6.1 Secure communications and encryption

Motivations
- How to trust a web site that says it is eBay or CS?
- How to send a credit card number in a secure manner?
- In TRUQA and TRU Messenger, you will need to send the username and password. The username and password are not encrypted. Can anybody read the username and password during the transmission to the server?
- Assuming there is a way to send the username and password in a secure manner, do we still need strong passwords?
- As a system administrator, how can you trust users?
- Check the URL field on the top of the browser. Do you see the 'https' instead of 'http'?
- How about the user authentication used for this section?

Secure communications, and encryption and decryption
- Is it safe to send username and password as plain texts? Here are some issues that you still need to solve.
  - Server (or website) authentication - how to authenticate a server?
  - User authentication - how to authenticate a user?
  - Secure channel - how to send data through a secure channel?
  - How to use encrypted password at the server-side?
  - Encryption and decryption - how to encrypt data?
- Download PHP secure communications and encryption, and read the slides 3 ~ 22.
  - How can you trust a web site?
  - List the two types of authentications.
  - What information can you obtain from a digital certificate?
  - How can you check if HTTPS is not being used?
  - How can you redirect the HTTP connection to HTTPS?
  - Is it a good idea to store passwords in a database table as plain text?
  - What is a hash function?
  - Can you store encrypted password into your 'username_password' database table?
  - Trial 1: Slides 16 ~ 17 - Let's try to add a new user with encrypted password.
    <?php $username = 'jwilliams'; // just for testing $password = 'topsecrete'; $hashed_password = ???($password); // hash function $query = "insert into Users (Username, Password) values (???, ???)"; // save hashed_password // ... echo $password . ' -> ' . $hashed_password; // just for testing ?>
  - Trial 2: Slide 22 - Let's try to ask the user to enter username and password using 'Basic Authentication'.
    <?php $username = $_SERVER['PHP_AUTH_USER']; $password = ????; // PHP_AUTH_PW if (????($username) || ????($password) || $username != 'comp3540' || $password != ???) { header('WWW-Authenticate: ??? realm = "My Realm"'); ???('HTTP/1.0 401 Unauthorized'); exit(); } else echo 'Valid username and password<br>'; ?>
  - [You may skip the remainders.]
  - How to encrypt and decrypt data?
    1. Decide the cipher algorithm and mode.
    2. Get the IV (initialization vector) size.
    3. Create the IV.
    4. Encrypt data with the key, ...
  - How to send encrypted data?
    - base64_encode()
    - base64_decide()
  - Trial 3: Let's just try the next example to see how encryption/decryption work. The execution might take some time. This is because of mcrypt_...() functions. Just wait till you see any result.
    <?php // Both sides $cipher = MCRYPT_RIJNDAEL_128; $mode = MCRYPT_MODE_CBC; // cipher block chaining $key = sha1('secretPassword', true); // true => raw_output; ??? // how to use SHA256 instead? // Sender $credit_card_no = '4111 1111 1111 1111'; $ivs = mcrypt_get_iv_size($cipher, $mode); $iv = mcrypt_create_iv($ivs); $data = ???($cipher, $key, $credit_card_no, $mode, $iv); // encrpt it $data = base64_encode($data); // to help the data survive going // through transport layers echo 'Encrypted and encoded data: ' . $data . '<br>'; // transmit $data through the Internet // Receiver $data = ???($data); // decode it $credit_card_no = ???($cipher, $key, $data, $mode, $iv); // decrypt it echo 'Decrypted, i.e., original, data: ' . $credit_card_no . '<br>'; ?>
  - How to send error message back?

Learning outcomes
- List the four issues concerning security.
- Distinguish the user authentication and the server authentication.
- How to authenticate servers using digital certificates.
- How to authenticate users using passwords.
- How to redirect to HTTPS.
- How to hash user passwords for user authentication.
- How to encrypt/decrypt data.