
Logon by challenge with AJAX (demonstrative)

WARNING: This version worked correctly on the test server, but unfortunately it is not working here. So I'm debugging!

The logon by challenge with AJAX is a way to log in without ever sending the password, which is very insecure over ordinary connections. This version also protects the database a bit more: instead of leaving the main database's password in the PHP code, there is an auxiliary database that holds only hashes and encrypted information, including the main database's password, which can only be decrypted with a correct user logon. How it works:

  1. The browser collects the user (e-mail) and password and sends only the hash of the user (so the e-mail cannot be harvested for spam lists).
  2. The server looks the user up in the database (if not found, it creates a fake user).
  3. From the user's password hash (previously stored in the database), the server derives a strong key and encrypts a secret (random, changing every session); the server sends the client this encrypted secret and an encrypted dynamic key that only the client can decrypt.
  4. The browser already has the user's password, so it can compute the same hash and the same key, and decrypt the secret and the dynamic key.
  5. The browser then creates new keys (different from the ones above), re-encrypts the secret and the dynamic key in two ways (one the server can decrypt, one it cannot) and sends everything to the server.
  6. The server recreates one of the new keys (the only one it is able to recreate), decrypts the secret and compares it with the one it generated: if they match, the user has won the challenge and is logged in; otherwise the logon fails.
  7. With the user logged in, the server decrypts the dynamic key and uses it to decrypt the main database credentials, re-encrypts those credentials with random information and stores the encrypted credentials and the encrypted key on the client side.

Enter credentials (e-mail and password), valid or not. The following are valid for testing (login OK):
teste1@binho.rb (password: SenhaTeste1)
teste2@binho.rb (password: SenhaTeste2)
teste3@binho.rb (password: SenhaTeste3)


Debugging information

Contents of the database

Database fields:

Record 0:
  Apelido: Teste1
  Email: teste1@binho.rb
  EmailHash: fab55129f22ede9180129e80074115a3428009a2984f5f49f3dcfab54124a910
  SenhaHash: 996e09a8e4637dd6f27eeaee43420f95b773e1708d491a48b02363f569c35c74
  AesChaveComSenha2: iHUJ3EWjq+sGmeEvrzlFrQ3gd/zti0wsT2C5bg45WBnh7KbqyEpKlXzMYpu2iMBeJdZfn+4GG/ADzAZ4+O7bb9/tSnw31chwWQALFM+NQ9c=
  AesMestreComChave: Px/z/aFgcl72OzgGlYL1hg==

Record 1:
  Apelido: Teste2
  Email: teste2@binho.rb
  EmailHash: a5ecdcfb2f07b42c4fd6de69441c53ea5b28d0b13c4739a92683063701145a4f
  SenhaHash: 3ead2c60fcd7a33e0a69fae4bd9767fd8bd5e7e8db04b44ea8b67584d1236b13
  AesChaveComSenha2: AWVs9Wo0Dzeyst2+nH74QLRFIHsx2U3xAy577ktUFs38OMu43xnkllVL9du3HpFb3pynWQp2T4HYtZfzkTs2nfGSq0EMaBUIYmYUlmivJnk=
  AesMestreComChave: B16Z6tQgc1o1qfZAwjWrtg==

Record 2:
  Apelido: Teste3
  Email: teste3@binho.rb
  EmailHash: 28248b7310bbc148db3b63fc95065a5e20a7296bea0898df8ca07409f53f1843
  SenhaHash: a8cbb178d7dae05b7372436f84710a5d8a2fff0f59ef781bb36e624a242a035c
  AesChaveComSenha2: SNX6zsxUllDLfizLd7FxQPdXgKDYFubA+w+oh9OpN6cIpeHEjz9/HuVjiV5DPgGmzGQ2wZvkomWdI4xHl60mf9Ue+qlS7QfWrD5C9t8npQk=
  AesMestreComChave: 5/XF5tid0QvCZKQy+XRY6w==