rejetto forum

Software => HFS ~ HTTP File Server => Programmers corner => Topic started by: NaitLee on June 14, 2020, 07:35:55 AM

Title: Encrypt password between client and server
Post by: NaitLee on June 14, 2020, 07:35:55 AM
Currently, when we change our password, the password sent to the client is not encrypted.
When we log in, the password is dealt with by sha256. But if a hacker hijacks the result, he can still do things with the correct AJAX method.

So besides HTTPS, how do we get the best effect of encryption between client and server?
I think the message sent between client and server should be hard to deal with.
And we should find a way to send password/encryption-related messages that cannot be fully seen by a hacker.

Scripting command: Data manipulation (https://rejetto.com/wiki/index.php?title=HFS:_scripting_commands#Data_manipulation) may be useful, as there are some mathematical things.
Additionally, {.get account||password.} can get the original password, {.sha256|A.} can make it undiscoverable, and {.time|yyyymmddhhMMss.} can get a timestamp...

Can anyone share a few suggestions? :)
Title: Re: Encrypt password between client and server
Post by: Mars on June 18, 2020, 01:19:22 AM
Currently, when we change our password, the password sent to the client is not encrypted.
When we log in, the password is dealt with by sha256. But if a hacker hijacks the result, he can still do things with the correct AJAX method.

So besides HTTPS, how do we get the best effect of encryption between client and server?
I think the message sent between client and server should be hard to deal with.
And we should find a way to send password/encryption-related messages that cannot be fully seen by a hacker.

Scripting command: Data manipulation (https://rejetto.com/wiki/index.php?title=HFS:_scripting_commands#Data_manipulation) may be useful, as there are some mathematical things.
Additionally, {.get account||password.} can get the original password, {.sha256|A.} can make it undiscoverable, and {.time|yyyymmddhhMMss.} can get a timestamp...

Can anyone share a few suggestions? :)

Look at this post:
http://rejetto.com/forum/index.php?topic=13326.msg1066139#msg1066139
Title: Re: Encrypt password between client and server
Post by: Richard_F on September 15, 2020, 06:06:16 PM
Hello, NaitLee!

Yeah, I had this problem for some time too. Unfortunately, I am not sure how to fix it (last time I got help ;D). But maybe this post https://www.technikhiwi.de/wordpress-hosting-test/#Sicherheit can help you. It is in German, so use a site translation. There is some information about encrypted hosting and SSL certification.
Title: Re: Encrypt password between client and server
Post by: LeoNeeson on September 30, 2020, 03:16:45 PM
Good idea. :) Some time ago, I proposed something different: adding Two-Factor Authentication (2FA) to HFS (https://rejetto.com/forum/index.php?topic=13062.0). Although it's not 100% bullet-proof secure, 2FA could add another layer of security to HFS (for extra peace of mind, since if a password is stolen, you would still need a correct 2FA code).
Title: Re: Encrypt password between client and server
Post by: NaitLee on September 30, 2020, 04:24:27 PM
Some time ago, I proposed something different: adding Two-Factor Authentication (2FA) to HFS (https://rejetto.com/forum/index.php?topic=13062.0)

It seems the account notes key (https://rejetto.com/wiki/index.php?title=HFS:_scripting_commands#Account_manipulation) can be used to store the second password, and even more ;) So this is also possible :D
Title: Re: Encrypt password between client and server
Post by: Mars on September 30, 2020, 04:34:05 PM
In the long term, the password that can be displayed in clear in the options should disappear, to make room for encryption in the form of MD5 or SHA-256, or compatible with the password file under Linux. The various forms of authentication between clients and server would be adapted, thus avoiding being able to hack clear identifiers in the ini file.

The current problem is to find a standardized format for sending encrypted data in binary or text form in the forms, and to recover it correctly whether in ANSI or in widestring; the conversion and interpretation of the data received byte by byte complicates the thing a little. I had made an attempt by codifying the whole in the form of hexadecimal data, but not being at the top on JavaScript, the encoding and then the decoding constantly gave discordant results, so I left it aside while waiting for rejetto to have enough time to go back to HFS.
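The byte-convention problem described in this post, as an added example in JavaScript (Node.js) that is not code from HFS or from the poster: a hex encoder that walks JavaScript string code units one by one diverges from one built on UTF-8 bytes as soon as the input is non-ASCII, which is one way an encoder and a decoder end up with discordant results. Fixing the convention (UTF-8 bytes, two lowercase hex digits per byte, strict validation on decode) makes the round trip deterministic. The function names `naiveHex`, `utf8ToHex`, `hexToUtf8`, `roundTrip` and the sample strings are constructed for this illustration.

```javascript
// Added example (not HFS code): a fixed byte convention for carrying text as
// hex between browser and server, beside the per-code-unit pitfall.
const enc = new TextEncoder();                               // always UTF-8
const dec = new TextDecoder('utf-8', { fatal: true });       // reject bad bytes

// Pitfall: treating each JS string code unit (UTF-16) as if it were one byte.
// 'é' (U+00E9) becomes 'e9' (1 byte), '中' (U+4E2D) becomes '4e2d' (2 bytes),
// and a server reading UTF-8 or an ANSI code page cannot tell where bytes end.
function naiveHex(str) {
  let out = '';
  for (let i = 0; i < str.length; i++) {
    out += str.charCodeAt(i).toString(16).padStart(2, '0');
  }
  return out;
}

// Fixed convention: encode to UTF-8 first, then two hex digits per byte.
function utf8ToHex(str) {
  return Array.from(enc.encode(str), b => b.toString(16).padStart(2, '0')).join('');
}

// Strict decoder: even length, hex digits only, valid UTF-8 or throw.
function hexToUtf8(hex) {
  if (typeof hex !== 'string' || hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error('malformed hex payload');
  }
  const bytes = new Uint8Array(hex.length / 2);
  for (let i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return dec.decode(bytes);   // throws instead of substituting U+FFFD
}

function roundTrip(str) {
  return hexToUtf8(utf8ToHex(str)) === str;
}

// Constructed samples: ASCII, Latin-1, CJK, and an astral (surrogate pair) character.
function demo() {
  return {
    naive: naiveHex('Aé中'),        // '41e94e2d'      (8 hex digits, ambiguous)
    utf8: utf8ToHex('Aé中'),        // '41c3a9e4b8ad'  (12 hex digits, 6 bytes)
    emojiOk: roundTrip('😀 pass ✓'),
  };
}
```

The server side has to follow the same rule: turn the hex into bytes and interpret those bytes as UTF-8, not as an ANSI code page and not as UTF-16 code units. Once both ends agree on "UTF-8 bytes, then hex", the same string produces the same hex on every platform, which is what a hash or an encrypted field compared on both sides needs.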