ok, here's an idea:

Either use a script off the web, or write your own:

During the initial SSL session setup:

- send an e-mail to the client with a web page attached. (include instructions in the e-mail) Put javascript into the page to decrypt RC5 (apparently you can get a patch for MySQL to enable RC5 functionality)
- During the session put the client's key & encrypted login details into a text file & have them save it to their hard disk
- When the client wishes to view their login information, instruct the client to:
  - open the web page attached to the e-mail
  - use a form in the web page to browse for the text file they saved to their hard disk
  - use the RC5 decryption script embedded in the web page to decrypt the client login info

or something like that...

cheers,
Gav

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
Sent: Wednesday, 20 November 2002 1:01 AM
To: 'Jeremy Wilson'; 'Jason Vincent'; php-db@lists.php.net
Subject: RE: Email Encryption?

Hi All,

I want to thank everyone for their suggestions.

As a short term solution we're simply going to remove the "username" from the email. This way if a hacker does obtain the email they don't have the complete details to gain access to the user's account.

I would like to know more about the code supplied below though. How does this work? As long as they HAVE a string that gets compared in the DB then what good is this? They can still gain access to the user's account.

Thanks again.

Aaron

-----Original Message-----
From: Jeremy Wilson [mailto:jwilson@internetarmy.net]
Sent: November 16, 2002 1:08 PM
To: 'Aaron Wolski'; 'Jason Vincent'; php-db@lists.php.net
Subject: RE: Email Encryption?

$encrypted_string = md5(base64_encode($var.'secret key'));

Pass the user name or password to $var and place text in to replace the words 'secret key'.
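Added example, not part of the thread and not any poster's code: it runs the one-line digest from the message above through two server-side designs, to show when the emailed string is itself a working credential and when it is not. The function names, the in-memory users array and the sample password are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The key, password and in-memory
// users array are constructed sample values; function names are hypothetical.

const SECRET_KEY = 'secret key'; // placeholder text from the thread's snippet

// The thread's expression: a keyed one-way digest. It cannot be decrypted,
// so a recipient cannot recover the original password from it.
// md5 is kept only to mirror the snippet; password_hash()/password_verify()
// are PHP's purpose-built functions for stored passwords.
function thread_digest(string $var): string
{
    return md5(base64_encode($var . SECRET_KEY));
}

// Design 1: the digest is emailed and the store compares the submitted
// string directly with the stored value, so the string is the credential.
function login_with_emailed_string(array $users, string $user, string $submitted): bool
{
    return isset($users[$user]) && hash_equals($users[$user], $submitted);
}

// Design 2: the digest stays in the database; the user types the password
// over SSL and the server recomputes the digest before comparing.
function login_with_password(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && hash_equals($users[$user], thread_digest($password));
}

// Constructed users table holding only the digest of the password.
$users = ['alice' => thread_digest('s3cret-pass')];
$seenInEmail = $users['alice']; // the string a reader of the email would hold

// Submit the emailed string to each design, then the real password to design 2.
var_dump(login_with_emailed_string($users, 'alice', $seenInEmail));
var_dump(login_with_password($users, 'alice', $seenInEmail));
var_dump(login_with_password($users, 'alice', 's3cret-pass'));
```

Design 1 accepts the emailed string, which is the situation Aaron's question describes; design 2 rejects it and accepts only the password itself.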

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
Sent: Friday, November 15, 2002 8:45 AM
To: 'Jason Vincent'; php-db@lists.php.net
Subject: RE: Email Encryption?

Well.

It's not what they want.. it's what one of their clients wants (very big corporation with very unrealistic security standards - you'd think they were NASA or something *grumble*)

Their thought is that someone could hack the received email, login to the store using the publicly displayed login details and wreak havoc on the store, etc.

*shrugs*

Sadly this isn't open for debate as a solution IS required.

Any thoughts?

Aaron

-----Original Message-----
From: Jason Vincent [mailto:jayv@nortelnetworks.com]
Sent: November 15, 2002 11:42 AM
To: Aaron Wolski; php-db@lists.php.net
Subject: RE: Email Encryption?

Why email? If the Admin tool uses SSL, that is all you need.

Regards,
J

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
Sent: Friday, November 15, 2002 11:39 AM
To: 'Aaron Wolski'; php-db@lists.php.net
Subject: RE: Email Encryption?

Just thinking here..

PGP is not an option as it would mean EACH user being set up would need the company's public key to decrypt. Not possible as they set up a few hundred accounts each month.

Hmm.. anything else?

Argh :(

Aaron

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
Sent: November 15, 2002 11:36 AM
To: php-db@lists.php.net
Subject: Email Encryption?

<OFFTOPIC>

Sorry for the off topic guys..

But I've just been informed that an application we developed for a client whereby they use an Admin tool to set up user accounts into their store needs to have the login (username and password) encrypted.

I am thinking PGP for this but to be honest I've never really worked with PGP and wouldn't have the first clue.

Does anyone have any experience with this or can offer any advice at all?

Again, sorry for the OT discussion.

Aaron

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php