
sybperl-l Archive

From: "Ryan Russell" <Ryan dot Russell at sybase dot com>
Subject: Re: I need a simple encryption subroutine, to encrypt/decrypt a string
Date: Feb 18 1999 6:21PM

If I'm following you correctly...

First off.. if you're using the POST method, the variables
don't show up in the URL, that's the GET method.

Second, if you're proposing to send an encrypted string (actually,
it looks more like a hash for what you're talking about) that
will allow the function to happen, then stealing the crypted
string is as good as having the cleartext password.

You're also passing passwords (or hashes which are just as good)
in an unencrypted HTTP session, which is subject to monitoring.

My suggestion(s):

Use an SSL web server, use the POST method, and don't worry
about the fact that the password is in the form.  I believe that most
web browsers (when working correctly) will not cache SSL posted
forms.

-or-

Where do the passwords come from to begin with?  Are they unix
passwords from an NIS map, or DB passwords in a table?  One thing
you can do is hash them on the client via some Java thing and send a hash.
If it's matched against a unix passwd file, you can replicate the crypt(3)
function.  If it's DB passwords, you just have to have the same hash
function on both the client and server.

-or-

Pass the password in the clear the first time, and use a cookie (a
well designed cookie... a whole other discussion) to allow access
later.  This does nothing to help sniffing, if you're
concerned about that (you should be.)


If this is for an internal application rather than for a client, you
always have the option of consulting with one of your
internal security people, I'm sure they'd appreciate
you checking with them.  (I'm your internal security
person, Steven.)

                         Ryan

Chris,

I have a form created in HTML in which a password is input; this form will be
used by many people to access the application. I then need to use the POST
method in CGI, which executes the main Perl script diary application. The
problem is that the password is passed as a variable in the query string, and
only this user would see the password; however, leaving his desk leaves his
password wide open, as it will show in the browser. This password is the main
password to access the SQLSERVER database. The simplest method is to encrypt
the password when it is passed to the second Perl script using the "POST"
method; then, when the diary is regularly refreshed, the password, which will
then be bookmarked, will show the variable and the encrypted password. When the
variable is checked it can then be decrypted and used to access the database.

So all I need is a bit of Perl to read the string, convert it to something, and
then be able to unconvert it when a database connection is required.

I am not too sure how to manipulate a string in Perl like you would do in C,
i.e. newstr[i] = oldstr[i] + 'A' for instance.

Regards
Steve.
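Ryan's third option, as an added Perl example that is not part of the original thread: a server-issued, expiring, HMAC-signed cookie value that never carries the database password, so a bookmarked or stolen copy is neither a password-equivalent nor usable after it expires, which is the property the "encrypt the password into the query string" design lacks. It assumes a secret held only by the CGI server ($SERVER_SECRET, a constructed placeholder), Perl 5.10 or later, and the core Digest::SHA module; setting the cookie over SSL and mapping the verified user to database credentials are left to the application.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a server-issued, expiring,
# HMAC-signed session token in the spirit of Ryan's "well designed cookie".
# Assumes a secret known only to the CGI server ($SERVER_SECRET is a
# constructed placeholder) and Perl's core Digest::SHA module.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SERVER_SECRET = 'constructed-demo-secret-rotate-me';   # never sent to the browser

# Build "user|expires|mac". The DB password is deliberately absent: the
# server looks up its own credentials after the token has been verified.
sub issue_token {
    my ($user, $expires) = @_;
    die "user may not contain '|'" if $user =~ /\|/;
    my $payload = "$user|$expires";
    return $payload . '|' . hmac_sha256_hex($payload, $SERVER_SECRET);
}

# Compare two strings without leaking where they differ via timing.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name if the token is intact and unexpired at $now, else undef.
sub verify_token {
    my ($token, $now) = @_;
    my ($user, $expires, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $expires =~ /^\d+$/;
    return undef if $now >= $expires;                       # replayed after expiry
    my $expected = hmac_sha256_hex("$user|$expires", $SERVER_SECRET);
    return const_eq($mac, $expected) ? $user : undef;       # tampered user or expiry
}

# Demonstration: issue a token for 'steve', valid 15 minutes from a constructed clock.
my $now   = 919367000;                                     # constructed epoch seconds
my $token = issue_token('steve', $now + 900);
print "token:   $token\n";
print "valid:   ", (verify_token($token, $now)       // 'rejected'), "\n";
print "expired: ", (verify_token($token, $now + 901) // 'rejected'), "\n";
(my $forged = $token) =~ s/^steve/admin/;                  # change the user, keep the MAC
print "forged:  ", (verify_token($forged, $now)      // 'rejected'), "\n";
```

The same token format also answers the sniffing concern only partially: without SSL an observer still gets a valid token for its remaining lifetime, which is why the expiry is kept short.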