Authentication Security
Last updated 2 years ago.
0

Well, first of all, if you're transmitting the plain-text password, then you don't need to do anything in Java. Just run that password through Auth::check($username, $password) and that's all you have to do.

However, you SHOULDN'T be transmitting that password as plain text; you should be two-way encrypting it first and then sending it over SSL. You can't one-way encrypt with Bcrypt because the salt is 100% random. You will never be able to reproduce the same salt twice in order to compare the hash directly.

So what you do is this at a minimum (though this is not ideal):

http://laravel.com/docs/security#encryption

  1. Get the key that's set in app.config.php.
  2. Find an AES-256 encryption algorithm for Java, and also look up the cipher mode used by Laravel. You'll have to read through the source code to find out if it's something like CBC.
  3. Use the key from app.config.php as the key for writing the encryption in Java.
  4. Encrypt the user's password with that algorithm and key.
  5. Send the encrypted password to Laravel, and decrypt it. It should decrypt fine since they used the same algo and same key.
  6. Check the password with Auth::check($username, $password).

However, what you really should be doing is public/private key encryption instead of encrypting with two private keys.

Basically, you would generate a public/private key pair in Java one time, since the Java app is the one doing the encrypting. Give the public key to Laravel ahead of time, and encrypt the password with the private key in Java. Assuming both are using the same algorithm, you should then be able to decrypt the password using the public key that you generated. You can store that key in a config in Laravel somewhere.

But in addition to all of this, you should also be using message signing with hash_hmac, and of course, transmitting everything over SSL.


First of all, I already use an SSL connection, and I have two things to say about your answer (thanks for your answer).

The first is that you mentioned AES-256, why? I think Laravel uses the Bcrypt algorithm (http://laravel.com/docs/security#storing-passwords), and the second is that the private/public key that you propose is similar to the SSL mechanism.

Thanks for your answer.

Edit: I went to your link (Laravel docs) and it mentioned AES-256. So what is the algorithm that Laravel uses? AES or Bcrypt?


Laravel uses Bcrypt for one-way hashing, and it uses AES for two-way encrypting.

As I said in the above post, you cannot use Bcrypt to create a deterministic hash because the salt is randomized every time. You must two-way encrypt the plain-text password, send that encryption to Laravel, decrypt it with Laravel, and then use Laravel to check the password.


Laravel uses both for different things. For the Auth class it uses bcrypt. Passwords shouldn't be reversible in the database. It also uses the Crypt class for anything else that needs to be protected but also decrypted. The default AES is rijndael-256 with CBC. You can find this at vendor/laravel/framework/src/Illuminate/Encryption/Encrypter.php.

You encrypt the password on the Android app to make sure it won't be seen when transmitting, even over SSL, in case of a MITM attack.

The flow @GRAgmLauncher is proposing is as follows:

  1. User enters password in Android app
  2. Android app encrypts the password with AES
  3. Android app transmits over SSL the username and encrypted password
  4. Your Laravel app decrypts the encrypted password
  5. Your Laravel app uses Auth::check to determine if the password was correct.

RdlP rdlp Joined 12 Mar 2014