Topic: Diffie-Hellman Login Code

Hello and good day,

I was wondering if the code that handles the Diffie-Hellman key exchange - mainly the backend that does the heavy-lifting - is available as an independent package anywhere? I'm developing various management suites (for things like camper registrations for a summer youth camp, scrap tracking for a manufacturer and a job tracker for a local PC tech) and was hoping that I could implement the DH key exchange into the system as an alternate to SSL when SSL is unavailable.

Currently the user gets a one-time-use login key when they request a login, and their password gets hashed along with that login key and then is transmitted to the server for verification. (Their passwords are stored as both SHA1 and MD5 hashes (to avoid birthday attacks) and that hash is hashed with the login key concatenated.) I was looking at writing my own version of Diffie-Hellman but, as you probably experienced when implementing it into Enano, it's quite a big bear to tackle.

If you could point me in the right direction that'd be great. Otherwise I'll resort to downloading and installing Enano and then pulling the code out of it the "fun" way. :-)

Thanks for your time,
-- John

Re: Diffie-Hellman Login Code

Hi John!

The DiffieHellman code is pretty nicely segregated into its own files. You'll want to look in the following:

  • includes/math.php: Abstraction layer that picks out which backend (GMP, big_int or BCMath) to use. I recommend GMP!

  • includes/diffiehellman.php: The actual Diffie-Hellman algorithm, server side

  • includes/rijndael.php: Native PHP implementation of AES

  • includes/clientside/static/crypto.js: Big-ass Javascript blob with arbitrary precision math, DiffieHellman and AES all rolled into one file

  • includes/clientside/static/login.js: Good place to look for an example on how to use DH client-side

  • plugins/SpecialUserFuncs.php: Good place to look for an example on how to use DH server-side

  • includes/functions.php: If you get calls to undefined functions, this is a good place to look for them.

  • includes/sessions.php: The generate_aes_form() and aes_javascript() methods will help you get working forms together.

  • includes/hmac.php: Store your passwords using HMAC - it's MUCH more secure if your database ever gets hacked.

That should cover just about everything. Crypto login is a HUGE thing to implement, because the capability has to be sprinkled everywhere, from registration to login to re-auth to the password change form to the "forgot password" feature. Even the installer just recently added support for it. It's mostly all based on the same code now, but for a while maintaining all those different locations became a huge mess. I'd recommend writing functions that take care of generating keys and echo out hidden form fields containing the public key and similar information.

Finally I think it would be responsible of me to reiterate the warning from the Features page:

Remember: true security is only possible with SSL. The encrypted logon feature is designed only to protect your information when it is infeasible for a man-in-the-middle to modify Diffie-Hellman parameters, for example at a WiFi hotspot where ARP spoofing is difficult or impossible because of wireless latency. A determined and skilled attacker with control over an intermediate router between you and your Enano website can still obtain your password by modifying the Diffie-Hellman parameters. If you need strong security, use SSL.

Good luck, and let me know if you need any more advice on working with the code. Keep me posted, I'd be interested in seeing the results!

Dan
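The exchange Dan's reply describes (server publishes a public value, the client derives a shared key and encrypts the password with it, the server derives the same key and decrypts) as an added, stand-alone example; this is not Enano's code. It is stdlib-only, so HMAC-SHA256 in counter mode stands in for the AES cipher in rijndael.php/crypto.js, and the prime is a constructed stand-in for a pinned group. The range check rejects degenerate public values an intermediary could force on you, but it does not authenticate the server, which is exactly why the warning about SSL still applies.

```python
import hashlib
import hmac
import secrets

# Constructed demo group: 2**255 - 19 is prime, but this is NOT a standard DH group.
# A real deployment pins a vetted safe-prime group on both client and server.
P = (1 << 255) - 19
G = 2


def validate_public(pub, p=P):
    """Reject 0, 1, p-1 and out-of-range values: with these the 'shared' secret is forced."""
    return 2 <= pub <= p - 2


def gen_keypair(p=P, g=G):
    """Private exponent in [2, p-2] and the public value g^priv mod p to send to the peer."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def shared_key(priv, peer_pub, p=P):
    """Derive a 256-bit key from the DH secret; refuse degenerate peer values."""
    if not validate_public(peer_pub, p):
        raise ValueError("degenerate Diffie-Hellman public value")
    secret = pow(peer_pub, priv, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def keystream_xor(key, data, nonce):
    """Stand-in for AES (not in the stdlib): HMAC-SHA256 counter-mode keystream XORed over data."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def login_exchange(password):
    """Both sides of the login flow; returns (password the server recovered, keys matched)."""
    # Server: generates its pair and emits s_pub in a hidden form field.
    s_priv, s_pub = gen_keypair()
    # Client: generates its pair, derives the key from s_pub, encrypts the password.
    c_priv, c_pub = gen_keypair()
    c_key = shared_key(c_priv, s_pub)
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(c_key, password.encode(), nonce)
    # Server: receives c_pub, nonce and ciphertext, derives the same key and decrypts.
    s_key = shared_key(s_priv, c_pub)
    return keystream_xor(s_key, ciphertext, nonce).decode(), c_key == s_key
```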