My suggestion is to use SSL, and in this case:
- You can HTTP POST a plain username and password using an HTML form
- You can store in your database MD5 (or SHA if you wish) hashed passwords
(digests)
- On the servlet's side, in .doPost(), you can regenerate the hash for
the submitted password and compare it against the one stored in the DB
in order to check the validity of passwords.
- You can use classes from java.security.* and sun.misc.* to generate
digests and store them in base64 format
NOTE: sun.misc.* will be deprecated according to Sun, and JDKs newer than 1.2
probably include other classes
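The procedure in the reply above, written out as a stand-alone Java class. This is an added example, not code from the post or from the list. It keeps the post's plan: the browser POSTs the plain password over SSL, the database holds only a Base64-encoded digest, and the form handler recomputes the digest and compares. Three things go beyond the post and are this example's own choices: SHA-256 is used (the post allows MD5 or SHA), a per-user random salt is added so that two users with the same password do not share a stored digest, and java.util.Base64 (Java 8 and later) replaces the sun.misc encoder the post mentions. The class name, the in-memory user map and the sample credentials are constructed for the example; the servlet plumbing is left out, so verify() is what doPost() would call with request.getParameter("username") and request.getParameter("password").

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hashed-password storage and verification for a form login.
 * Added example; not code from the original post. Uses SHA-256 (the post allows
 * MD5 or SHA) and a per-user random salt, which the post does not mention.
 */
public class DigestLogin {

    /** What one DB row would hold for a user: salt and digest, both Base64 encoded. */
    static final class Record {
        final String saltB64;
        final String digestB64;

        Record(String saltB64, String digestB64) {
            this.saltB64 = saltB64;
            this.digestB64 = digestB64;
        }
    }

    // In-memory stand-in for the users table; constructed for the example.
    private final Map<String, Record> users = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** digest = SHA-256(salt || password). Same function at registration and at login. */
    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    /** Registration: choose a fresh salt, store salt and digest, never the password. */
    public void register(String username, String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        users.put(username,
                  new Record(enc.encodeToString(salt), enc.encodeToString(digest(salt, password))));
    }

    /** Login: what doPost() calls with the posted username and plain password. */
    public boolean verify(String username, String password) throws NoSuchAlgorithmException {
        Record r = users.get(username);
        if (r == null) {
            // Unknown user: still do one digest so timing does not reveal which usernames exist.
            digest(new byte[16], password);
            return false;
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] expected = dec.decode(r.digestB64);
        byte[] actual = digest(dec.decode(r.saltB64), password);
        // Constant-time comparison; Arrays.equals / String.equals stop at the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        DigestLogin login = new DigestLogin();
        login.register("alice", "correct horse battery staple");   // sample credentials, constructed
        System.out.println("right password: " + login.verify("alice", "correct horse battery staple"));
        System.out.println("wrong password: " + login.verify("alice", "wrong"));
        System.out.println("unknown user:   " + login.verify("bob", "anything"));
    }
}
```

MessageDigest.isEqual compares in constant time, so a mismatch in the first byte costs the same as one in the last. A single SHA or MD5 digest, salted or not, is still cheap to brute-force offline if the table leaks; for a real deployment use a deliberately slow password hash, for example PBKDF2 through javax.crypto.SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"), and keep the SSL requirement, since with this design the password itself crosses the network on every login.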
> -----Original Message-----
> From: Clayton Nash [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, 10 September 2001 10:28 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Offtopic: MD5 based login
>
> Try this. Store the passwords as MD5 hashes. Send a random string to the
> user for the login page. The user enters the password. This is MD5
> encoded.
> Then append the random string and MD5 encode that. On the server side you
> can append the random string to the MD5 password you have, md5 them and
> compare the result. I'm not a cryptographer and doing something like this
> probably has all kinds of tiny problems but I guess if you're really
> concerned you'd just use SSL for the login.
>
> Clayton
> ----- Original Message -----
> From: "Hardeep Singh" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, September 10, 2001 7:49 AM
> Subject: Offtopic: MD5 based login
>
>
> > Hi,
> >
> > I want to create a login page which uses MD5 to encrypt the password over the
> > network. I can think of two approaches:
> >
> > 1. The password is stored un-encrypted in the database. When the user
> > requests the login page, a random string is generated and sent along. The
> > client takes the password, appends the random string to it, encrypts the
> > password and sends. The server has both the random string and the password.
> > It encrypts the password (from the database) + random_string and matches
> > against that sent by the client. This approach has a problem: Since the
> > password has to be stored in the database unencrypted, it must be sent over
> > the network un-encrypted once.
> >
> > 2. The password is encrypted: The client takes the password, encrypts and
> > sends. The server matches the encrypted passwords. Again, problem: The
> > client is a browser and the MD5 encryption is done through JavaScript. The
> > hacker gets the encrypted password once, through network logs. He disables
> > JavaScript (or writes a new form without JavaScript) and sends the
> > encrypted password directly to the server.
> >
> > What is the standard approach to using MD5? How do I solve the above
> > problems (I prefer approach 2 because it stores the password encrypted in
> > the database)?
> >
> > Hardeep Singh
> > http://SeeingWithC.cjb.net
> >
> >
>
==========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
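The challenge-response login Clayton describes in the quoted message (store md5(password); send a random string with the form; the client sends md5(md5(password) + random); the server computes md5(stored + random) and compares), written out with both sides in one process. This is an added example, not code from anyone in the thread. It also exercises the two cases Hardeep asks about: the random string is single-use here, so a response captured from the network cannot be replayed, but the stored MD5 is everything a client needs to answer the challenge, so whoever reads the database (or captured the plaintext password when it was first set) logs in without ever knowing the password. The class names, the hex encoding, the in-memory tables and the sample credentials are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * MD5 challenge-response login, server and client in one file.
 * Added example; not code from the thread. Hex encoding, single-use nonces
 * and the in-memory tables are this example's assumptions.
 */
public class ChallengeLogin {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
    }

    /** Server side: the DB holds md5(password); every issued random string may be used once. */
    static final class Server {
        private final Map<String, String> storedMd5 = new HashMap<>(); // constructed users table
        private final Set<String> outstanding = new HashSet<>();       // nonces issued, not yet used
        private final SecureRandom random = new SecureRandom();

        void register(String user, String password) throws NoSuchAlgorithmException {
            storedMd5.put(user, md5Hex(password));
        }

        /** The random string sent to the browser together with the login form. */
        String challenge() {
            byte[] n = new byte[16];
            random.nextBytes(n);
            String nonce = hex(n);
            outstanding.add(nonce);
            return nonce;
        }

        /** What the form handler does with the posted (user, nonce, response). */
        boolean login(String user, String nonce, String response) throws NoSuchAlgorithmException {
            if (!outstanding.remove(nonce)) return false;   // unknown or already-used nonce: replay rejected
            String stored = storedMd5.get(user);
            if (stored == null) return false;
            String expected = md5Hex(stored + nonce);        // server never needs the password itself
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         response.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Client side: what the page's JavaScript would compute from the typed password. */
    static String clientResponse(String password, String nonce) throws NoSuchAlgorithmException {
        return md5Hex(md5Hex(password) + nonce);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        Server server = new Server();
        server.register("hardeep", "s3cret");               // sample credentials, constructed

        // Legitimate login: fresh challenge, response derived from the real password.
        String n1 = server.challenge();
        String r1 = clientResponse("s3cret", n1);
        System.out.println("password login: " + server.login("hardeep", n1, r1));

        // Replay of the captured (n1, r1) pair: rejected because n1 was consumed.
        System.out.println("replay:         " + server.login("hardeep", n1, r1));

        // Pass-the-hash: holding only the stored md5 (from a DB dump, or captured when the
        // plaintext password was first submitted) is enough to answer any new challenge.
        String leakedMd5 = md5Hex("s3cret");
        String n2 = server.challenge();
        System.out.println("hash-only login: " + server.login("hardeep", n2, md5Hex(leakedMd5 + n2)));
    }
}
```

The third line of output is the point Hardeep's approach 2 runs into: once the server verifies against md5(stored + random), the stored digest is a password equivalent, and a browser with JavaScript disabled, or any script, can submit the correct response without the password. The scheme hides the password from a passive network observer, but it does not make the database safe to leak, and it does nothing against an active attacker who can alter the page; both of those are why the replies fall back on SSL for the login.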