Thread

Hi,
I have been asked by my client to implement some security measures and I am looking for some help (and hopefully a plugin or two).

The key challenges are:

Authentication options - is it possible to change the control panel login so that the user would enter selected digits from their username and password? i.e. please enter the 4th, 5th and 8th digit of your password.

Encryption - is there a way of encrpting data that is enter into certain weblogs? They want users to enter financial information so it can’t be stored as plain text.

https - is it possible to change the control panel login and certain pages on the website so that they use SSL certificates?

Thanks in advance
Gary

Moved to HowTo by Moderator

Hi, Gary.

https - is it possible to change the control panel login and certain pages on the website so that they use SSL certificates?

Yes, it is. I’ve done it on a few client sites.

As far as the other items go, not directly out of the box.

I’m going to move this to the HowTo forum so that other members of the community can chime in.

Thanks Sue,
Regards the https, can you point my in the direction of anything explaining how to do it within the EE structure?

I looked into the Encyrption side of things and a few people state that they have used AEO encryption but I have not idea how to do it.

Gary

Authentication options - is it possible to change the control panel login so that the user would enter selected digits from their username and password? i.e. please enter the 4th, 5th and 8th digit of your password.

No, that’s not possible out of the box. Not saying it couldn’t be done, but you’d probably need to write your own authentication module.

Encryption - is there a way of encrpting data that is enter into certain weblogs? They want users to enter financial information so it can’t be stored as plain text.

Again, not out of the box. See this article for a recent discussion.

Hi Ingmar,

Thanks for your response. Have you ever used AEO encryption with EE? It seems to what people have used in the past but I dont really know anything about it.

Thanks
Gary

Do you maybe mean AES encryption?

Seems like you could do the encryption either in PHP or in MySQL (or whatever db you are using)

These look interesting:

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html
http://www.ibm.com/developerworks/opensource/library/os-php-encrypt/

What kind of attacks do you think you are protecting yourself against by encrypting your data?  How do you expect to decrypt it in a way that would not also be accessible to the attacker?

The Grendel link above looks interesting as it uses the user password as the key.  This is good and bad I suppose.  You don’t really want to store the key anywhere on the server tho do you, otherwise what’s the point of encryption, right?

Not sure how this could be made to work with EE.

I am sure there are some smart folks doing this with EE, but it’s not clear to me how best to approach it myself.

Have you ever used AEO encryption with EE? It seems to what people have used in the past but I dont really know anything about it.

I don’t even know what “AEO encryption” is, so, sorry, no. I have done some trivial symmetric encryption, but that’s it.

The Grendel link above looks interesting as it uses the user password as the key.

What’s more, it’s a “public key” approach, meaning that not even the site owner can get at the data since only the owner has the corresponding private key.

You don’t really want to store the key anywhere on the server tho do you, otherwise what’s the point of encryption, right?

There are still plenty of scenarios where using symmetric encryption, even if you store the key on the server somewhere, makes perfect sense.

Not sure how this could be made to work with EE.

A custom module and/or extensions, most likely.

Thanks for all the info guys.

In case anyone is interested below is what I haev decided to do:
- Use the EE control panel as normal but apply SSL to the login screen
- Create a custom MySQL table within my EE database for storing my sensitive data
- Include a custom PHP script within an EE template. The custom PHP script will use public key encryption (http://www.webtatic.com/blog/2009/07/php-public-key-cryptography/)
- Write a simple desktop JAVA app to retrieve the data from the database and decrypt it using a private key locally.

A question that I still have is, how do I apply an SSL certificate to the login screen and change it to use https:// addresses. Also how do I change a couple of of EE templates to use https://?

Thanks again
Gary

- Write a simple desktop JAVA app to retrieve the data from the database and decrypt it using a private key locally.

Wow. I never would have thought of that. Let us know how that works out for you!

A question that I still have is, how do I apply an SSL certificate to the login screen and change it to use https:// addresses. Also how do I change a couple of of EE templates to use https://?

This looks like a reasonable approach, untested by me:

http://www.besthostratings.com/articles/force-ssl-htaccess.html

In case that URL changes, here’s what we’re talking about…

I think this code in an .htaccess file at the level of your control panel will do what you want:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ <a href="https://www.example.com/$1">https://www.example.com/$1</a> [R,L]

In case you wish to force HTTPS for a particular folder you can use:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} somefolder 
RewriteRule ^(.*)$ <a href="https://www.domain.com/somefolder/$1">https://www.domain.com/somefolder/$1</a> [R,L]

You can get fancy and have it grab the hostname as well, makes your code more portable from development to test to production servers, using %{HTTP_HOST} but am not sure of the exact syntax.

Thanks Peter, that sounds like a sensible approach.

I will let you know how the JAVA app goes, I’ll be getting lots of help from a JAVA expert… no way I could do it on my own !!!