Tags: php, security, ldap, security-by-obscurity

Secure Connection to LDAP Server


I am using a hash to encrypt and decrypt my passwords which I am sending to a class construct. Example below:

    public static function HashPassword($Password){
        $salt = self::$Salt;
        return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $salt, $Password, MCRYPT_MODE_ECB,
            mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
    } // Get hashed Password

Then the decryption, which is in a protected static function:

    protected static function DecryptPassword($Password){
        $salt = self::$Salt;
        return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $salt, base64_decode($Password), MCRYPT_MODE_ECB,
            mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));
    } // Decrypt the password

I am then calling the connection via:

$Connection = LDAP::Connect('LDAPSERVER','LDAPLOGIN','onVidHn5r4WNyxzlDHD8TvUY9AjyiHg+ZC5PoOhIXkU=');

For security reasons, I have implemented a dummy password and hidden my server credentials.

The connect function:

    public static function Connect($Host, $Username, $Password){
        self::$Host = $Host;
        self::$Admin = $Username;
        // Assign to global variables to be used throughout this framework
        $Password = self::DecryptPassword($Password);
        self::$Password = $Password; // Assign the decrypted password

        $LDAPServer = ldap_connect($Host);
        $Connect = ldap_bind($LDAPServer, $Username, $Password);
        if (!$Connect){
            die("Cannot Connect To LDAP Server");
        }
    }

My overall question is: is this a valid method of security for transmitting the password with a secret salt to my API?

It is my preference not to input passwords as plain text:

ldap_bind('host','user@server','PlainTextPassword');

The above is an example, which to my preference is something I cannot accept.

So is this a valid method to securely connect to my LDAP server using the TCP protocol?

Despite the looks of this question, I can confirm that I can successfully connect to my LDAP server providing the right credentials are input, so this is not a problem. I'm merely asking from a security aspect: without the security knowledge, I do not wish to compromise the data or the server in any way, shape or form, hence why this is in production phases and only accessible to one user, which is myself.


Solution

  • This is completely pointless, I'm afraid.

    This does not give you any additional security in terms of establishing the connection to the server, as the password is still transmitted to the server in its decrypted form. The only thing this does is obfuscate the password in your source code - and I say "obfuscate" rather than "encrypt" because all the necessary information to decrypt the password to its source text is also contained within your source code.

    So Is this a valid method to securely connect to my LDAP server using the TCP protocol?

    No. If you want a secure connection, you will need to use LDAP over SSL.
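As an added example (not the answerer's code), this is what the recommended approach looks like with PHP's ldap extension: the bind still sends the real password, but only inside TLS (LDAPS on 636, or StartTLS on 389), and the secret is read at runtime instead of being obfuscated in the source. The host name, bind DN and the `LDAP_BIND_PASSWORD` environment variable are assumed placeholders.

```php
<?php
// Added example: protect the LDAP bind with TLS rather than "encrypting" the
// password in source code. Host, bind DN and env var name are placeholders.

function ldapSecureConnect(string $host, string $bindDn, string $password, bool $useStartTls = false)
{
    // ldaps:// wraps the whole session in TLS from the first byte;
    // StartTLS connects in clear on 389 and upgrades before the bind.
    $uri  = $useStartTls ? "ldap://{$host}:389" : "ldaps://{$host}:636";
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("Malformed LDAP URI: {$uri}");
    }

    // LDAPv3 is required for StartTLS; disabling referral chasing stops the
    // client from silently re-binding (with the password) to another host.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if ($useStartTls && !ldap_start_tls($ldap)) {
        // Never fall back to a plaintext bind when the TLS upgrade fails.
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ldap));
    }

    // Simple bind: the password crosses the wire, but now only under TLS.
    if (!@ldap_bind($ldap, $bindDn, $password)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

// Keep the secret out of the source tree: read it from the environment
// (or a secrets manager) at runtime, and fail closed if it is missing.
$password = getenv('LDAP_BIND_PASSWORD');
if ($password === false || $password === '') {
    fwrite(STDERR, "LDAP_BIND_PASSWORD is not set\n");
    exit(1);
}

$conn = ldapSecureConnect(
    'ldap.example.com',                          // placeholder host
    'cn=svc-app,ou=service,dc=example,dc=com',   // placeholder bind DN
    $password
);
echo "Bound to the directory over TLS\n";
ldap_unbind($conn);
```

With LDAPS the server certificate is verified by libldap's default `TLS_REQCERT demand` policy, so a directory presenting an untrusted certificate fails the connect rather than exposing the bind.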