UBB.Developers Forums Community Development Programming PHP and Server-side Scripting UBB Private Forum Security Mod-Enhancement

I am not sure if this is the right place to post/ask this/these questions, but I'll ask anyways!

I am "attempting" to create a very secure UBB private forum.

My "goal" is to require a "key disk" be present in the users computer before he/she can gain access to the private forum.

Here's what I want to do.

When the "potential" user clicks on the private forum and gets the log in page (USER NAME, PASSWORD, FORUM PASSWORD), I want a SCRIPT program (JSCRIPT, PERL, ????) to generate a random "seed" (string of numbers and or letters) that is automatically sent to the users computer.

I have a program which will then pass the seed to a program that is resident on one of the drives (floppy/CD).

That program "encrypts" the seed into a PASSWORD which is displayed on the users screen (window).

The user than enters that PASSWORD into the UBB screen where it is compared to the required password (which is computed in parallel i.e. same calculation using same seed as user's program).

If there is a match, the user is granted access to the private forum.

Every time that the user signs into the forum a new "random seed" is generated and passed to the host.

Or a "time out" cookie is generated so that he will have access for a limited period of time before having to sign in again (new seed-password cycle).

What I need advice/assistance/hire some one in modifying UBB to have log in screen generate and pass the seed to the user's computer, calculate password on server (UBB side) from seed, and then compare passwords and grant/deny access. And possibly generate short lived cookie.

Anyone who would like to discuss this project (offer their services) can contact me.

Please forgive me for posting on more than one forum.

well well... You want a really unnecessary thing (I think)

If you want to set a session cookie, then you can add an extra small routine to ubb. Also, you can edit ubb code to crypt the cookie password. You'll get crypted password from the cookie and you can compare it with the one in the user db.

I agree with jeo, unless you admin the FBI board

Sounds like you want a RSA Key for UBB...that is a neat idea. (I wouldn't use it, but it still is neat.) Unfortunately, I don't think you'll have much luck finding anyone here that will be up to coding such correctly.

LK, you need to remember that not everyone that runs a UBB is doing it as a hobby. :rolleyes: Security is a key concern for many companies. I'll bet setpro is asking for this because it's going to be used in a corporate environment.

Thanks for the replies.

Just to put people's "mind at ease" (that I am not some huge, bloated, "impersonal" corporate "evil empire").

I have a small business that uses UBB's private forum to dispense (for a annual fee), information.

Much of this information is proprietary (high valued intellectual property).

Here's what some of the subscribers say about the service I provide:

"Thanks Paul, love your modeling work, I see it... you have gone the extra mile as always."

"Outstanding stuff. It's obvious that you put an tremendous effort into this stuff. You've got controlled fusion and the other guys are still rubbing sticks together. We tried the IW drills out last night and again a bit this morning."

"Worth the price of admission yet again !"

"So much for so little... As I recall you were supposed to be in a certain state of mind to veiw this stuff. I wouldn't know, I never inhaled either...."

The UBB private forum setup offers virtually no protection.

So all I am looking to do is protect both myself and my customers (who have enough faith in me to spend their hard earned money).

And be able to provide better product because I do not fear that others are taking advantage of me and my customers.

I am not a programmer.

Thus my coming here.

But here's what I have figured out.

I can do everything from and to the UBB User Log In page.

"All I need" is the ability of the UBB Log In page to compute the seed and send it (in the form of embedded ActiveX within"?" the HTML page that the UBB Perl script produces).

And to use the same seed to compute the 'matching' encrypted password to compare to the forum password from the user (running the same seed-encryption on his computer).

The user can only create his password using a "key disk" (running an encrypted "encryption" application program which calculates the Forum Password from the UBB supplied seed. Supposedly this "key disk" "cannot" be duplicated. And if so desired can be "locked" to that specific computer.

The seed changes everytime a user requests the private forum log in page (random generator in program/scripts that produces the UBB User Log In page).

Producing a short lived cookie is only so that the user does not have to go through the same log in procedure if he momentary leaves the Private Forum and then returns.

The whole purpose of this exercise is to make sure that only the authorized computer/user is accessing the private forum.

Again, I am no programmer.

But from what I have seen of the the hacks that people produce, I can't imagine that what I am asking is that difficult for someone with an intimate knowledge of UBB's inner workings (maybe I am wrong, that's why I am here to find out ).

I would be very willing to contract (pay) someone for their services to provide a solution to my problem.

Thanks again for your help.

setpro, check your pm.

lok,

"You have mail"