One password for Drupal login and data decryption.
| Project: | Client Side Encryption |
| Version: | 6.x-2.0 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Jump to:
First, thanks for the module. It (almost perfectly) suits a potential project I have been researching.
For this project, it would be ideal if one would be able to use a single password to both log-in to Drupal and to decrypt content.
Instead of the use case where multiple people with different privileges would have access to the same node (and be able to access encrypted data using a second password), only the user who created a node would have access to it.
Correct me if I'm wrong but the process would look something like this:
- User visits Drupal site and enters his username and password into the login form.
- The client side script hashes the password and submits the username and login.
- Server validates that the username and hashed password are correct. The user is now logged in.
- The server will subsequently serve pages containing encrypted data (that was previously provided by the same user and encrypted client-side before submission).
- Since the password was previously entered at login, it could be used again by the client to decrypt data on the page.
Does that make sense?
I realize that Drupal currently accepts a cleartext password and hashes it before storing in the DB. I have not problem making the necessary PHP changes to modify this. My problem is the client-side stuff.
Let me know what you think. Cheers!
Mark
#1
To clarify step 2. above:
2. The client side script hashes the password and submits the username and login.
Should read:
2. The client side script hashes the password and submits the username and hashed password.