#native_company# #native_desc#

Write an Ajax-driven Login Application in PHP Using SSL/TLS

By Octavia Andreea Anghel
on September 8, 2010

In this article you will learn how to write a login application in PHP using Ajax and SSL/TLS in two ways:
  1. Using aSSL (Ajax Server Secure Layer), a library that implements a technology similar to SSL without HTTPS
  2. Using simple Ajax and OpenSSL, an open source implementation of the SSL and TLS protocols

What aSSL Is and How to Use it

The aSSL library is distributed under the MIT License, and it is implemented by using two components:
  • A client-side component, which is always composed of JavaScript files
  • A server-side component, which depends on specific languages such as PHP, Java, Ruby, JavaScript, etc.
The aSSL library enables the client side to negotiate a 128-bit random key with the server using the RSA algorithm. This algorithm is for public-key cryptography and it involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can be decrypted only with the private key. After the connection has been established, the data will be sent and received using the Advanced Encryption Standard (AES) algorithm. In cryptography, AES is a symmetric-key encryption algorithm based on a design principle known as a substitution permutation. AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits. Its cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext.
The latest aSSL library as of this writing, version 1.2.1, works as follows:
  1. The browser calls the server to start the process.
  2. The server returns its RSA part and the public key.
  3. The browser generates a random exchange 128-bit key, encrypts it using the server public key and passes the encrypted exchange key to the server.
  4. The server receives this encrypted 128-bit exchange key, decrypts it with its private key and, if the result is ok, returns the session duration time.
  5. The browser receives the session duration time and sets a timeout to maintain the connection.
To use the aSSL 1.2.1 library in PHP you should download the ZIP archive assl1.2.1PHP4.zip and then unzip this archive and put the subfolder assl in the Apache-specific folder.

Writing the PHP Login Application

After unzipping the assl1.2.1PHP4.zip archive in the specific Apache folder, you should see the structure of directories shown in Figure 1. This structure already contains a simple login application example, which I will explain in the sections to follow.

Click here for larger image

Figure 1. The structure of the assl subfolder after unzip the archive into the specific Apache folder
You can modify the index.php, login.php and conn.php PHP scripts to create a custom application that needs the cryptography implementation. In this section, I will explain this specific example using aSSL. In the next section, I will explain how to create an example that uses the Ajax and OpenSSL.

Note: All subsequent client/server exchanges via aSSL are encrypted and decrypted using AES. The aSSL library allows multiple secure connections to be established with one or more servers simlutaneously.

The listing of index.php (see Listing 1) establishes an aSSL-encrypted connection with the server. If successful, the time used to establish the connection will be listed. If not, a message error will be returned: “Unable to establish an aSSL encrypted connection.” The showConn is the function that the aSSL.connect method calls after the connection is established. After the connection has been established, a login attempt will begin by calling the loginGo function, which encrypts the querystring and runs the Ajax process using the POST method.
The login.php script used by this POST method starts a session as the AES key is stored in $_SESSION, decrypts the server request and outputs the result:

//start session as AES key is stored in $_SESSION
//require needed files
require_once 'assl-php/assl.php';
//decrypt server request
$decrypted = aSSL::decrypt($_POST['data']);
//get associative array from encrypted data
$res = aSSL::querystr($decrypted);

//valid users
$users = array('guru' => 'jolly', 'admin' => 'crazy');

$result = ($users[$res['nickname']] && $users[$res['nickname']] == $res['password']) ? 1 : 0;
//output result. It can be done with aSSL::send($result) if data returned to server should be encrypted.

The conn.php script launches the aSSL.connect method to establish the aSSL connection:

//start session as AES key is stored in $_SESSION
//require file with key(s)
require_once 'mykey.php';

// the aSSL library
require_once 'assl-php/assl.php';

// To establish the aSSL connection it is sufficient the following line:
aSSL::response(isset($_GET['size']) && $_GET['size'] == 512 ? $myKey512 : $myKey);

Figure 2 shows the aSSL login example output before inserting any values, and Figure 3 shows the output of this application after a successful login.

Click here for larger image

Figure 2. The aSSL login example output before inserting any values

Click here for larger image

Figure 3. The output of this application after a successful login
If you want to generate a RSA key, the aSSL library also has a tool for that (see Figure 4). You can generate a RSA key at the RSAKeyGenerator.asp link.

Click here for larger image

Figure 4. Generating a RSA key using aSSL tool
Using this library was not hard, and the example was very useful. You should implement it in your application at some point.