
Building a CHAP Login System: Encrypting Data in the Client

Web developers concerned with the security of their applications face one of their worst fears every time someone logs in: the possibility that the password is sent to the server in plain text. There is a way to reduce this risk. In this article, the first of three parts, Alejandro Gervasio shows how to tackle the problem with a Challenge Handshake Authentication Protocol (CHAP) login system.

By: Alejandro Gervasio
August 29, 2005
  1. Building a CHAP Login System: Encrypting Data in the Client
  2. The basics of a CHAP login system: pros and cons of client-side data encryption
  3. The making of a CHAP system: implementing a basic authentication mechanism
  4. Completing the client code: defining the remaining JavaScript functions


The basics of a CHAP login system: pros and cons of client-side data encryption (Page 2 of 4)

Before I start writing some sample code, a few key concepts behind CHAP login systems should be properly explained. The main benefit of such a system is that the password itself is never transmitted to the server in plain text, which reduces the chance that an attacker sniffing the network traffic captures it.

However, there is a drawback that you should be aware of. Many login forms implement CHAP poorly: they transmit only the MD5 hash of the password, without combining it with a challenge string (usually a random value that the server sends to the client for that login attempt). This is a dangerous situation. Hashing the password does not prevent interception; it only changes what is intercepted. An attacker who sniffs the hash can submit that same hash and be logged in, because the server accepts it directly. The hash has become a password-equivalent, so sending the bare hash gives almost none of the protection the method is meant to provide.

Following from the above, for a CHAP login system to be reasonably effective the client must always transmit an MD5 hash computed over the password combined with the challenge value, never the hash of the password on its own. The challenge must be unpredictable, fresh for each login attempt, and accepted by the server only once; a reused or guessable challenge lets a captured response be replayed just like a bare hash. Two limitations remain even when this is done properly: a captured challenge/response pair still lets the attacker test password guesses offline, and an attacker who can alter the page in transit can simply strip out the script. A CHAP login therefore reduces exposure to passive sniffing; it is not a substitute for serving the login form over HTTPS.

There is yet another obvious issue with CHAP logins implemented in web applications: they depend entirely on JavaScript to hash the data on the client. On a browser with JavaScript disabled, the hashing step simply never runs. It is possible to build a form that degrades gracefully: when scripting is disabled it submits the password in plain text, and when scripting is enabled it submits the proper hashed value. Be aware of what this fallback implies: the server must then accept a plaintext password as well, so any client that does not run the script, whether by choice or not, gets the unprotected behaviour.

As you can see, there are several points to weigh before you set up a CHAP login system, if it is to give users an acceptable level of security when they log into your web application. Considering the previous point, it is also important to make sure your login forms remain functional for users whose browsers have scripting turned off.

Having pointed out the advantages and drawbacks of using CHAP in your web applications, you can now turn to the practical side of the topic by looking at an illustrative example that implements the concepts above. So, let's move on and study the sample code.
