PEPPLER.ORG
Michael Peppler
Sybase Consulting

sybperl-l Archive


From: Michael Peppler <mpeppler at MBAY dot NET>
Subject: RE: I need a simple encryption subroutine, to encrypt/decrypt a string
Date: Feb 18 1999 5:47PM

>>>>> "Jason" == Jason Risley  writes:

Jason> Steve,
Jason> For an app that I have where security is an issue, I do
Jason> the following:

Jason> 1. Gather initial password from Login Page.
Jason> 2. Check to see if password is valid.
Jason> 3. If not valid revoke access.
Jason> 4. If valid, randomize a session key.
Jason> 5. I associate and store the randomized session key to the
Jason>    password.
Jason> 6. Each time the session key is used that record is timestamped.
Jason> 7. I also have a cron job set up for every fifteen minutes, that
Jason>    if a session key's timestamp is greater than 16 minutes old,
Jason>    then the session key record is deleted and the user is
Jason>    required to relogin to continue (which generates a new
Jason>    session key).

Neat.

Another useful thing is to use an MD5 hash to validate the session
key. This makes it pretty much impossible to create a valid session
key by "chance"...

Michael


>> -----Original Message-----
>> From: owner-SYBPERL-L@listproc.net
>> [mailto:owner-SYBPERL-L@listproc.net]On Behalf Of Steve Allen
>> Sent: Thursday, February 18, 1999 10:51 AM
>> To: SybPerl Discussion List
>> Cc: 'Steve Allen'; SybPerl Discussion List
>> Subject: Re: I need a simple encryption subroutine, to
>> encrypt/decrypt a string
>> 
>> 
>> Chris,
>> 
>> I have a form created in html which a password is input, this form
>> will be used by many people to access the application, I then need
>> to use the POST method in cgi which executes the main perl script
>> diary application.  the problem is the password is passed as a
>> variable in the query string and only this user would see the
>> password on how leaving his desk leaves his password is wide open
>> as it will show in the browser. this password is the main password
>> to access the SQLSERVER database. the simplest method is to encrypt
>> the password when passed to the second perl script using "POST"
>> method then when the diary is regularly refreshed the password
>> which will then be bookmarked will show the variable and the
>> encrypted password, when the variable is checked it can then be
>> decrypted and used to access the database
>> 
>> so all I need is a bit of perl to read the string, and convert to
>> something, and then be able to unconvert when database connection
>> is required.
>> 
>> I am not too sure how to manipulate a string in perl like you would
>> do in C ie newstr[i] = oldstr[i] + 'A' for instance
>> 
>> 
>> 
>> Regards Steve.
>> 
>> Chris Jack wrote:
>> 
>> > I am not clear why you need encryption. Are you worried about some
>> > security problem - if so what? What operating system are you using?
>> >
>> > Is it the case that what you need is a mechanism whereby you invoke an
>> > application with a password. Furthermore you do not want people to
>> > eavesdrop upon that password. If so, how do believe people would do
>> > this in your environment? If your problem is simply that you pass the
>> > password on the command line and people can then do process listings
>> > to view it, there are other mechanisms you could use to pass the
>> > password. For instance you could invoke the Perl script as a pipe and
>> > pass the password on STDIN.
>> >
>> > In a more general sense, it is easier to advise on a solution to a
>> > problem if you give complete details of the problem rather than asking
>> > for advice on implementing one possible solution.
>> >
>> > Chrisj
>> >
>> > -----Original Message-----
>> > From: Steve Allen [SMTP:sallen@sybase.com]
>> > Sent: Thursday, February 18, 1999 3:11 PM
>> > To: jackc@rabo-bank.com
>> > Cc: SybPerl Discussion List
>> > Subject: Re: I need a simple encryption subroutine, to
>> > encrypt/decrypt a string
>> >
>> > Chris Jack wrote:
>> >
>> > > Perl has a function called crypt() that you could look at but that
>> > > only does encryption (why do you need to decrypt?). Alternatively
>> > > you could get PGP off the net. You could also try looking at the
>> > > secure_rpc routines if they are available on your platform.
>> > >
>> > > It would be useful if you could give a little bit more information
>> > > about what you are trying to achieve. Do you want to force users to
>> > > access Sybase only through applications controlled by you or what?
>> >
>> > I need to pass the information between forms ie perl/sybperl script
>> > which access a database. Based on selections made it reconnects to
>> > the db, currently this is passed on the query string but I need to
>> > encrypt/decrypt when I read the variable I need to decrypt it so I
>> > can access the database as the user.
>> > A main entry form takes the original password
>> >
>> > Kind Regards
>> > Steve Allen.
>> 
>> --
>> Sybase (UK) LTD    email:  sallen@sybase.com
>> Sybase Court       direct: 01628 597130
>> Crown Lane         tel:    01628 597111
>> Maidenhead         fax:    01628 597112
>> Berkshire          http:   www.sybase.com
>> SL6 8QZ
>> 



-- 
Michael Peppler         -||-  Data Migrations Inc.
mpeppler@mbay.net       -||-  http://www.mbay.net/~mpeppler
Int. Sybase User Group  -||-  http://www.isug.com
Sybase on Linux mailing list: ase-linux-list@isug.com
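
The session-key scheme discussed in this message (random key stored server-side, timestamp on each use, expiry after 16 idle minutes, plus a hash check so a key cannot be hit by chance), as an added example that is not code from the thread. It uses HMAC-SHA-256 from Digest::SHA in place of the plain MD5 hash mentioned above; the secret, the in-memory %sessions table and the sub names are assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET   = 'constructed-demo-secret';  # assumption: server-side only, never sent to the browser
my $MAX_IDLE = 16 * 60;                    # idle limit from the thread, in seconds
my %sessions;                              # id -> { user, last_used }; stands in for the session table

# 128-bit random id from the OS random source (assumes /dev/urandom exists).
sub random_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack('H*', $buf);
}

# Called only after the password check has succeeded; returns "id.mac".
sub issue_key {
    my ($user, $now) = @_;
    my $id = random_id();
    $sessions{$id} = { user => $user, last_used => $now };
    return $id . '.' . hmac_sha256_hex($id, $SECRET);
}

# Returns the user name for a valid, fresh key and undef otherwise.
sub check_key {
    my ($key, $now) = @_;
    my ($id, $mac) = $key =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/ or return;
    my $want = hmac_sha256_hex($id, $SECRET);
    my $diff = 0;                              # compare every character, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return if $diff;                           # guessed or altered key: rejected before any lookup
    my $s = $sessions{$id} or return;          # unknown id, or record already deleted
    if ($now - $s->{last_used} > $MAX_IDLE) {  # same rule the cron job enforces
        delete $sessions{$id};
        return;
    }
    $s->{last_used} = $now;                    # timestamp each use
    return $s->{user};
}

# Constructed walk-through: fresh key, altered key, then an idle period over the limit.
my $t0  = time;
my $key = issue_key('steve', $t0);
my $bad = $key;
substr($bad, 0, 1) = substr($bad, 0, 1) eq '0' ? '1' : '0';
printf "%-8s %s\n", 'fresh',   check_key($key, $t0 + 60) // 'rejected';
printf "%-8s %s\n", 'altered', check_key($bad, $t0 + 61) // 'rejected';
printf "%-8s %s\n", 'idle',    check_key($key, $t0 + 60 + 17 * 60) // 'rejected';
```

Only the opaque key travels in the form or URL; the database password stays on the server, keyed by the session record.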