Building a CHAP Login System: Coding Server-Side Random Seeds

Introduction

In the previous part of the series, I provided you with core concepts related to client-side data encryption, through the implementation of the MD5 hashing algorithm in JavaScript. I also provided you with the basic requirements for building a login system, which offers a greater level of security compared to the vast majority of such systems found on the Web that usually transmit data in an unencrypted way.

At this point, hopefully you’ve understood the advantages and drawbacks of working with user-provided data, which is hashed in the client domain, and later transmitted for authentication on the server. As I previously discussed in the first part of the series, the most significant benefit of implementing such as system is obviously the fact that data encryption is performed via JavaScript, without the need to look at other solutions, such as https.

On the other hand, the use of JavaScript as the core encryption method reveals the strong dependency on scripting-enabled browsers for this technique to be successfully implemented. As you can see, good things come at a cost, and this one is no exception.

With the key concepts well understood, over this second part, attention will be turned to the server side, where authentication takes place. For this purpose, I’ll be illustrating some methods for generating random seeds, ranging from simple semi-random string generators to slightly more complex procedural approaches. Since all of the server source code will be developed in PHP, it shall be extremely easy to adapt it to working with the language of your choice.