Building a CHAP Login System: Encrypting Data in the Client
Web developers concerned with the security of their applications face one of their worst fears every time someone logs in: the possibility that passwords will be passed in plain text. Fortunately, there is a way to avoid this security risk. In this article, the first of three parts, Alejandro Gervasio helps you tackle this problem with a Challenge Handshake Authentication Protocol login system.
Building a CHAP Login System: Encrypting Data in the Client (Page 1 of 4 )
For most web developers, creating login forms to interact with web programs can be a sometimes frustrating experience. And each time I sit down to code some forms, Iím assailed by a feel of distrust that affirms my deepest fears, particularly when I think that passwords will be passed in plain text whenever users try to log in to the application. Certainly, this feeling might be considerably mitigated if I get into the implementation of straightforward solutions such as https, but unfortunately for many websites, this is still a long way from being an acceptable option.
Even if I were to code the login system while bearing in mind some kind of persistent mechanism like session cookies, to avoid subsequently transmitting login data from page to page, passwords would still be passed in unencrypted form to the server -- at least for the first time users attempt to log in. However, despite the complexities inherent to transmiting sensitive data across an insecure network, there is a fairly straightforward method for tackling the problem.
Certainly, the clearest advantage of this method rests on the fact that the password is never sent as clear text from the client to the server, thus the possibilities of being sniffed out by a hacker are significantly reduced. Now that you have a pretty clear idea of how sensitive data, and particularly passwords along with challenge values, can be encrypted in the client, itís time to go further into the real implementation of a CHAP login system.
With the preliminaries out of our way, letís get started.