In codeigniter,
whenever a user is authenticated, I want to create a random session. This mechanism will be used to encrypt/decrypt the data between views-controllers. For example, I look to open a form as below:
<?php echo form_open('targetcontrollerfunction/'.encryptionfunction(data_to_be_secured)); ?>
Thus if anyone goes to inspect element, they is not able to understand the data that is being passed to the controller.
What I have tried:
I have gone through Codeigniter documentation and several articles on stackoverflow and google too. They suggest using encryption library to generate a random key and encrypt library to encode/decode the data using that key. But the challenge is that they want me to store the newly generated key in $config["encryption_key"]
Here the problem begins. In my Controller function I am validating the user account and setting some session variables. At the same time, I want random key to be generated so that the key is 100% unique for every user, but when I use the following code inside my controller function:
$randomkey=bin2hex($this->encryption->create_key(16));
$config["encryption_key"]=$randomkey;
$this->session->set_userdata('somekey', $this->encrypt->encode("somevalue"));
I also changed it to :
$randomkey=bin2hex($this->encryption->create_key(16));
$config=array(
'encryption_key'=>$randomkey
);
$this->encryption->initialize($config);
$this->session->set_userdata('somekey', $this->encrypt->encode("somevalue"));
I get an error:
In order to use the encryption class requires that you set an
encryption key in your config file.
libraries cannot be loaded into config.php file, encryption_key cannot be set inside the controller, I am totally confused. What else is the way to generate a random key and use the same for every logged in session?
If you are using CI 3, go to folder /application/config, edit config.php, then enter the encryption key (32 characters)
Search the below line:
$config[‘encryption_key’] = ‘yourkeyhere’;
Related
I'm running into trouble with authentication handling in my Laravel 5.5. I have installed an Encryptable trait according to this post here. I then used the authentication generator to establish the base routes, views and handler.
I can successfully register new accounts and visually see that all of the data is encrypted, but I cannot successfully authenticate through the login screen.
This seems to be failing during the Auth::attempt($credentials) call. My troubleshooting is pointing to the encryptable trait because when I comment that section out, the authentication works fine.
Can someone offer insight as to how to handle authentication using this method of model encryption?
I have attempted disabling encryption for the username field, but this didn't seem to help. The password field was never being encrypted, becasue it is being hashed by bcrypt.
1st Edit:
So, with an understanding of how traits work... The Encryptable trait seems to be overloading the getAttribute/setAttribute functions. This would mean that Eloquent's querying functions like where, find, etc. will just be "looking at" encrypted values.
2nd Edit:
The source code provided for the Encryptable trait was not returning proper values for unencrypted values. This was changed and authentication was restored. To those using the same code snippet, in the get_attribute() function, change the else block so that it return $value;.
I appreciate all insights,
Dan
This form of encryption will void your ability to search the table for the encrypted fields. You won't be able to reproduce the same string because Laravel uses a random iv when producing encrypted data. An IV, or initialization vector, serves a similar purpose as a salt in hashing, to randomize the stored data.
Due to this randomization of data, you wouldn't even be able to search your table by re-encrypting the search data:
User::where('email', Crypt::encrypt('email#email.com'));
// won't find anything even if an encrypted value of email#email.com exists
Running in an interactive shell allows you to see encrypt returns a completely different value on subsequent runs:
>>> json_decode(base64_decode(Crypt::encrypt('email#email.com')))->value
=> "zpA0LBsbkGCAagxLYB6kiqwJZmm7HSCVm4QrUw6W8SE="
>>> json_decode(base64_decode(Crypt::encrypt('email#email.com')))->value
=> "VKz8CWVzR66cv/J7J09K+TIVwQPxcIg+SDqQ32Sr7rU="
Therefore, you may want to be selective about what you actually encrypt. Encrypt things that are sensitive and you wouldn't use to lookup an entity. This could be something like social security numbers, government IDs, credit card numbers, and bank account numbers.
How do I validate password using function module which is stored in Z*** table against the sy-uname in ABAP?
I am using function module to create OData service for Fiori app where in the moment user hits on enter button it should display successful else unsuccessful based on sy-uname?
First,
you never ever shouldn't store passwords for your application in plain text.
It is so obvious that never should be mentioned, but nevertheless. Only hash functions from your passwords should be stored.
Second, following function module should be used for generating hash and validation against it:
CALL FUNCTION 'MD5_CALCULATE_HASH_FOR_CHAR'
EXPORTING
DATA = LV_PASSWORD
IMPORTING
HASH = STRU-PASSHS.
Also, you can check SECH function group and modules contained there, but consider that some of them are deprecated.
I'm using codeigniter2.1.4.my problem is when i use
$this->encrypt->encode($row['service_id'])
in my view page ,it generates such a key that is not permitted url and i also want short encrypt key bcoz current encrypt key too big.Any solution?Thanks
A simple solution would be to send the encrypted key as a POST parameter instead of GET parameter. In case you do not want to do that, look into
$config['permitted_uri_chars']
in application/config/config.php. Add the characters that you want to send in URL. Remember. THIS IS A SECURITY COMPROMISE.
You can always change to another cipher algorithm using
$this->encrypt->set_cipher();
This is known to mess up your sessions as sessions are encrypted using the default algorithm. So if you set session, change cipher and again try modify or set session, it wont work. You need to make sure you set back the cipher to default after your encryption is done.
Check and try to understand system/libraries/Session.php, especially around the line
$cookie_data = $this->CI->encrypt->encode($cookie_data);
If you are interested in finding answer to "WHY"
Let's say an application has really specific data which belongs to a user, and nobody is supposed to see it except the owner. I use MySQL database with DataMapper ORM mapper. The application is written in Ruby on Sinatra.
Application behavior:
User signs up for an account. Creates username and password.
Logs into his dashboard.
Some fields in specific tables must be protected.
Basically, I'm looking for auto-encryption for a model properties. Something like this:
class Transaction
include DataMapper::Resource
property :id, Serial
property :value, String, :length => 1024, :encrypted => true
... etc ...
belongs_to :user
end
I assume that encryption/decryption on the fly will cause performance problems, but that's ok. At least if that works - I'm fine.
Any ideas how to do this?
I wouldn't store any data that relies on the user remembering their password and then using that password to decrypt the data. What are you going to do when the user changes their password? Decrypt/Encrypt everything? I doubt it. What if the admin reset the password? All data lost? Again, I doubt it.
See the other links about storing secrets but please don't use any value from the user as part of your encryption.
So you want to store the data encrypted in the database? Firstly, I would ask you to consider why you need to do this? You should be able to write your application such that only the authenticated user can get to their own data.
If you do genuninely need to store encrypted data, that you also need to be able to decrypt (as opposed to a one-way hash) then there is lots about encryption in ruby here: http://www.example-code.com/ruby/encryption.asp
You certainly should encrypt/decrypt data on user side - otherwise there is no point in encrypted storage, as tracks of private data still there somewhere - in network cache, in swapfiles of different kind etc. Moreover, data can be sniffed with Man-In-The-Middle attack.
So what you probably want is javascript-based client-side encryption. Topic is greatly covered in http://javascript.about.com/library/blencrypt.htm (Rijndael encryption algorithm), and there is great AES implementation library on http://www.movable-type.co.uk/scripts/aes.html
You should encrypt data before submission of form (with onClick callback of "Submit" button f. e.), and then pass to server and process as usual.
Drawback is that you can't use any Rails with such data - only client-side javascript.
I had to do this for encrypting sensitive data. I wrapped the strongbox gem and it's on github: http://github.com/bitzesty/safe
The safe gem provides Public Key Encryption of AR attributes.
You use a one-way hashing algorithm. Hash the password and store the hash. Then whenever the user enters his password, you hash the password entered and compare it to the stored hashed password. If they're the same, you let them through. If not, they're denied.
It's generally not a good idea to ever store a user's password that can be taken to plaintext.
Typically it is stored as a salted hash of either MD5 or SHA1.
So, you have a random salt, store it in the user's table, and then you hash their pass and the salt, like this:
$hash = md5(md5(salt) + pass)
I would recommend against storing a pass that can be returned, the only way I'd recommend you store it is in a one way hash.
That said, there are some encryption schemes that you can use, such as RSA encrytion. This way, your application will encrypt the user's password that it receives from the end user using your public key, and when you need to decrypt it, do so using your private key. There's really very limited application for storing a key this way (such as providing a log in to another site automatically) and is typically frowned upon.
attr_encrypted may be also solution for encryption sensitive data, works with ruby class or ActiveRecord, DataMapper, or Sequel in Rails.
https://github.com/attr-encrypted/attr_encrypted
I am working on a guess-a-number game with Ruby that will be online. I know I need to pass the SESSION somehow to keep the number that they are guessing, but I have tried a ton of methods with no luck. My code is here.
Any thoughts on what I can do get this code working? I have declared each of my sections.
A session is, usually, a combination of a cookie (session cookie), or some session id tacked onto the url, which has some unique identification of the current "session" and a way to save the data on the server and retrieve it when given the id from the cookie.
So I would set a cookie based on for example ip + Time.now.to_i and then save that ID and the values I want set into a database or a text file on the hard drive. Note that there is probably a lot better ways to create a unique ID but aim for the simple stuff first. :)
I also recommend that you look into CGI::Session which you require with require 'cgi/session'.