Hi,

As far as I can see, the key data is stored unencrypted in the database. Besides a serialization of the token data, no care is taken to protect the key data.
For a module with the purpose to provide a safe login method, I think it would be better to encrypt the token data, if for example the aes module is installed: http://drupal.org/project/aes.

Attached are the few lines of code which would be needed.

Best

Comment | File | Size | Author
 | encrypt-data.patch | 807 bytes | Martin Klinkigt

Comments

Jelle_S

Status: Active » Closed (duplicate)
Jelle_S

Status: Closed (duplicate) » Active
attiks

Apparently aes module does more than providing encryption, see #1762716: separate password viewing feature from rest of module

Are there alternatives?

Martin Klinkigt

Yes, this is right. The module offers more than only encryption. This might be due to the fact that at least some install it.
But I read that http://drupal.org/project/encrypt also uses AES and both modules want to merge together (http://drupal.org/node/607918).

My decision for AES was that it is used more often and so might be more mature.

Until these two merge together, we might be able to offer encryption with both. I think a module which really only does encryption is hard to find, since such a module will demand much attention from the maintainer. But doing such encryption again in the GA Login code is also not so good, I think. The important encryption seed should not be stored in the database, but on the hard disk. This is what AES offers. Setting this up takes quite some lines of code. Furthermore, the best is to use the mcrypt PHP extension. But not all servers have this installed. AES takes care to find all needed libraries and does its own local PHP encryption if it cannot find mcrypt. To copy such code is also not good, I think.

Therefore, because for good encryption several elements are needed and maybe its own maintainer, I think a specialized module is the best.

best regards
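
An added example, not part of the thread and not code from GA Login, AES or Encrypt: the idea in the comment above, encrypting the token secret before it is written to the database with a key read from a file on disk. It uses PHP's OpenSSL extension (AES-256-GCM) in place of either module or mcrypt; the function names, the temporary key file and the sample secret are constructed for illustration.

```php
<?php
// Added illustration; names, key file and sample secret are constructed.
function load_key(string $path): string {
  $key = @file_get_contents($path);
  if ($key === false || strlen($key) !== 32) {
    throw new RuntimeException('Key file missing or not 32 bytes long');
  }
  return $key;
}

// Returns base64(iv || tag || ciphertext); this is what goes in the DB column.
function encrypt_secret(string $secret, string $key): string {
  $iv = random_bytes(12);               // fresh nonce per record
  $tag = '';
  $ct = openssl_encrypt($secret, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
  if ($ct === false) {
    throw new RuntimeException('Encryption failed');
  }
  return base64_encode($iv . $tag . $ct);
}

function decrypt_secret(string $stored, string $key): string {
  $raw = base64_decode($stored, true);
  if ($raw === false || strlen($raw) < 28) {
    throw new RuntimeException('Stored value is malformed');
  }
  $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
    OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
  if ($pt === false) {
    throw new RuntimeException('Wrong key or modified data');
  }
  return $pt;
}

// Demo: a temporary key file stands in for one kept outside the web root.
$key_file = tempnam(sys_get_temp_dir(), 'gakey');
file_put_contents($key_file, random_bytes(32));
chmod($key_file, 0600);                 // readable by the web server user only
$key = load_key($key_file);
$stored = encrypt_secret('JBSWY3DPEHPK3PXP', $key);   // constructed secret
echo "DB value:  $stored\n";
echo "Decrypted: " . decrypt_secret($stored, $key) . "\n";
// A database dump alone, without the key file, cannot be decrypted.
try {
  decrypt_secret($stored, random_bytes(32));
} catch (RuntimeException $e) {
  echo "Without the key file: " . $e->getMessage() . "\n";
}
unlink($key_file);
```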

attiks

Assigned: Unassigned » attiks

I'll try to have a look later today

attiks

Status: Active » Fixed

Added support for AES and Encrypt in latest dev version.

Martin Klinkigt

Hi,

Sorry for my late reply. It is great to see that this one is addressed. I think even if there will be a change in the encryption modules, it is better practice to encrypt such important data as the secret.

Keep up the good work and best regards,
Martin

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.