Don't be sorry, I don't mind a bit. You've helped clarify my murky
understanding of MD5 and related matters.
BTW:
"Sometimes the light's all shinin' on me,
Other times I can barely see."
and
"Once in a while you can get shown the light,
in the strangest of places if you look at it right!"
Scott Stirling
Allaire Corporation
JRun: http://www.allaire.com/developer/jrunreferencedesk/
Allaire Knowledge Base:
http://www1.allaire.com/Support/KnowledgeBase/SearchForm.cfm
> I'm sorry, you must think I'm quite a curmudgeon now
> but this isn't
> right either. Consider this: How would you know on the other side what
> the appropriate username was? The user on the other side
> just tossed it
> down the MD5 rathole. ;-) I visualize this giant bit grinder grinding
> your user into a fine particulate matter. ;-) More importantly, if you
> think about it, all you have done is change the 'secret'
> thing you check
> on the other side to MD5(<password>) instead of <password>, that's
> really no different from checking <password> itself. All you have done
> is made the real password, that is the thing you send to the
> other side
> to demonstrate your authenticity, MD5(<password>). That is
> sent in the
> clear. Anyone could just use that exact same bit pattern and
> get you to
> believe he was the claimant.
>
> In order to do this securely you must encrypt with a key known only
> between you and the server and you must encrypt the
> following: username,
> password, and some non-repeatable foo called a nonce. This
> is so that
> an attacker can't just replay the eavesdropped encrypted login
> transmission to get you to let them in. If you look at the
> spec for SSL
> you will see that there is quite a bit of protocol dance that happens
> before you send your password and credit card number to Amazon.com.
> Https is just http over a secure tcp/ip connection provided
> by SSL. SSL
> essentially allows you, the customer, to send a random key for a
> symmetric encryption algorithm (RC4 usually) securely to Amazon by
> encoding it with Amazon's public key. In this way only Amazon can
> decrypt it. You know it is Amazon's public key because they send you a
> X.509 certificate signed by one of the signers (e.g. Verisign) whose
> certificates come with Netscape (or MS Explorer if you prefer
> to finance
> Bill's Pleasure Palace in Seattle.) ;-)
>
> > BTW, I thought that, even if inefficient, the compiling of
> the applet on the
> > fly with a built in, unique key was a neat idea.
> What's to stop an attacker from eavesdropping on your
> applet as it is
> passed along to the browser? Anyone who runs that applet is you or at
> least will appear to be you.
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
