
sybperl-l Archive


From: Michael Peppler <mpeppler at MBAY dot NET>
Subject: RE: I need a simple encryption subroutine, to encrypt/decrypt a string
Date: Feb 18 1999 5:47PM

>>>>> "Jason" == Jason Risley  writes:

Jason> Steve, for an app that I have where security is an issue, I do
Jason> the following:

Jason> 1. Gather initial password from Login Page.
Jason> 2. Check to see if password is valid.
Jason> 3. If not valid, revoke access.
Jason> 4. If valid, randomize a session key.
Jason> 5. I associate and store the randomized session key to the
Jason>    password.
Jason> 6. Each time the session key is used that record is timestamped.
Jason> 7. I also have a cron job set up for every fifteen minutes, that if
Jason>    a session key's timestamp is greater than 16 minutes old, then
Jason>    the session key record is deleted and the user is required to
Jason>    relogin to continue (which generates a new session key).


Another useful thing is to use an MD5 hash to validate the session
key. This makes it pretty much impossible to create a valid session
key by "chance"...


>> -----Original Message-----
>> From: []On Behalf Of Steve Allen
>> Sent: Thursday, February 18, 1999 10:51 AM
>> To: SybPerl Discussion List
>> Cc: 'Steve Allen'; SybPerl Discussion List
>> Subject: Re: I need a simple encryption subroutine, to
>> encrypt/decrypt a string
>>
>> Chris,
>>
>> I have a form created in html which a password is input, this form
>> will be used by many people to access the application, I then need
>> to use the POST method in cgi which executes the main perl script
>> diary application.  the problem is the password is passed as a
>> variable in the query string and only this user would see the
>> password on how leaving his desk leaves his password is wide open
>> as it will show in the browser. this password is the main password
>> to access the SQLSERVER database. the simplest method is to encrypt
>> the password when passed to the second perl script using "POST"
>> method then when the diary is regularly refreshed the password
>> which will then be bookmarked will show the variable and the
>> encrypted password, when the variable is checked it can then be
>> decrypted and used to access the database
>>
>> so all I need is a bit of perl to read the string, and convert to
>> something, and then be able to unconvert when database connection
>> is required.
>>
>> I am not too sure how to manipulate a string in perl like you would
>> do in C ie newstr[i] = oldstr[i] + 'A' for instance
>>
>> Regards Steve.
>>
>> Chris Jack wrote:
>>
>> > I am not clear why you need encryption. Are you worried about some
>> > security problem - if so what? What operating system are you using?
>> >
>> > Is it the case that what you need is a mechanism whereby you invoke
>> > an application with a password. Furthermore you do not want people
>> > to eavesdrop upon that password. If so, how do believe people would
>> > do this in your environment? If your problem is simply that you pass
>> > the password on the command line and people can then do process
>> > listings to view it, there are other mechanisms you could use to
>> > pass the password. For instance you could invoke the Perl script as
>> > a pipe and pass the password on STDIN.
>> >
>> > In a more general sense, it is easier to advise on a solution to a
>> > problem if you give complete details of the problem rather than
>> > asking for advice on implementing one possible solution.
>> >
>> > Chrisj
>> >
>> > -----Original Message-----
>> > From: Steve Allen []
>> > Sent: Thursday, February 18, 1999 3:11 PM
>> > To:
>> > Cc: SybPerl Discussion List
>> > Subject: Re: I need a simple encryption subroutine, to
>> > encrypt/decrypt a string
>> >
>> > Chris Jack wrote:
>> >
>> > > Perl has a function called crypt() that you could look at but that
>> > > only does encryption (why do you need to decrypt?). Alternatively
>> > > you could get PGP off the net. You could also try looking at the
>> > > secure_rpc routines if they are available on your platform.
>> > >
>> > > It would be useful if you could give a little bit more information
>> > > about what you are trying to achieve. Do you want to force users
>> > > to access Sybase only through applications controlled by you or
>> > > what?
>> >
>> > I need to pass the information between forms ie perl/sybperl script
>> > which access a database. Based on selections made it reconnects to
>> > the db, currently this is passed on the query string but I need to
>> > encrypt/decrypt when I read the variable I need to decrypt it so I
>> > can access the database as the user.
>> > A main entry form takes the original password
>> >
>> > Kind Regards
>> > Steve Allen.
>> -- Sybase (UK) LTD email: Sybase Court direct:
>> 01628 597130 Crown Lane tel: 01628 597111 Maidenhead fax: 01628
>> 597112 Berkshire http: SL6 8QZ

Michael Peppler         -||-  Data Migrations Inc.       -||-
Int. Sybase User Group  -||-
Sybase on Linux mailing list:
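
The session scheme discussed in this message (random session key, timestamp on each use, 16-minute idle limit, hash check on the key), as an added Perl example that is not part of the original post or from any of its authors. It uses HMAC-SHA256 from Digest::SHA as the keyed hash in place of the MD5 hash mentioned above; the server secret, the in-memory store and all sub names are assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (not from the thread): the secret, the in-memory %sessions store
# (stand-in for a database table) and every sub name here are hypothetical.
my $SERVER_SECRET = 'constructed-example-secret';  # keep outside the web root in practice
my $MAX_IDLE      = 16 * 60;                       # idle limit from the message, in seconds
my %sessions;                                      # session id => { user, last_used }

# 16 bytes from the kernel CSPRNG, hex-encoded (32 characters).
sub random_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    return unpack('H*', $buf);
}

# Called only after the password check succeeded; returns "id.mac".
sub issue_session {
    my ($user, $now) = @_;
    my $id = random_id();
    $sessions{$id} = { user => $user, last_used => $now };
    return $id . '.' . hmac_sha256_hex($id, $SERVER_SECRET);
}

# Comparison whose run time does not depend on where the strings differ.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name for a well-formed, authentic, non-idle token; undef otherwise.
sub check_session {
    my ($token, $now) = @_;
    my ($id, $mac) = ($token // '') =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/ or return;
    return unless ct_eq($mac, hmac_sha256_hex($id, $SERVER_SECRET));  # guessed or altered
    my $s = $sessions{$id} or return;                                 # unknown or purged
    if ($now - $s->{last_used} > $MAX_IDLE) { delete $sessions{$id}; return; }
    $s->{last_used} = $now;                                           # timestamp each use
    return $s->{user};
}

# Constructed demo: timestamps are passed in so the outcome does not depend on the clock.
my $t0     = time;
my $token  = issue_session('steve', $t0);
my $forged = ('0' x 32) . substr($token, 32);      # different id, MAC copied from a real token
print "$_->[0]: ", (check_session($_->[1], $_->[2]) // 'rejected'), "\n"
    for ['in use', $token, $t0 + 60], ['forged', $forged, $t0 + 60],
        ['idle 17 min', $token, $t0 + 60 + 17 * 60];
```

Only the opaque token travels in the form or URL; the database password stays on the server, so nothing that appears in the browser or a bookmark can be decrypted back into it.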