Hok's Macromedia Flash Blog

macromedia flash actionscript scripting, php, remoting, webservices, c#, javascript

Security: Signed-Server-Operations
using Macromedia Flash Remoting with AMFPHP

Abstract

Internet applications in which users have to be logged in before they are
allowed to perform operations have to be secured against unauthorized persons.
The server therefore has to check whether a client is authorized before it
executes the query.
Whoever has an SSL server available ultimately has no problem as far as
security is concerned: the whole server-client communication is encrypted and safe.
In contrast, signed operations, which are transferred unencrypted, guarantee
only that an operation can be executed only by an authorized client.
They are introduced here.






Safety aspects


  • Identity of the sender
    Identity check, authentication

  • Preventing monitoring
    This is not possible with the procedure presented here, because we use
    only non-decodable hash codes

  • Authenticity
    This is guaranteed by our hash codes

  • Replay of messages
    Prevented by our Operation-Keys, which are nulled after use


Message + Signature = Authenticity


Signature

The authorized client can sign its message. Nobody else can do that,
since nobody else has the appropriate password. We thus use the password
and user name as keys or seals.


Security of the password

The password is insecure as soon as it is transferred in plain text.
We can protect it by transforming it into a hash code with a one-way hash
algorithm (e.g. MD5 or SHA1). But if we now transfer this hash code, an
attacker needs only the hash code to log in himself and/or execute a
critical operation.
That is a problem, and it can be solved by the Operation-Key.


Operation-Key

Before the client can call an operation on the server, it must retrieve an
Operation-Key.
This consists of a random, non-guessable character string. It is valid
for only one operation and must be sent with the call of that operation.
The Operation-Key is stored in a session, so that each user always has
their own Operation-Key.




Signature = md5(Message + operationKey + password + username)


Validating

To check the correctness of the received data, the server builds md5 hashes
from the sent message, the current Operation-Key and the passwords from the
user database.
If none of these hashes matches the transmitted signature, the desired
operation is not executed.
If the server finds a matching md5 hash, we have a guarantee that the
operation was not manipulated and is not forbidden.


MySQL query that tries to find a user:
SELECT * FROM `$dbTable`
WHERE MD5(CONCAT(`$dbColUser`, `$dbColPassword`, '$operationKey',
'$callString')) = '$checksumClient'
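
The exchange described above, as an added example (not the blog's or AMFPHP's code): the server issues a one-time Operation-Key, the client signs a call, and the server looks for a user whose hash matches and nulls the key, first for a valid call, then for a replay and for an altered call. The function names, the in-memory user table standing in for the MySQL lookup, and the use of random_bytes() to generate the key are assumptions of this example.

```php
<?php
// Added example; function names and the user table are constructed.

// One-time Operation-Key, kept per session. random_bytes() is this
// example's choice of generator (assumption, not from the post).
function issueOperationKey(array &$session): string
{
    $session['OPERATION_KEY'] = bin2hex(random_bytes(16));
    return $session['OPERATION_KEY'];
}

// Signature = md5(Message + operationKey + password + username)
function sign(string $message, string $opKey, string $password, string $user): string
{
    return md5($message . $opKey . $password . $user);
}

// Server side: try every stored user, as the SQL query does, and null
// the key so the same signature cannot be presented a second time.
function findSigner(array &$session, array $users, string $message, string $signature): ?string
{
    $opKey = $session['OPERATION_KEY'] ?? null;
    $session['OPERATION_KEY'] = null;
    if ($opKey === null) {
        return null;
    }
    $signer = null;
    foreach ($users as $user => $password) {
        // hash_equals() compares in constant time
        if (hash_equals(sign($message, $opKey, $password, $user), $signature)) {
            $signer = $user;
        }
    }
    return $signer;
}

$users   = ['alice' => 'correct horse', 'bob' => 'battery staple']; // constructed
$session = [];

// 1. Client fetches a key and signs the call; server checks it.
$sig = sign('deleteRecord(42)', issueOperationKey($session), 'correct horse', 'alice');
var_dump(findSigner($session, $users, 'deleteRecord(42)', $sig));

// 2. The captured call and signature are sent again after the key was nulled.
var_dump(findSigner($session, $users, 'deleteRecord(42)', $sig));

// 3. Fresh key, but the call is altered after signing.
$sig = sign('deleteRecord(42)', issueOperationKey($session), 'correct horse', 'alice');
var_dump(findSigner($session, $users, 'deleteRecord(43)', $sig));
```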

Posted by hOk at December 27, 2003 05:35 PM

Comments (12)

Great example, thanks for posting ... MD5 hashing is a good way to introduce security into Flash Remoting projects.

You might also consider SHA1 160-bit hashing which would give even greater security, though for most projects MD5 does the trick.

Posted by Peter Elst at December 27, 2003 08:17 PM

Thanks, I have just seen that since PHP 4.3.0
there is also an sha1 implementation (http://de3.php.net/sha1)
and Branden Hall (http://www.waxpraxis.org) converted
it for ActionScript, so we can easily switch.

Posted by hOk at December 27, 2003 08:53 PM

Hehe Peter,
I have just seen that you also have written
an sha1-implementation for PHP, thanks for
that good work.

Posted by hOk at December 27, 2003 09:01 PM

Thanks, I ported it from Branden's ActionScript version but it's currently still in beta so no promises that it is 100% accurate (haven't had any problems so far) ;)

Posted by Peter Elst at December 27, 2003 10:20 PM

I don't get exactly how you transfer your operation key. Usually in crypto, you'd use an asymmetric algo (private and public key) to transfer a session key, and then use symmetric encryption to do the rest of the operations. You do that because asymmetric encryption is much slower than symmetric encryption. Is that what you're using to transfer your operation key?

Also your signature protocol seems weird. On page 103 of "Practical Cryptography" (B. Schneier & N. Ferguson), you have a good description of Message Authentication Codes (MACs).

Posted by Jean-François Bastien at December 29, 2003 06:52 AM

Thanks for the comment.
The Operation-Key is transferred by the following webservice method:

function getOperationKey ()
{
    // start a session with the user
    session_start();

    // store the operation-key for the
    // next operation
    $_SESSION["OPERATION_KEY"] = md5(microtime() * 1234567);

    return $_SESSION["OPERATION_KEY"];
}

I use the Operation-Key for md5 hashing on the client side:
md5(username + password + message + operationKey).
This md5 hash and the original message (method call)
will be transferred to the server.
The server now needs to check the authenticity of
the message, so it builds its own md5 hash with
the transferred message, the stored username
and password, and the Operation-Key from the current
session.

Now it can compare both md5 hashes to check authenticity.

The only problem that I can see is that the message
will be transferred in clear text, so anybody can
read it. But for many admin operations such as deleting
files or databases etc. this would be enough security.

If we need more security we have to use an SSL server.

I think the Flash Player is too slow to calculate
encryption with 128-bit or more.

Posted by hOk at December 29, 2003 12:59 PM

Hi hOk,
Thanks for the example - I implemented a version of your downloads on my own server testing against MySQL for authentication and it works well! However - I'm not quite following the procedure when calling other methods - should each method call be accompanied by a getLogin() to authenticate? Can you give an example of another signed operation call? For example - a user logs in (getLogin()) and then attempts to delete a record using another method (deleteRecordAt(record_id)) with a 'record_id' parameter. How would you handle this?
Thanks!
Stefan

Posted by Stefan at May 4, 2004 01:40 AM

Hi Stefan,
each service method should be implemented like the login method, but can have additional parameters.
Example:

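function deleteRecord($checksumClient, $recordId)
{
    $callString = "deleteRecord(";

    // Add the additional arguments to the call string,
    // so if we did the same thing in Flash we could be
    // sure that we don't deal with manipulated values.
    //
    // ::ATTENTION::
    // Maybe the string representation in Flash is
    // a different one than in PHP, so we have to take
    // care of this code part.
    //
    // The loop body, the closing ")" and the receiver of checkAllowed()
    // were lost from the posted code; they are reconstructed here as an
    // assumption ("," as separator, $this as receiver).
    for ($i = 1; $i < func_num_args(); $i++)
    {
        if ($i > 1) $callString .= ",";
        $callString .= func_get_arg($i);
    }
    $callString .= ")";

    if (!$this->checkAllowed($checksumClient, $callString))
    {
        trigger_error("Operation not allowed for the current user!", E_USER_ERROR);
        return;
    }

    // record deleting code...

    return true;
}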


Inside the Flash document, you duplicate
the button code and replace getLogin by
deleteRecord. Then you have to change the
callString variable from 'deleteRecord()' to 'deleteRecord(42)'.

regards, Holger

Posted by hOk at May 4, 2004 02:37 AM

Thanks Holger!
I suspected it might be like that but wasn't confident enough to go ahead and implement everywhere.
regards
Stefan

Posted by Stefan at May 4, 2004 04:57 AM

Yes, the documentation and the interface could
be better.
Just a tip, you could return the operation-key
from any service-method, this would make the
code on flashside easier.

regards, Holger

Posted by hOk at May 4, 2004 10:48 AM

Ah, so, store the initial authentication and re-use it for subsequent method calls? I did wonder whether you actually ever remotely called your destroySession() method as it is never called internally in the getOperationKey() method - is that an omission or was it a conscious decision to make the above suggestion possible?

Posted by Stefan at May 5, 2004 02:18 AM

I don't understand exactly what you mean.
You could call getOperationKey as a service
from flashside before calling other service methods.
That's exactly what the login script on flashside
does.
But if your service-method returns the next operation-key,
you got it on flashside, so you don't need to
call getOperationKey before calling the next
service-method.

Posted by hOk at May 5, 2004 01:16 PM

