client server authentication problem........

vinaykumar singh

Joined: Jan 14, 2006
Posts: 13
Hello all..

I'm making a server-client authentication model; for this I'm using the MessageDigest class and its MD5 method.

With the help of this I am generating a random field called "key". This key is sent to the client, together with the username "vinay" and the ServerName...

Sent field:-
WWW-Authenticate:: ServerName="WORKGROUP", key="0c977ebb93725e437e7d75f8adc1dc", UserName="vinay", algorithm="MD5";

And the client should reply with the same key (same value), ServerName and a predefined password (that the server provides); that password is encrypted in the response field using the MD5 algorithm.

received field:-
Authorization:: response="6486aafa17e2ebe3546d84a4e83c767e", UserName="vinay", ServerName="WORKGROUP", key="0c977ebb93725e437e7d75f8adc1dc", algorithm="MD5"

So in the received header we have a new RESPONSE field which is encrypted with the password.

So the problem is this:
How can I get the PASSWORD from the response field for authentication? That is, how can I decrypt that Response field?

Paul Clapham

Joined: Oct 14, 2005
Posts: 19973

You can't decrypt that "response" field to get the password. Normally what you would do would be to encrypt the password you have, and compare that to the response field.
Grant Gainey
Ranch Hand

Joined: Oct 16, 2005
Posts: 65
Well, let's be a little pedantic here - in the sample shown, there is no encrypting going on. MD5 is a digest algorithm, not a cipher. That means it's one-way only.

The idea here is to avoid sending the actual password over the air (which is considered rude in security circles). The digest is exchanged as a means for the "other side" to prove that they know the password, without needing the password itself.

In this specific case - the server, upon receiving the response and knowing what password the user has on the server (ew), generates the matching MD5 on its part and compares it to what the user sent. If there is a match, the user must have entered the right password as part of building the response.

Does that help?

In Theory, there is no difference between theory and practice.
In Practice, there is no relationship between theory and practice.
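The verification step both replies describe (recompute the digest on the server from the stored password and compare, rather than trying to reverse the response), as an added example that is not code from the original thread or from either poster. It keeps the field names and the MD5 algorithm from the question; the way the fields are concatenated before hashing and the sample password are assumptions made for this example, since the thread does not spell them out. The comparison uses MessageDigest.isEqual so that the check runs in constant time, and the server refuses a response that echoes a key it did not issue.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** Added example: challenge/response check built around MessageDigest, as discussed in the thread. */
public class DigestAuthExample {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Server side: issue a fresh random "key" (the challenge) for every login attempt. */
    static String newKey() {
        byte[] nonce = new byte[16];
        RANDOM.nextBytes(nonce);
        return toHex(nonce);
    }

    /**
     * Both sides compute the same value. The field layout used here is an assumption
     * made for this example; the thread does not say how the fields are concatenated.
     */
    static String computeResponse(String userName, String serverName, String key, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            String material = userName + ":" + serverName + ":" + key + ":" + password;
            return toHex(md.digest(material.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is required by every Java platform", e);
        }
    }

    /**
     * Server side: do not try to "decrypt" the response. Recompute it from the stored
     * password and compare. MessageDigest.isEqual is a constant-time comparison, so the
     * result does not leak how many leading bytes happened to match.
     */
    static boolean verify(String issuedKey, String receivedKey, String userName,
                          String serverName, String receivedResponse, String storedPassword) {
        // The client must echo the key this server issued; anything else is stale or forged.
        if (!MessageDigest.isEqual(issuedKey.getBytes(StandardCharsets.UTF_8),
                                   receivedKey.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        String expected = computeResponse(userName, serverName, receivedKey, storedPassword);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     receivedResponse.getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; "vinay" and "WORKGROUP" are the names used in the thread.
        String user = "vinay";
        String server = "WORKGROUP";
        String storedPassword = "example-password"; // what the server has on file (constructed)

        // 1. Server issues the challenge.
        String key = newKey();
        System.out.println("WWW-Authenticate:: ServerName=\"" + server + "\", key=\"" + key
                + "\", UserName=\"" + user + "\", algorithm=\"MD5\"");

        // 2. Client builds the response from the password it knows.
        String response = computeResponse(user, server, key, "example-password");
        System.out.println("Authorization:: response=\"" + response + "\", key=\"" + key + "\", ...");

        // 3. Server verifies: the right password is accepted, a wrong one is rejected.
        System.out.println("correct password accepted: "
                + verify(key, key, user, server, response, storedPassword));
        String bad = computeResponse(user, server, key, "wrong-password");
        System.out.println("wrong password accepted:   "
                + verify(key, key, user, server, bad, storedPassword));
    }
}
```

The structure is the same whatever digest is plugged into getInstance; the security of the scheme rests on the key being fresh and unpredictable for every challenge and on the server holding the password (or a derived secret) it can recompute from, which is exactly why the response cannot and need not be reversed.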