From: Malka Cymbalista <[EMAIL PROTECTED]>
> Thanks very much for the reply.
> Here's my scenario: I have an Oracle database that allows
> access by the user entering a password. So what I want to do is create a
> form where the user enters his password, the password is sent to the
> server and the server verifies that the password is correct. Is there any
> way to ensure that the password gets encrypted before it gets sent to the
> server?
Mumble... sorry if I didn't answer before, and sorry if someone has
already written what I'm going to write...
I'm not an encryption wizard, but I know there are good
encryption/password protection methods out there, so I don't want to explain
what the problems related to the transmission of an encrypted
password are (I'm not the most qualified person to talk
about encryption, blind methods etc...)
But, and here comes my suggestion, if you don't want to invest in
SSL, you could use Java or JavaScript to encrypt the password.
Since JavaScript completely exposes the encryption part, and if
you've got the encryption part it could be much easier to
decrypt the password, a better choice could be Java.
Java also exposes its "source code", since there are Java
disassemblers, but a further step is needed to understand the encryption
method.
If you want to do something much harder to decipher:
1) you could send a key from the server
2) a Java applet/JavaScript script computes on the client side,
with a certain algorithm, a response calculated from the server key
and the user password
3) the server checks if the combination of key sent and response
received is a valid combination.
The first and simplest way that came to my mind is to automatically
generate an HTML + JavaScript + Form page with a
JavaScript variable inside, initialized to a random value.
When you send the form filled in with the password, the
JavaScript computes the response using the randomly generated
variable and the password inserted in the field and sends it to your
server.
If you use Java you'll have 2 advantages:
1) With Java you have much more control over HTTP, so your Java
applet could ask the server for the key and the key would not be
inserted in the HTML page.
2) Understanding how you encrypt the PW would be harder.
This is a really ingenuous method (not because it's not secure
enough, but because it was the first thing that I thought of and
because I'm not an expert). I'm sure, out there, there are plenty of
standard/commercial solutions. This is just what I'd do if I needed it.
If you don't find anything better (I really doubt you won't find
something better) and if I find the time I can write down an
ASP/JavaScript example (I need some exercise, this could be a
good excuse).
Someone could easily translate the ASP part into Perl or any other
script...
I could also use C++ (ANSI, so no problem with platform type,
Linux or Wintel) but since I don't want to spend my time debugging,
and C++ could be dangerous for your machine stability...etc...
If you are working on an intranet or you're absolutely sure your users
have IE and your server is an NT machine you can use the NT
Challenge/Response method. I really hate that system (it isn't
standard) but it could be an answer to your problem.
--------------------------------------------------
Ivan Sergio Borgonovo [EMAIL PROTECTED]
Webmaster Gorilla Bookstore http://www.gorilla.it
Tel. +39 2 3311105/34530455 Fax. +39 2 34531591
Via Mac Mahon 9, Milano, Italy
--------------------------------------------------
____________________________________________________________________
--------------------------------------------------------------------
Join The Web Consultants Association : Register on our web site Now
Web Consultants Web Site : http://just4u.com/webconsultants
If you lose the instructions All subscription/unsubscribing can be done
directly from our website for all our lists.
---------------------------------------------------------------------