently). Before you think too hard about solutions, I'd
make sure you're using the same text for both. Make sure something stupid is
not going on, like unintentional backslashes in the text or sending "Array()"
instead of an array element or any of the common errors that you might be
overlooking.

Once you figure out what's wrong and how to fix it, you might want to reconsider
using Javascript :o)

Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #8
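
Added example (not part of any post in this thread): a Node.js sketch of the two checks suggested above, first running an MD5 implementation against the RFC 1321 test vectors, then, when both sides conform, finding which input mangling explains a digest mismatch. The function names and the list of manglings are constructed for illustration.

```javascript
const crypto = require('crypto');

// RFC 1321 test suite (the vectors quoted earlier in the thread).
const RFC1321_VECTORS = [
  ['', 'd41d8cd98f00b204e9800998ecf8427e'],
  ['a', '0cc175b9c0f1b6a831c399e269772661'],
  ['abc', '900150983cd24fb0d6963f7d28e17f72'],
  ['message digest', 'f96b697d7cb7938d525a2f31aaf161d0'],
  ['abcdefghijklmnopqrstuvwxyz', 'c3fcd3d76192e4007dfb496cca67e13b'],
  ['ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',
    'd174ab98d277d9f5a5611c2c9f419d9f'],
  ['1234567890'.repeat(8), '57edf4a22be3c955ac49da2e2107b67a'],
];

// Reference digest: Node's built-in MD5 over explicitly encoded bytes.
function md5Hex(data, encoding = 'utf8') {
  const bytes = typeof data === 'string' ? Buffer.from(data, encoding) : data;
  return crypto.createHash('md5').update(bytes).digest('hex');
}

// Step 1: run a candidate implementation (string -> hex digest) over the
// vectors and return the inputs it gets wrong. Empty array = conforms.
function failingVectors(md5Impl) {
  return RFC1321_VECTORS.filter(([input, expected]) => {
    try {
      return String(md5Impl(input)).toLowerCase() !== expected;
    } catch (err) {
      return true; // an exception counts as a failure
    }
  }).map(([input]) => input);
}

// Step 2: both sides conform but still disagree, so the inputs differ.
// Constructed list of common manglings, tried in order.
const MANGLINGS = [
  ['identical input', (s) => Buffer.from(s, 'utf8')],
  ['backslash-escaped quotes', (s) => Buffer.from(s.replace(/(['"\\])/g, '\\$1'), 'utf8')],
  ['Latin-1 instead of UTF-8', (s) => Buffer.from(s, 'latin1')],
  ['UTF-16 code units hashed', (s) => Buffer.from(s, 'utf16le')],
  ['trailing newline', (s) => Buffer.from(s + '\n', 'utf8')],
];

// Given the digest one side produced and the text the other side holds,
// name the first mangling that reproduces the digest (null if none does).
function explainMismatch(otherSideDigest, text) {
  const want = otherSideDigest.toLowerCase();
  const hit = MANGLINGS.find(([, mangle]) => md5Hex(mangle(text)) === want);
  return hit ? hit[0] : null;
}
```

Pass the browser-side MD5 function to failingVectors() first; only if it returns an empty array is explainMismatch() worth running on the digest the browser sent and the text the server holds.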
Who knows? Perhaps he's using a random challenge value. Then again, if I can
see the plaintext traffic then I can just steal the cookie and hijack the
session. All in all it's pretty pointless.

User "Bruce Lewis" <br*****@yahoo.com> wrote in message
news:nm*************@mass-toolpike.mit.edu...
> I see a problem with your security scheme that makes the md5 hash almost
> irrelevant. However, I can think of 5 programmers off the top of my
> head who are better than me, so I guess I can't help you.

Jul 17 '05 #9
> I've a page that sends an encrypted password, using MD5, to a PHP
> file, which is able to compare such MD5 encrypted password with an
> encryption stored on a data base.

So basically you have a db of hashed passwords, and not like most
password auth stuff that's used on most webpages, you want to hash
the password -before- it's sent to the server, right?

> JavaScript and PHP doesn't return the same value.

This is due to how it's implemented. If you use the md5-function
of PHP, that will yield the correct result. So the problem surely
lies in the javascript. So check it for errors.

> 1. Aren't these methods the same? I mean, the implementation on
> JavaScript and the implementation on PHP.

MD5 is an algorithm, a one-way hash function. It's standardized,
so what's wrong here is its implementation, probably in the js.

> 2. I could fix this by calling my .js file on my .php file. How can I
> do this?

I'm not sure I know what you are talking about, but if you mean using
the algorithm used in your js in the execution of your php-script, then
the answer is no. It's not possible. And it wouldn't be a fix. It would
most probably mean that you'd be using a broken algorithm, since I'm
pretty convinced that it's your js algo and not the php md5 fu that's
broke here. (You are using the php md5 fu, and not your own fu, right?!)

> 3. Does anyone know about an encryption method that returns the same
> value, on JavaScript and PHP?

Yes. All of them, if they are implemented correctly. Your problem is that
the client side (js) and the server side (php) algorithms aren't doing
the same, and as I've said a few times now, most probably the js.
But I'm not sure if you need to hash the password on the client side.
Or, actually, I know you don't, since it doesn't add security. See, I
bet you want to hash the password before you send it, to hide it from
being sniffed by someone, somewhere. But if you send the md5 hash of the
pwd, then the hash becomes the pwd as far as the server is concerned.
So if someone sniffs the md5 hash of the pwd, they can use it at a later
time as the password.

The reason you want to hash the password in the first place, is to
protect it from being retrieved from the server by a hacker, and then
used by that hacker later. The security lies in that the user knows the
password, and the server knows its md5 hash. So if anyone gets hold of
the md5 hash, it's totally useless, since you can't feed it to the server.
The server would hash it, and compare it, and the hash of the hash, would
not match the hash (of the password) of course.

So hashing the password -before- you send it to the server, would greatly
lower the security of your system.

I can only see one good reason to hash the password before you send it,
and that is to protect the password itself. What you'd need to do then,
is to hash it (with js) before you send it, and then hash it again at the
server. So what the server is having stored, and is doing its compares
against, is a hash of the hash of the password. But as I said earlier,
this would not stop anyone from sniffing the (hash of the) password, and
using it later towards the server. It would only prohibit the sniffer of
knowing what your original pass phrase was. Which, of course, could have
some value of its own.

A better way of achieving what I suspect you want, is to use an encrypted
channel between the client and the host, using SSL (https://). This is
a whole other ballgame though...

> Thanks a lot.

You're welcome :-)

--
Fred H

void FredH::Contact() {
TextToSpeach.say("frode at age dee dee dot en oh");
}
Jul 17 '05 #10
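
Added example (not part of any post in this thread): a Node.js model of the three arrangements discussed in the post above, reporting for each whether a value copied from the database works as a login credential and whether the plaintext password crosses the wire. The scheme names and the assess() helper are constructed for illustration; MD5 appears only because it is the hash the thread discusses.

```javascript
const crypto = require('crypto');

// MD5 mirrors the scheme discussed in the thread.
const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constant-time comparison of two strings.
function sameValue(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// For each arrangement: what the server stores, what the browser sends,
// and how the server checks what it received against what it stored.
const SCHEMES = {
  // The original poster's design: hash in the browser, compare as-is.
  clientHashOnly: {
    store: (pw) => md5(pw),
    wire: (pw) => md5(pw),
    check: (received, stored) => sameValue(received, stored),
  },
  // Conventional design: send the password, hash on the server.
  serverHashOnly: {
    store: (pw) => md5(pw),
    wire: (pw) => pw,
    check: (received, stored) => sameValue(md5(received), stored),
  },
  // Hash in the browser and again on the server.
  hashThenHash: {
    store: (pw) => md5(md5(pw)),
    wire: (pw) => md5(pw),
    check: (received, stored) => sameValue(md5(received), stored),
  },
};

function assess(schemeName, password) {
  const { store, wire, check } = SCHEMES[schemeName];
  const stored = store(password);
  const onWire = wire(password);
  return {
    legitimateLoginWorks: check(onWire, stored),
    // Does the database value itself authenticate if submitted?
    storedValueIsCredential: check(stored, stored),
    // Anything captured in transit can be resubmitted unchanged.
    wireValueReplayable: check(onWire, stored),
    plaintextOnWire: onWire === password,
  };
}
```

Only clientHashOnly reports storedValueIsCredential as true; wireValueReplayable is true for all three, which is why the post ends by pointing at an encrypted channel.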

You could use SHA1 instead of MD5. SHA1 calculates a 160 bit hash
(40 hex chars), opposed to MD5's 128 bits hash (32 hex chars). The
security of SHA1 is considered better than that of MD5.

PHP has a SHA1 fu, called, yeah, sha1(). A sha1 js can be found here:
http://pajhome.org.uk/crypt/md5/sha1src.html

Good luck.
Jul 17 '05 #11
Amilcar wrote:
> Hi:
>
> I have a problem:
> I've a page that sends an encrypted password, using MD5, to a PHP
> file, which is able to compare such MD5 encrypted password with an
> encryption stored on a data base. But the encryption way, on MD5, on
> JavaScript and PHP doesn't return the same value.
> My questions are:
> 1. Aren't these methods the same? I mean, the implementation on
> JavaScript and the implementation on PHP.
>
> 2. I could fix this by calling my .js file on my .php file. How can I
> do this?
>
> 3. Does anyone know about an encryption method that returns the same
> value, on JavaScript and PHP?
>
> Thanks a lot.
>
> Alejo.

OK, and what about '4 the best programmers' part!

Jul 17 '05 #12
