I am using a form with user and password fields in that I need to encrypt the password before sending the form to the server for validation. For that I am using md5.js for encryption on client side using the salt information.
test.php
<script LANGUAGE="Javascript" SRC="js/md5.js"></script>
<script>
function encryptPwd1(strPwd, strSalt, strit) {
var strNewSalt = new String(strSalt);
if (strPwd == "" || strSalt == "")
{
return null;
}
var strEncPwd;
var strPwdHash = MD5(strPwd);
var strMerged = strNewSalt + strPwdHash;
var strMerged1 = MD5(strMerged);
return strMerged1;
}
function validateForm(strSalt, strit) {
var strEncPwd = new String(encryptPwd1(document.getElementById("password").value, strSalt, strit));
document.getElementById("password").value = strEncPwd;
document.login.submit();
return true;
}
</script>
<form method="post" action="test1.php">
<input type="hidden"
name="salt"
id="salt"
value="8qadr4xnCPW275BaNpYX">
<label class="login">Password:</label>
<input
name="password"
id="password"
type="password" />
<input type="submit"
name="gos"
id="gos"
value="Login"
onClick="return validateForm('8qadr4xnCPW275BaNpYX','38');">
</form>
This is the form which contains the client encryption using JavaScript and md5.js. I can successfully encrypt the message and send it to test1.php in that test1.php. I don't know how to decrypt the text please help me.
I am using a form with user and password fields in that I need to encrypt the password before sending the form to the server for validation. For that I am using md5.js for encryption on client side using the salt information.
test.php
<script LANGUAGE="Javascript" SRC="js/md5.js"></script>
<script>
function encryptPwd1(strPwd, strSalt, strit) {
var strNewSalt = new String(strSalt);
if (strPwd == "" || strSalt == "")
{
return null;
}
var strEncPwd;
var strPwdHash = MD5(strPwd);
var strMerged = strNewSalt + strPwdHash;
var strMerged1 = MD5(strMerged);
return strMerged1;
}
function validateForm(strSalt, strit) {
var strEncPwd = new String(encryptPwd1(document.getElementById("password").value, strSalt, strit));
document.getElementById("password").value = strEncPwd;
document.login.submit();
return true;
}
</script>
<form method="post" action="test1.php">
<input type="hidden"
name="salt"
id="salt"
value="8qadr4xnCPW275BaNpYX">
<label class="login">Password:</label>
<input
name="password"
id="password"
type="password" />
<input type="submit"
name="gos"
id="gos"
value="Login"
onClick="return validateForm('8qadr4xnCPW275BaNpYX','38');">
</form>
This is the form which contains the client encryption using JavaScript and md5.js. I can successfully encrypt the message and send it to test1.php in that test1.php. I don't know how to decrypt the text please help me.
- 1 What you are talking about here is hashing, not encryption. Hashing is not meant to be reversible (even though MD5 is very insecure and it's possible to reverse it). You should be rehashing on the server side and paring with the JS hash rather than trying to reverse it. – t j Commented Jul 11, 2014 at 0:53
- Why don't you simply use md5 to decrypt it instead trying to reverse it or created md5 decryption – user2530266 Commented Jul 11, 2014 at 0:58
- @orciny can any one guide me how to do that please. or any examples – VPR Commented Jul 11, 2014 at 1:01
- Take a look at the PHP MD5 functions. php/manual/en/function.md5.php Although these days, they're not considered strong enough to hash passwords with. You should maybe look into a stronger algorithm using password_hash: au2.php/manual/en/function.password-hash.php – t j Commented Jul 11, 2014 at 1:07
- @orciny this never shows how to do with client side give me an example so that i cant study well or tell how to decrypt the in test1.php – VPR Commented Jul 11, 2014 at 1:11
3 Answers
Reset to default 3Hang on a minute here.
This is just a bad idea (I can think of other adjectives here but will limit myself to BAD).
Anybody can read your page source with any browser, so what do I see if I do that....
- I now know that you are using MD5 to hash your passwords on your database (let's ignore how bad MD5 is for now)
- And lo and behold I also know the SALT that you are using!
Why not just give me your bank account number and PIN code, and for good measure the keys to your house and car!
I assume you don't have a boat or you would have drowned by now!
Don't try and do this in the browser, the only secure way is to use SSL.
You want to protect the plain text password from a "man in the middle", which is listening the network traffic. Unfortunately it is not possible to prevent this with client-side java-script, because the attacker can see the sent java-script as well and would also be able to simply remove this script from the request.
The only reliable way to protect the transfer of the password is using HTTPS with SSL encryption. This also only works because a secret is already shared (the certificates installed within your browser).
Client-side hashing can have it's purpose as well, but never replaces server-side hashing. You can transfer CPU power used for hashing to the client. On the server side you would have to hash again, but with fewer rounds.
Password encryption is needed because of password trace will be stored in browser memory on your puter when you make submission. If a hacker get access to your puter, with a widely available tool, your stored data will be exposed.
The remedy for that is to make it harder for the hacker to get hold of your password...
There are two things to remember: 1) submit via form 2) submit via ajax
In both cased it is important that you control the character encoding of your submission and make sure your server character encoding is in synch with your application web page.
If you do not control the encoding, then your ajax call may end up with different set of encoding than your submission via form and hence your decoding will not be easy.
Once you have them under control then use code in what ever language you want to decode... however, you need to keep a reference of salt and stringit on server side.. and you need to randomly generate different set of strings on each page you provide for users.
one way to do it is by including them in form as hidden inputs.. but you need to remove the inputs on the fly from the form right before you allow the form to proceed with submission.