Once more I will pick a question from a chat discussion as starting point for a little article. The question was how to use SHA256 in JavaScript. Of course you may wonder what SHA256 is, well to make a long story short, it’s a replacement (more secure) version of the well known MD5 “digest” function or hash function. Basically MD5 or SHA256 are functions which take some string and produce a binary short identifier for it. That means, you can in theory have more than one initial string which produce the same identifier, but it practice it’s very unlikely and it is certainly extremely difficult without doing a brute force attack (more on this later) to find a possible string out of those identifiers. Those functions are also called one way cryptography, as it allows you to encrypt something but you cannot normally go back to the original message.
You know now what those function are, but how useful is it? Well maybe you don’t know it but all the communication between the browsers and the servers are PLAIN TEXT which means anybody between the browser and the server could see the data exchanged without any problem. This is valid for all the GET, POST parameters as well as for the cookies or anything else exchange. The only way to prevent this is to use the HTTPS (S for Secure) protocol instead of the normal HTTP one. However there is a few issue with the HTTPS, first of all it requires a server certificate, and if you don’t purchase one you will force your users to go through some odd browser acknowledgment which basically says: “Yes I agree and understand that this certificate is not valid or unknown”. There is some cheap certificate (look for Go Daddy for example, but normally an SSL certificate is expensive and needs to be re-installed every year. Another problem with HTTPS is that it requires some more CPU on the server as well as on the browser side.
So if you don’t use HTTPS as most web sites out there, you are in the risk that somebody steal the passwords players or admins use to log in on your site. And here we can use those “digest” functions mentioned above.
The idea is that you take the password given by your player, encrypt it on the browser side via JavaScript, and then send the encrypted string over the network. The advantage is that if somebody is sniffing your traffic he/she will not be able to read / know the password used. However this is only a first step, as this person could use the exact same encrypted string to be able to log in as well. So the solution is to concatenate the IP of the client as well as the password together and then make the MD5 out of it, on the server, as you cannot decrypt you do the same job take the user password out of the DB, glue it to the browser IP, feed it to the MD5 function and see if it matches with what you got from the player. By doing so, you ensure the same encrypted string cannot be shared along other PC if they use different IP. You could further improve it by using a cookie or some other kind of session identification so that only that browser will be accepted for that session and not all browsers / pc sharing the same IP.
As this could be somewhat difficult to understand just like that, I prepared you a full script (PHP and JavaScript) to see how things works. The first (and biggest) part of the JavaScript as you will see is taken from internet, so if you use it, please leave the copyright. For the remaining parts you can use it as you want.
The script:
http://base.nowhere-else.org/tutorials/check_pass.zip
No User Responded In This Post
Leave A Reply