-----Original Message-----
From: Matt Liotta <[EMAIL PROTECTED]>
To: CF-Talk <[EMAIL PROTECTED]>
Date: Mon, 5 Jan 2004 10:25:27 -0500
Subject: Re: Password Logic

> but you only need the public key for password verification (e.g. encrypt
> the password again and verify the encrypted data). Only selected personnel
> would have access to the private key in case anything needs to be decrypted.
> This could also happen from an intranet system that has access to the same
> database.
>
> While you can use a public key to verify a password, you need the
> private key to encrypt the password in the first place.

Actually that is not true.

Imagine the following scenario:

The webserver only has the public key. The user enters his password for the
first time and the webserver encrypts it using the public key (no problems
there, only someone with the private key can now read the password). To
verify the password the webserver only has to re-encrypt the entered string
and compare the two encrypted strings.

As for decrypting the password, this is not possible on the webserver itself
(it does not have the private key), but support personnel working on a
different server which does have the private key can always decrypt the
string if the need should arise.

I have implemented this before, so I know it is possible. You just need to
pick the right method of encryption.

Jesse
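The scheme Jesse describes, as an added example that is not code from this thread: a toy model in Python using textbook (unpadded) RSA, with deliberately tiny key sizes that are not for real use. The web server holds only the public key, stores the encrypted password, and verifies a login by re-encrypting the attempt and comparing; a support system holding the private key can decrypt the stored value. The example also shows the two properties a practitioner should check before adopting this: the re-encrypt-and-compare step only works when encryption is deterministic, so any randomised padding (PKCS#1 v1.5 and OAEP both add random bytes) breaks the comparison, and a deterministic ciphertext can be brute-forced by anyone who holds the public key and the stored value, which is exactly the exposure of an unsalted password hash. All function names, the 8-byte random pad and the candidate password list are this example's own constructions.

```python
"""
Toy model of "encrypt with the public key, verify by re-encrypting".
Textbook (unpadded) RSA is used because the comparison only works when
encryption is deterministic.  Added example, not code from the thread;
key sizes are tiny on purpose and must NOT be used for real passwords.
"""
import secrets
from typing import Iterable, Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set (so the modulus has full size)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 256) -> Tuple[PublicKey, PrivateKey]:
    """Return ((n, e), (n, d)). 256-bit modulus: toy size, chosen for speed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def raw_encrypt(public: PublicKey, message: bytes) -> int:
    """Textbook RSA: no padding, so equal inputs give equal ciphertexts."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def raw_decrypt(private: PrivateKey, ciphertext: int) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# --- the scheme as described in the thread ---------------------------------

def store_password(public: PublicKey, password: str) -> int:
    """Web server (public key only): encrypt the password at signup."""
    return raw_encrypt(public, password.encode())


def verify_password(public: PublicKey, stored: int, attempt: str) -> bool:
    """Web server: re-encrypt the attempt and compare; no private key needed."""
    return raw_encrypt(public, attempt.encode()) == stored


def recover_password(private: PrivateKey, stored: int) -> str:
    """Support system holding the private key: decrypt the stored value."""
    return raw_decrypt(private, stored).decode()


# --- the two caveats a practitioner should see ------------------------------

def padded_encrypt(public: PublicKey, message: bytes, pad_bytes: int = 8) -> int:
    """Stand-in for randomised padding (PKCS#1 v1.5 / OAEP): random bytes are
    prepended, so the same message encrypts differently every time."""
    return raw_encrypt(public, secrets.token_bytes(pad_bytes) + message)


def padded_verify_fails(public: PublicKey, password: str) -> bool:
    """True when two padded encryptions of one password differ, i.e. the
    re-encrypt-and-compare check cannot work with randomised padding."""
    first = padded_encrypt(public, password.encode())
    second = padded_encrypt(public, password.encode())
    return first != second


def dictionary_attack(public: PublicKey, stored: int,
                      candidates: Iterable[str]) -> Optional[str]:
    """Anyone with the public key and the stored value can test guesses
    offline, exactly as against an unsalted password hash."""
    for guess in candidates:
        if verify_password(public, stored, guess):
            return guess
    return None


if __name__ == "__main__":
    pub, priv = generate_keypair()
    stored = store_password(pub, "correct horse")
    print("login ok:", verify_password(pub, stored, "correct horse"))
    print("support recovers:", recover_password(priv, stored))
    print("padding breaks compare:", padded_verify_fails(pub, "correct horse"))
    print("guessed:", dictionary_attack(pub, stored, ["password", "correct horse"]))
```

Run it as a script to see each property in turn. The deterministic check and the offline guessing attack are the same operation: whatever lets the web server verify a password without the private key lets an attacker with the same public key and a copy of the table verify guesses too, so the stored values deserve the same protection as unsalted hashes.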