Thread: [disc] secure communication flash-php

  1. #1
    Senior Member
    Join Date
    Jul 2003
    Location
    Melbourne, Australia
    Posts
    189

    [disc] secure communication flash-php

    In theory, how would one go about ensuring secure communication between flash and some server backend script (I use php), to prevent a third party from imitating a logged in user? Perhaps by sending a request to a .php with &username="XXXXX". I have to admit, my knowledge of the possible ways to hack flash/etc or pretend to be some other IP is limited....but what guidelines would you suggest to follow?

    The ideas I've had so far:

    1) User logs in. Server checks user/pass, create random key for the ip of user. Create session entry in database with user ip and key.
    2) Each time user sends data to server, encrypt using key generated
    3) Server receives data, unencrypts data based on ip of the user that sent the data.
    4) When user logs out, or there is no communication for X mins, remove user session.

    Hope that explanation made sense.

  2. #2
    Ihoss
    Guest
    That is the hardest thing to do. Nobody knows of a perfectly safe method, as people can just decompile the flash or access the php through a form. If you figure out a secure way you can sell it for $1 million to MM (but tell me first)

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Location
    Melbourne, Australia
    Posts
    189
    pssst, Ihoss...here's the secret
    oh ****, everyone else saw....

    anyway....that was why I was thinking of getting the server to generate a session when the user logs in with their username/password,
    even if the flash is decompiled, or the php is accessed from a form, without the key the .php can reject it.

    does this make sense to anyone except me....or has this now half empty bottle of red wine affected my ability to think past the point I should be posting on FlashKit...?

  4. #4
    Cubed Member Soccr743
    Join Date
    Mar 2004
    Location
    Maryland
    Posts
    163
    If this is for a login here is how you could do it...

    If the user has not been registered and they can do that then when they hit the send button to register it uses a hash function to encrypt their data. A hash function is unencryptable, it is like a one way deal. It does not require a key, it just uses the letters already available in the message it is encrypting...

    This would be an idea for making one, this is just a basic one and if I have time I might post the code up for one I will make...

    Get the password and then keep repeating it till it gets to a preset length of let's say 30 chars. Then you take that and XOR the first and the second, the third and the fourth, and so on till you are down to 15 characters. Then what you can do is do a bitshift. Like move each char 15 bits to the left. Then you still have 15 chars and you can store that in your database...

    That hashed password and username, although you just need to hash the password, is stored in a database that you have...

    Then when the user tries to login he types his user name and password, which are hashed when he hits login, and flash sends those variables to the server. Then php checks the hashed values sent with the hashed values in the database. If it finds a match then they are in...

    Don't do the ip thing because there are so many people out there with dynamic ones. Well for my idea you would not need to get their ip...

    So no matter what they could not login because if they got the hashed password then if they applied the hash to that it would give something completely wrong...

    If you use this could I see the outcome?



    -----Soccr743-----

  5. #5
    Senior Member X-Tender
    Join Date
    Jun 2003
    Location
    Germany
    Posts
    507
    You can also try to encode your URL in the flash file TEVAS and ASO (google, can't remember the URL).
    But the problem is still that you need to insert your password into the swf.

    If you make an EXE:
    For a secure password save you need the "Flash Studio"; it can include variables securely in the EXE that you can't see if you decompile the SWF. That's a good way, I think. But it's very expensive if you only need this feature.
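
The per-session key scheme from posts #1 and #3, sketched as an added example that is not code from any poster in this thread: the server issues a random key at login and rejects any request whose HMAC does not verify, so a forged form post without the key fails. It swaps encryption for HMAC-SHA256 request signing, looks sessions up by a random session id rather than by IP, and adds a request counter against replays. The class, constant and field names are hypothetical, and it assumes the login response travels over HTTPS and the client can compute HMAC-SHA256.

```php
<?php
// Added example: in-memory stand-in for the session table from post #1.
// All names (SessionStore, IDLE_LIMIT, the row fields) are hypothetical.
const IDLE_LIMIT = 600; // the "X mins" of inactivity, here 10 minutes

final class SessionStore
{
    private array $rows = []; // session id => user, key, last_seen, counter

    // Step 1: after the password check succeeds, issue a random id and key.
    public function login(string $user, int $now): array
    {
        $sid = bin2hex(random_bytes(16));
        $key = bin2hex(random_bytes(32));
        $this->rows[$sid] = ['user' => $user, 'key' => $key, 'last_seen' => $now, 'counter' => 0];
        return ['sid' => $sid, 'key' => $key]; // assumed to be sent over HTTPS
    }

    // Steps 2-3: accept a request only if its MAC matches the session key.
    // Returns the user name, or null when the request must be rejected.
    public function verify(string $sid, int $counter, string $data, string $mac, int $now): ?string
    {
        $row = $this->rows[$sid] ?? null;
        if ($row === null) {
            return null; // unknown or logged-out session
        }
        if ($now - $row['last_seen'] > IDLE_LIMIT) { // step 4: idle timeout
            unset($this->rows[$sid]);
            return null;
        }
        $expected = hash_hmac('sha256', $sid . '|' . $counter . '|' . $data, $row['key']);
        if (!hash_equals($expected, $mac) || $counter <= $row['counter']) {
            return null; // forged, tampered or replayed request
        }
        $this->rows[$sid]['counter'] = $counter;
        $this->rows[$sid]['last_seen'] = $now;
        return $row['user'];
    }

    public function logout(string $sid): void { unset($this->rows[$sid]); }
}

// Constructed sample: what the client would compute, then the server checks.
$store = new SessionStore();
$s = $store->login('alice', 1000);
$mac = hash_hmac('sha256', $s['sid'] . '|1|score=42', $s['key']);
var_dump($store->verify($s['sid'], 1, 'score=42', $mac, 1010));   // genuine request
var_dump($store->verify($s['sid'], 1, 'score=42', $mac, 1020));   // same request sent again
var_dump($store->verify($s['sid'], 2, 'score=9999', $mac, 1030)); // data changed, old MAC reused
```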
