It's actually possible to implement CRAM-MD5 authentication in Javascript,
although trying to do true 32-bit unsigned arithmetic in cross-browser
JS is a real pain. I implemented this for a project a couple of years
ago, and it works pretty well.
The server sends (along with the JS/HTML) a challenge, consisting of
a random string, a timestamp, and the server's fully qualified hostname.
The client computes:
digest = MD5(password,MD5(password,challenge))
and returns <username,digest> to the server. This authentication mechanism
avoids sending the password in cleartext and is not vulnerable to replay
attacks. It's not as good as SSL, but it's better than HTTP Basic Authentication,
and is appropriate for situations where SSL is not available or not suitable.
CRAM-MD5 has been superseded by Digest-MD5:
http://www.ietf.org/internet-drafts/draft-leach-digest-sasl-05.txt
So if I were to do this again today, I'd probably use Digest-MD5.
It's also reasonable to do this authentication using an applet instead
of Javascript. MD5 in Javascript is unspeakably ugly....
Stan Bailes
Quadcap Software
http://www.quadcap.com
Charles Forsythe writes:
> > You'd better not encrypt passwords on the client side - and there is no
> > need to do so.
> >
> > So no Javascript, God forbid.
>
> Actually, there is a reason to do this. The web page can contain a hash
> function in Javascript (such as MD5) and a random "seed" string. Instead of the
> password, the client returns MD5(seed + password). This hash is, essentially, a
> one-time password and can be sent somewhat safely in the clear. It is subject
> to dictionary attacks, however.
>
> This method is the basis of "Digest" authentication. Digest authentication is
> not supported by all of the popular browsers, and hence it is not really
> available to use.
>
> As Meghadri Ghosh pointed out, SSL is the best solution for transmitting
> usernames and passwords. The only caveat is that strong SSL is not available to
> everybody and hash functions are fully "exportable".
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html