0

In order to respect the users' privacy, I need to encrypt each user's information with a key that only they themselves know it. Server and anyone who can access the server or database are not supposed to be trusted

So, I am going to use each user's password to encrypt his/her security critical data. and this is the reason that I need to store the password while the session is alive, in order to encrypt and decrypt their informations.

And here is the question: If I save the password in a session, is it possible for an attacker with full access to the server to retrieve stored password from the session?

Soroosh Ghaffari
  • 33
  • 5
  • 2
    So, you want to save the password on the server but you also say the server can't be trusted, then why do you want to save the password on the server? Contradiction contradiction... – Charlotte Dunois Mar 18 '16 at 18:03
  • In order to achieve this you need to encrypt/decrypt data on the clients computer, not the server. But you can not use JS, as if you can not trust the server you can not trust the server to serve the correct JS. And can you really do it at all? Can you trust the clients computer...? – JimL Mar 18 '16 at 18:08
  • If you are trying to encrypt the data via the password salt then only the password will be able to decrype the data. You wont be able to do any processing on the data because of it being scrambled, or at least the user table data would if you abstract the contents from the actual users. The question though is.... If it is known that the server cant be trusted, the users may not believe that the server is actually encrypting the data at all. – Fallenreaper Mar 18 '16 at 18:08
  • Passwords shouldn't be retrievable. Hash them and have them be reset if they need to be retrieved. – chris85 Mar 18 '16 at 18:08
  • i dont like md5 anymore, but i usually do a dbl hash. once on the client, once on the server. That way data over the wire isnt plain text, but at the same time, just in case the users manage to disable the hashing clientside via javascript, at least the extra hash keeps it safe in the servers.. – Fallenreaper Mar 18 '16 at 18:10
  • Short Answer: Yes an attacker with full access to the server can retrieve the password from the temp session file – cmorrissey Mar 18 '16 at 18:11
  • @Fallenreaper use TLS (SSL) to encrypt data in transport, don't use MD5 at all for passwords. – JimL Mar 18 '16 at 18:12
  • @CharlotteDunois the session is the only place that the password is stored in and I am not sure that is it secure to do it this way or not? So, I am asking... – Soroosh Ghaffari Mar 18 '16 at 19:34
  • @Fallenreaper I am going to grant read access to users on application directory, so that they can assure encryption is done! – Soroosh Ghaffari Mar 18 '16 at 19:38
  • @cmorrissey are you sure about this? can you please guide me about how is it done? – Soroosh Ghaffari Mar 18 '16 at 19:40

2 Answers2

2

You question doesn't make a lot of sense.

I need to encrypt each user's information with a key that only they themselves know it.

You're talking about end-to-end encryption

I need to store the password while the session is alive

You know the users' passwords!

You should decide if you want to use end-to-end encryption (where they key never leaves the user's computer), or not.

is it possible for an attacker with full access to the server to retrieve stored password from the session?

Yes

Neil McGuigan
  • 46,580
  • 12
  • 123
  • 152
  • It's not about end to end encryption. All the encryption is done in the server side. I don't save user's password, so I don't know it (I use hashed password) the only place that password is stored in as plain text is in the session – Soroosh Ghaffari Mar 18 '16 at 19:31
  • @SorooshGhaffari well you should if `Server and anyone who can access the server or database are not supposed to be trusted` – Neil McGuigan Mar 18 '16 at 19:33
1

Short Answer: Yes an attacker with full access to the server can retrieve the password from the temp session file.

Here is a quick example where we place the session file next to our php file and then read its contents.

<?php

session_save_path('./');
session_start();

$_SESSION['password'] = 'xc4qh8wzza1xmx6vhf0nfuzluigqxlj';

echo file_get_contents('./sess_' . session_id());

?>

The result is

password|s:31:"xc4qh8wzza1xmx6vhf0nfuzluigqxlj";

As you can see the data is stored in plain text and can be easily read.

cmorrissey
  • 8,493
  • 2
  • 23
  • 27