JavaScript
  Home arrow JavaScript arrow Page 2 - Building a CHAP Login System: Encrypting D...
Dev Articles Forums 
ADO.NET  
Apache  
ASP  
ASP.NET  
C#  
C++  
ColdFusion  
COM/COM+  
Delphi-Kylix  
Design Usability  
Development Cycles  
DHTML  
Embedded Tools  
Flash  
Graphic Design  
HTML  
IIS  
Interviews  
Java  
JavaScript  
MySQL  
Oracle  
Photoshop  
PHP  
Reviews  
Ruby-on-Rails  
SQL  
SQL Server  
Style Sheets  
VB.Net  
Visual Basic  
Web Authoring  
Web Services  
Web Standards  
XML  
Mobile Linux 
App Generation ROI 
IBM® developerWorks 
Weekly Newsletter
 
Developer Updates  
Free Website Content 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us Get Paid 
Request Media Kit
Contact Us 
Site Map 
Privacy Policy 
Support 
 USERNAME
 
 PASSWORD
 
 
  >>> SIGN UP!  
  Lost Password? 
JAVASCRIPT

Building a CHAP Login System: Encrypting Data in the Client
By: Alejandro Gervasio
  • Search For More Articles!
  • Disclaimer
  • Author Terms
    		•
    Rating: 5 stars5 stars5 stars5 stars5 stars / 25
    2005-08-29

    Table of Contents:
  • Building a CHAP Login System: Encrypting Data in the Client
  • The basics of a CHAP login system: pros and cons of client-side data encryption
  • The making of a CHAP system: implementing a basic authentication mechanism
  • Completing the client code: defining the remaining JavaScript functions
    		•

    Rate this Article: Poor Best 
      ADD THIS ARTICLE TO:
      Del.ici.ous Digg
      Blink Simpy
      Google Spurl
      Y! MyWeb Furl
    Email Me Similar Content When Posted
    Add Developer Shed Article Feed To Your Site
    Email Article To Friend
    Print Version Of Article
    PDF Version Of Article
    		 
     
    ADVERTISEMENT

    Building a CHAP Login System: Encrypting Data in the Client - The basics of a CHAP login system: pros and cons of client-side data encryption
    (Page 2 of 4 )

    Before I start writing some sample code, a few key concepts on CHAP login systems should be properly explained. Obviously, the main benefit of such a system is that the password is never transmitted to the server in plain text, in this way reducing the chances for a hacker to catch it with a sniffing program.

    However, there is a drawback that you should be aware of. Many login forms poorly implement CHAP systems, by simply transmitting the MD5 hash of the password without appending onto it a challenge string (usually a random value that the server sends to the client), which may lead to a potentially dangerous situation. Even when the password is encrypted with a MD5 hash, there is still the possibility of an interception. A hacker could sniff out the hash of the password instead of sniffing the password itself, and use it to gain access to the system, thus encrypting only the password quickly breaks down the method’s effectiveness.

    According to the above deployed concepts, for a CHAP login system to be reasonably effective, the MD5 hash of the password together with the challenge value combined should always be transmitted to the server. Otherwise, as I explained before, the login system might be a lot more vulnerable to hacker exploits.

    There is yet another obvious issue related to CHAP login systems implemented on web programs: their strong dependency on JavaScript for user data encryption. While on clients with JavaScript disabled the operability of the encrypting method is directly turned off, it’s possible to create a system which, when scripting is disabled, sends out the password in plain text, while on scripting-enabled browsers, it sends out the proper hashed value.

    As you can see, there are some key concepts to evaluate before you start setting up a CHAP login system, in order to provide users with an acceptable level of security when they log into your web application. Considering what I explained previously, it is important to make sure your login forms are still functional even if users are accessing your site with browsers where scripting has been turned off.

    Having pointed out the advantages and drawbacks of using CHAP in your web programs, now you can turn your attention to the practical aspect of the topic, by taking a look at an illustrative example, which is designed to implement basically the above deployed concepts. So, let’s move on and study the sample code.

    Next: The making of a CHAP system: implementing a basic authentication mechanism >>
     

    More JavaScript Articles
    More By Alejandro Gervasio


       · The first part of this three-part tutorial introduces the implementation of CHAP...
       · Is there any way I can convert this to a Java Applet?
       · It all looks good so far. I'm a little curious to know what exactly has to happen...
       · Thank you for your comments on this article. You can read the follow-up articles...
       · I guess there's a way. I'm not very versed in Java, but I'm pretty sure this can be...
       · Hello everyone,I was using this chap login with some modifications but I ended up...
       · Hello Edu,Thank you for posting your comments on my article about the CHAP login...
       · I know CHAP based systems can easily stop "replay attacks", but if the user's...
       · Thank you for commenting on my article. Now, regarding your post, I’m afraid you’re ...
       · Thank you for the reply. But allowing the user to log in by sending the password in...
       · Thank you again for the comments. Yes, you’re correct, but that’s precisely the...
       · Well-written article. Thanks.It seems that you have the MD5 of the user's...
       · Thanks for the kind comments on my CHAP article. Well, actually it doesn’t matter...
       · first of all thanks for the tutorial im sure many will find it useful and its...
       · Hey Alex, thanks for the comments, but I guess you miss the point of the article,...
     
    >>> Post your comment now!

    JAVASCRIPT ARTICLES

    - Validating Digits and Dates with jQuery`s Va...
    - Validating Ranges, Emails, and URLs with jQu...
    - More Uses for the jQuery Tooltip Plug-in`s b...
    - Building Image-Based Tooltips with the jQuer...
    - Using the jQuery Tooltip Plug-in`s bodyHandl...
    - Using Rangelength, Min and Max with the Vali...
    - Using Minlength and Maxlength with the Valid...
    - Modifying Tooltip Coordinates with the jQuer...
    - Applying a Fade Out Effect with the jQuery T...
    - Tracking Mouse Movements with the jQuery Too...
    - Checking Online Forms with the Validator jQu...
    - Nested JavaScript Functions as Objects
    - The jQuery Tooltip Plug-in
    - Active Client Pages at the Server
    - ACP Tab Web Page
    Find More JavaScript Articles






    © 2003-2009 by Developer Shed. All rights reserved. DS Cluster 4 Hosted by Hostway
    Stay green...Green IT