Current implementation of dokeos_sso_auth() for D6 and D5 uses sha1(user_password) as a "secret" shared Dokeos LMS and
Drupal. Problem is that D7 is now storing obfuscated version of password+salt, so the 'secret' had to change.

I have committed a new version using sha1(dokeos_app_key) as the 'secret' and had to patch current Dokeos LMS implementation of SSO auth.

Please do some testing but D6 and D5 are our priority (in order to release 1.0)

Comments

ywarnier’s picture

ywarnier commented

What changes did you do to Dokeos exactly? I'm not sure we can nicely support 2 types of encryption (depending on the version of Drupal) and still say that we are not affecting Dokeos' performance... :-/

develcuy’s picture

develcuy commented

By first we should improve security. Actually, mollom module, uses private and public keys to communicate to its SPAM prevention services.

I like AES http://www.phpclasses.org/browse/package/4238.html and sha1 keys. So, the flow might be:
1. Drupal is Master :P
2. Dokeos is Slave
3. Slave crypts all his communication with private key using public key as username :)
4. Master crypts all communication with Slave identified by public key using corresponding private key

Blessings!

ywarnier’s picture

ywarnier commented

I don't understand where the public/private key pair resides in AES or SHA1... If you only ever encrypt things on one side and don't send your public key to the other side...
From what we had discussed at the time, the only way to get true public/private associations in PHP over HTTP is actually to use HTTPS... remember?
Either way, we (dokeos) would welcome a move from MD5 to SHA1, but I thought it was already the case, as one of the corresponding lines of Dokeos says:

if ($sso['secret'] === sha1($uData['password']) && ($sso['username'] == $uData['username'])) {
develcuy’s picture

develcuy commented

The use of HTTPS is a recommendation but we should provide some "secure" way, better than our current one.
AES is really good to encrypt with a given key, that key might be a SHA1. And AES have a pure PHP implementation, seems like a good suite for me, at least for shared hosting.

ywarnier’s picture

ywarnier commented

OK, so knowing that we already have an SHA1 key, we just need to implement AES then. Any hurry or should we leave it for the 7th of November meeting?

develcuy’s picture

develcuy commented

Bad news, SHA1 is not considered secure anymore, see: http://www.apache.org/dev/openpgp.html#sha1, http://www.apache.org/dev/release-signing.html

develcuy’s picture

develcuy commented

Just found we can use built-in hash() function:

print hash(’sha256′, ‘The quick brown fox jumped over the lazy dog.’) . "<br>\n";
print hash(’sha512′, ‘The quick brown fox jumped over the lazy dog.’) . "<br>\n";

+1 for sha256

develcuy’s picture

develcuy commented
Project: Dokeos Integration » Chamilo integration
Version: 7.x-2.x-dev » 7.x-1.x-dev