secure login


Upload: worapot-jakkhupan

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Secure login

ICT@PSU 308-364 Advanced Web Programming 1 of 15

Securely Login with Salted Password
308-364 Advanced Web Programming

1/2558

Simplicity is the ultimate sophistication

Leonardo da Vinci

Page 2: Secure login


Objectives

• Set up an HTTPS server in XAMPP
  • https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
• Implement a secure login using hashed passwords
  • http://webexplorar.com/php-best-secure-user-registration-with-login-example/

Page 3: Secure login


Secure communication using HTTPS

• In order to encrypt the connection that carries your password, you must create an SSL certificate (containing your public key) and a server private key.
• XAMPP provides a batch file that creates a new certificate/key pair with freshly generated random keys.
  • Open a command window (Start->Run, type "cmd" and press "OK")
  • cd c:\xampp\apache
  • makecert
• Import the certificate into the browser.
• Edit the Apache config so that password-protected folders can be reached only over an encrypted connection.
  • Make folders accessible with SSL encryption only
  • Redirect "http" to "https" for certain folders

Page 4: Secure login


Setup HTTPS in XAMPP

Page 5: Secure login


Steps to set up server.crt

• Provide a new pass phrase for your key. You will need to remember this if anything goes wrong with your certificate or you need to reinstall. Put it somewhere safe.
• Verify the pass phrase by retyping it.
• Enter a country code. This will typically be ZA.
• Enter a province name. This will typically be something like Gauteng or KwaZulu-Natal.
• Enter your city name. This can be anything, such as Midrand or Franschhoek.
• Enter your full school name. This might be something like Midvale School.
• You can leave the Organizational Unit blank if you like. However, if you have multiple schools (and hence installations of ADAM) within a single school entity, you might want to put something like Girls College or Preparatory School here.
• The common name is not your name, as the prompt suggests, but rather the common name of the website you are securing (the utility that is generating the certificate can also generate personal certificates, hence this prompt). This is likely to be something like adam.midvale.co.za.
• Enter a general contact e-mail address here, typically something like [email protected].
• You can leave the challenge password blank.
• You can leave the optional company name blank.
• Enter the pass phrase that you entered at the start of the process.

Page 6: Secure login


Modify httpd.conf and httpd-ssl.conf

• First, we need to inform Apache that the folders you want to encrypt must always use encryption.
  • Open httpd.conf and enable mod_ssl by uncommenting this line (remove the leading #):

    #LoadModule ssl_module modules/mod_ssl.so

  • Open httpd-ssl.conf and point the SSL virtual host at the secure folder; SSLRequireSSL makes Apache refuse any plain-HTTP request for that directory:

    DocumentRoot "C:/xampp/htdocs/secure"

    <Directory "C:/xampp/htdocs/secure">
        SSLRequireSSL
    </Directory>

Page 7: Secure login


Results

Page 8: Secure login


Redirect "http" to "https" for certain folders

• To accomplish the redirection, we will use mod_rewrite.
  • Open httpd.conf and enable the module by uncommenting this line (remove the leading #):

    #LoadModule rewrite_module modules/mod_rewrite.so

  • Now, paste the following text at the bottom of c:\xampp\apache\conf\extra\httpd-xampp.conf (the condition fires only when the request did not arrive over HTTPS; R without a status code sends a temporary 302 redirect, R=301 makes it permanent):

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
    </IfModule>

Page 9: Secure login


Secure Password

• If you're a web developer, you've probably had to make a user account system.
• The most important aspect of a user account system is how user passwords are protected.
• In a traditional secure login:
  1. The user creates an account.
  2. Their password is hashed (MD5, SHA1, SHA256) and stored in the database.
  3. When the user attempts to log in, the hash of the password they entered is checked against the hash of their real password retrieved from the database.
  4. If the hashes match, the user is granted access.
  • Steps 3 and 4 repeat every time someone tries to log in to their account.
• A password that is only hashed (with no salt) is not secure anymore.
  • The two most common ways of guessing passwords are dictionary attacks and brute-force attacks.

https://crackstation.net/hashing-security.htm

Page 10: Secure login


Salted Hashing

• The best way to protect passwords is to employ salted password hashing.
• A new salt is randomly generated for each password.
• To Store a Password
  • Generate a long random salt using a CSPRNG.
  • Prepend the salt to the password and hash it with a standard cryptographic hash function such as SHA256.
  • Save both the salt and the hash in the user's database record.
• To Validate a Password
  • Retrieve the user's salt and hash from the database.
  • Prepend the salt to the given password and hash it using the same hash function.
  • Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect.

http://www.codeotaku.com/journal/2009-10/secure-login-using-ajax/index
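The store/validate procedure of this slide, written out as an added PHP example (it is not code from the slides or from the cited page). It assumes PHP 7 or later for random_bytes(); the function names makeSalt, saltedHash, storePassword and validatePassword are my own.

```php
<?php
// Added example: the "To Store a Password" / "To Validate a Password" steps
// from the slide, with a CSPRNG salt and a constant-time comparison.
declare(strict_types=1);

// Step 1 (store): generate a long random salt from a CSPRNG.
// 16 random bytes become 32 hex characters, which is what gets saved.
function makeSalt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Steps 2 (store) and 2 (validate): prepend the salt and hash with SHA-256.
function saltedHash(string $salt, string $password): string {
    return hash('sha256', $salt . $password);
}

// Store: returns the two fields (salt, hash) that go into the user's record.
function storePassword(string $password): array {
    $salt = makeSalt();
    return ['salt' => $salt, 'hash' => saltedHash($salt, $password)];
}

// Validate: recompute with the stored salt and compare with the stored hash.
// hash_equals() takes the same time whatever the first differing byte is, so
// the comparison itself does not reveal how much of the hash matched.
function validatePassword(array $record, string $password): bool {
    return hash_equals($record['hash'], saltedHash($record['salt'], $password));
}

// Demonstration with constructed input.
$record = storePassword('correct horse battery staple');
var_dump(validatePassword($record, 'correct horse battery staple'));
var_dump(validatePassword($record, 'Correct horse battery staple'));

// A second account with the same password gets its own salt and therefore a
// different hash: identical passwords are not recognisable in the table and a
// precomputed table of plain SHA-256 values matches nothing.
$other = storePassword('correct horse battery staple');
var_dump($other['hash'] !== $record['hash']);
```

Run with `php salted.php`: the first var_dump prints bool(true), the second bool(false), and the third bool(true). One SHA-256 per guess is still very fast for an offline attacker who has the table, so for a production system prefer password_hash() and password_verify() (PHP 5.5+), which pick a CSPRNG salt and a deliberately slow algorithm for you.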

Page 11: Secure login


1. Generate Database

    CREATE TABLE `users` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `userEmail` varchar(255) NOT NULL,
      `userName` varchar(255) NOT NULL,
      `userPassword` varchar(255) NOT NULL,
      `enable` int(11) NOT NULL DEFAULT '1',
      `regDateTime` datetime NOT NULL,
      `salt` varchar(255) NOT NULL,
      PRIMARY KEY (`id`,`userEmail`)
    ) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;

https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/

Page 12: Secure login


2. Create forms

    <!-- Registration form (type="buttonsubmit" corrected to the valid type="submit") -->
    <form method="post" action="registration.php">
      User Name: <input type="text" name="userName" id="userName"/> <br/>
      Password: <input type="password" name="userPassword" id="userPassword"/> <br/>
      Email Address: <input type="text" name="userEmail" id="userEmail"/> <br/>
      <input type="submit" id="user-btn-signup" value="Registration" name="userSubmit"/>
    </form>

    <!-- Login form -->
    <form method="post" action="login.php">
      User Name: <input type="text" name="userName" id="userName"/> <br/>
      Password: <input type="password" name="userPassword" id="userPassword"/> <br/>
      <input type="submit" id="user-btn-signup" value="Login" name="userSubmit"/>
    </form>

https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/

Page 13: Secure login


registration.php

    // Generates the per-user salt. Note: md5(uniqid(rand(), true)) is not a
    // CSPRNG, and the result is cut to 5 hex characters (20 bits), far shorter
    // than the "long random salt" slide 10 asks for; this is the tutorial's
    // minimal version.
    function createSalt() {
        $string = md5(uniqid(rand(), true));
        return substr($string, 0, 5);
    }

    $salt_reg = createSalt();
    // Prepend the salt to the submitted password and hash with SHA-256 (slide 10).
    // Both $salt_reg and $userpasswdHash must be stored in the user's row.
    $userpasswdHash = hash('sha256', $salt_reg . $userpassword);

Connect to the database

https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/

Page 14: Secure login


login.php

    // mysql_* functions are deprecated since PHP 5.5 and removed in PHP 7.
    $username = mysql_real_escape_string(trim($_POST['userName']));
    // Escaping the password alters characters such as ' before hashing; the
    // registration side must transform it identically or the hashes will differ.
    $userpassword = mysql_real_escape_string(trim($_POST['userPassword']));

    // ... query the users table by $username into $result_check ...

    // Fixed: the original read mysql_fetch_array($result$result_check, ...)
    $userData = mysql_fetch_array($result_check, MYSQL_ASSOC);
    $db_salt = trim($userData['salt']);
    // Re-hash the entered password with the stored salt; the login succeeds
    // only if $hash_entered equals $userData['userPassword'] (compare with hash_equals()).
    $hash_entered = hash('sha256', $db_salt . $userpassword);

https://jaswanttak.wordpress.com/2010/04/15/configure-ssl-on-xampp-and-windows/
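The registration.php and login.php logic of slides 13 and 14 as one added PHP example (not the tutorial's code): the removed mysql_* calls are replaced by PDO prepared statements, so user input is never spliced into SQL and the password is hashed exactly as typed instead of being escaped first. It assumes PHP 7 or later with the pdo_sqlite extension; the slide 11 table is rewritten in SQLite syntax so the script runs offline, and on XAMPP/MySQL you would pass a DSN such as 'mysql:host=localhost;dbname=app' with the MySQL schema from slide 11 instead. The function names openDb, saltedHash, registerUser and loginUser are my own.

```php
<?php
// Added example: slide 13/14 flow on PDO prepared statements.
declare(strict_types=1);

// Opens the database and creates the users table of slide 11 (SQLite form).
// Default DSN is an in-memory SQLite database so the example is self-contained.
function openDb(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE IF NOT EXISTS users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        userEmail TEXT NOT NULL UNIQUE,
        userName TEXT NOT NULL UNIQUE,
        userPassword TEXT NOT NULL,
        enable INTEGER NOT NULL DEFAULT 1,
        regDateTime TEXT NOT NULL,
        salt TEXT NOT NULL)');
    return $db;
}

// Slide 10: prepend the salt, hash with SHA-256.
function saltedHash(string $salt, string $password): string {
    return hash('sha256', $salt . $password);
}

// registration.php: CSPRNG salt (32 hex chars), salted hash, parameterised INSERT.
// The values are bound, not concatenated, so quotes in a name are plain data.
function registerUser(PDO $db, string $userName, string $userEmail, string $password): bool {
    $salt = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO users (userEmail, userName, userPassword, regDateTime, salt)
                          VALUES (:email, :name, :hash, :now, :salt)');
    return $stmt->execute([
        ':email' => $userEmail,
        ':name'  => $userName,
        ':hash'  => saltedHash($salt, $password),
        ':now'   => gmdate('Y-m-d H:i:s'),
        ':salt'  => $salt,
    ]);
}

// login.php: fetch salt, stored hash and the enable flag by bound user name,
// then recompute the hash with the stored salt. Unknown user, disabled account
// and wrong password all end in the same "false" so the response does not
// reveal which one it was.
function loginUser(PDO $db, string $userName, string $password): bool {
    $stmt = $db->prepare('SELECT userPassword, salt, enable FROM users WHERE userName = :name');
    $stmt->execute([':name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['enable'] !== 1) {
        return false;
    }
    return hash_equals($row['userPassword'], saltedHash($row['salt'], $password));
}

// Demonstration with constructed input (what the slide 12 forms would POST).
$db = openDb();
registerUser($db, 'alice', 'alice@example.com', "p@ss'word");
var_dump(loginUser($db, 'alice', "p@ss'word"));   // right password
var_dump(loginUser($db, 'alice', 'wrong'));       // wrong password
var_dump(loginUser($db, "o'brien", "p@ss'word")); // name with a quote: just an unknown user
```

Run with `php login_flow.php`; it prints bool(true), bool(false), bool(false). Because the password is hashed before it reaches the database and the user name travels as a bound parameter, neither value needs mysql_real_escape_string(), which removes both the injection risk in the slide 14 query and the registration/login mismatch that escaping the password can cause.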

Page 15: Secure login


Assignment (8%)

• Create an HTTPS server in XAMPP and force the website to operate only under the HTTPS protocol (4%)
• Create secure registration and login using hash and salt (4%)
  • You may use Bootstrap to decorate your website
• Don't forget to note the lessons learned!