http basic auth

. You should identify which entities/methods require the user to be authenticated and ensure you return the correct response code. You need to implement this in a robust manner. Finally, you should thoroughly test your web service.

Hi guys, I'm having trouble understanding what to do for this exercise that I have been set. We have been taught to use MD5 and base64 to encrypt passwords, WHICH everyone has told me basically sucks. But this is what I have to use.

I have a users table and many PUT and GET methods.

I have saved the user passwords using md5.

What I am trying to do is to check whether or not the user has sufficient privilege to delete an article on my web service, but I have no clue how to go about doing this.

Can someone point me in the right direction please :-X :-X

MD5 is a hashing routine and is not encryption; base64, however, is. This means that an attacker can extremely easily decrypt the base64 string, but he cannot decrypt the MD5 string. What's usually done with MD5 is either a rainbow table lookup or brute force.

Rainbow tables
Your code is at the moment vulnerable to this. Online you can find huge rainbow tables (terabytes of data) with hash:plaintext combinations. An attacker could search these for your MD5 hash and potentially get a match.

Brute force
An attacker could calculate MD5 hashes and look for a match. For comparison: a correctly set up bcrypt hash would let the attacker calculate 1-4 hashes/s. With MD5 this number is more like 900,000,000 hashes/s.

Just thought it would be good to know the reasoning behind it :slight_smile:
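To make the two attacks in the reply above concrete, here is an added example (not code from the thread) in the same PHP the service is written in. The wordlist, users and salts are constructed; the lookup table is a five-entry stand-in for a real rainbow table. It shows that unsalted MD5 is cracked with a dictionary lookup and zero hashing, while a per-user salt forces the attacker to re-hash the wordlist for every user:

```php
<?php
// Added example, not part of the original thread. Demonstrates why a
// per-user salt defeats a precomputed hash:plaintext table.
// All wordlists, users and salts below are constructed demo data.

declare(strict_types=1);

// A tiny stand-in for a rainbow/lookup table: md5(plaintext) => plaintext.
// A real one is built once and reused against every leaked database.
function buildLookupTable(array $wordlist): array
{
    $table = [];
    foreach ($wordlist as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Attack 1: unsalted MD5. One array lookup per user, no hashing at all.
function crackUnsalted(array $table, array $storedHashes): array
{
    $cracked = [];
    foreach ($storedHashes as $user => $hash) {
        if (isset($table[$hash])) {
            $cracked[$user] = $table[$hash];
        }
    }
    return $cracked;
}

// Attack 2: salted MD5. The precomputed table is useless, because the
// stored value is md5(salt . password) and every user has a different salt.
// The attacker has to hash the whole wordlist again per user. Returns the
// cracked passwords and how many md5() calls that cost.
function crackSalted(array $wordlist, array $storedRecords): array
{
    $cracked = [];
    $work = 0;
    foreach ($storedRecords as $user => $rec) {
        foreach ($wordlist as $word) {
            $work++;
            if (md5($rec['salt'] . $word) === $rec['hash']) {
                $cracked[$user] = $word;
                break;
            }
        }
    }
    return ['cracked' => $cracked, 'md5_calls' => $work];
}

// Constructed demo data.
$wordlist = ['password', 'abc123', 'letmein', 'qwerty', 'hunter2'];

$unsalted = [
    'alice' => md5('abc123'),
    'bob'   => md5('qwerty'),
    'carol' => md5('correct horse'),   // not in the wordlist
];

$salted = [
    'alice' => ['salt' => 'L6Q2n0d7OA5YZeTkXvvd', 'hash' => md5('L6Q2n0d7OA5YZeTkXvvd' . 'abc123')],
    'bob'   => ['salt' => 'x9fT2pQ1mZ7aB3cD4eF5', 'hash' => md5('x9fT2pQ1mZ7aB3cD4eF5' . 'qwerty')],
];

$table = buildLookupTable($wordlist);
print_r(crackUnsalted($table, $unsalted));   // alice and bob fall with 0 md5() calls; carol is not in the table
print_r(crackSalted($wordlist, $salted));    // same two passwords, but only after fresh md5() calls per user
```

The salt only kills the precomputed table; it does nothing about the brute-force rate in the reply above, since each guess is still a single fast md5() call. That part can only be addressed by a deliberately slow hash such as the bcrypt the reply mentions.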


If you want to get more secure with MD5 then change it to be like this:

add to config:
[php]$pepper = '321809Q853P6281435O74C082QjbQ59g77ECNi1i06D3Y689b36N4e32OtO82H87WEy3h3k4335G1PbXl1HY15TM25V0aPYh2Hde';[/php]

user table, add salt column
[php]id | username | email | salt | password[/php]

when inserting users, create a random salt, ie: L6Q2n0d7OA5YZeTkXvvd

logging in:
[php]// pseudo-code for your DB layer: look the user up by the submitted email
$user = $db->query('SELECT * FROM user WHERE email = ?', [$_POST['email']]);

if (!$user) {
    throw new Exception('Invalid user');
}

// md5() takes one string, so concatenate pepper, salt and password.
// hash_equals() compares in constant time and avoids PHP's == type juggling
// on hex strings that happen to look like numbers ("0e123...").
if (hash_equals($user->password, md5($pepper . $user->salt . $_POST['submittedPassword']))) {
    // logged in
} else {
    // wrong password
}[/php]

Of course you need to save the hash using the same data, so on registration you do

[php]$password = md5($pepper . $salt . $_POST['submittedPassword']);
// save $password (and $salt) to db when saving user[/php]

password abc123 might be saved as



Since you're doing a web service which requires authentication (at least for parts), we can assume the user will submit his/her username/password with the requests. Just check that the username/password is valid before running the protected functions/methods.
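Putting the two replies above together, here is an added example (not code from the thread) of the check a protected DELETE handler would make: parse the HTTP Basic Authorization header, verify the pepper + salt + MD5 hash from the earlier reply, then check the user's role and return 401, 403 or 204. The pepper is the one posted above; the users array, role names, realm and the hypothetical handleDeleteArticle() function are constructed for the example:

```php
<?php
// Added example, not code from the original thread. Shows HTTP Basic auth
// parsing, the pepper+salt+MD5 verification from the earlier reply, and a
// role check for deleting an article. Users, roles and the realm are
// constructed demo data; in the real service they come from the DB.

declare(strict_types=1);

$pepper = '321809Q853P6281435O74C082QjbQ59g77ECNi1i06D3Y689b36N4e32OtO82H87WEy3h3k4335G1PbXl1HY15TM25V0aPYh2Hde';

// Per-user random salt, generated once at registration and stored next to the hash.
function makeSalt(): string
{
    return base64_encode(random_bytes(15));   // 20 characters
}

function hashPassword(string $pepper, string $salt, string $password): string
{
    return md5($pepper . $salt . $password);
}

// Constant-time comparison. A plain == on two MD5 hex strings can be fooled
// by PHP type juggling when both look like "0e..." numbers.
function verifyPassword(string $pepper, array $user, string $password): bool
{
    return hash_equals($user['password'], hashPassword($pepper, $user['salt'], $password));
}

// Parse "Authorization: Basic base64(username:password)".
// Returns null when the header is missing or malformed.
function parseBasicAuth(?string $header): ?array
{
    if ($header === null || stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);   // strict: reject junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$username, $password] = explode(':', $decoded, 2);   // password may itself contain ':'
    return ['username' => $username, 'password' => $password];
}

// Returns [status, headers, body].
//   401 = not authenticated (must carry WWW-Authenticate so clients retry with credentials)
//   403 = authenticated, but this user may not delete articles
//   204 = deleted
function handleDeleteArticle(?string $authHeader, array $users, string $pepper, string $requiredRole = 'editor'): array
{
    $challenge = ['WWW-Authenticate' => 'Basic realm="articles"'];
    $creds = parseBasicAuth($authHeader);
    // Unknown user and wrong password get the identical response.
    if ($creds === null || !isset($users[$creds['username']])) {
        return [401, $challenge, 'authentication required'];
    }
    $user = $users[$creds['username']];
    if (!verifyPassword($pepper, $user, $creds['password'])) {
        return [401, $challenge, 'authentication required'];
    }
    if ($user['role'] !== $requiredRole) {
        return [403, [], 'forbidden'];
    }
    // ... delete the article here ...
    return [204, [], ''];
}

// Constructed demo users: what the registration step would have stored.
$aliceSalt = makeSalt();
$bobSalt   = makeSalt();
$users = [
    'alice' => ['salt' => $aliceSalt, 'password' => hashPassword($pepper, $aliceSalt, 'abc123'),  'role' => 'editor'],
    'bob'   => ['salt' => $bobSalt,   'password' => hashPassword($pepper, $bobSalt,   'hunter2'), 'role' => 'reader'],
];

// Constructed requests, one per outcome.
$requests = [
    'no header'       => null,
    'alice, good pw'  => 'Basic ' . base64_encode('alice:abc123'),
    'alice, bad pw'   => 'Basic ' . base64_encode('alice:wrong'),
    'bob (reader)'    => 'Basic ' . base64_encode('bob:hunter2'),
];
foreach ($requests as $label => $header) {
    [$status] = handleDeleteArticle($header, $users, $pepper);
    echo "$label => $status\n";   // 401, 204, 401, 403
}
// In the live service the header comes from $_SERVER['HTTP_AUTHORIZATION']
// (or PHP_AUTH_USER / PHP_AUTH_PW) and the status goes out via http_response_code().
```

Keep the two failure codes separate: 401 means "I don't know who you are, send credentials", 403 means "I know who you are and the answer is no". Sending 401 for a known, correctly authenticated user with the wrong role makes clients re-prompt for a password that was never the problem.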
