
client server authentication problem

 
vinaykumar singh
Greenhorn
Posts: 13
Hello all,

I'm making a server-client authentication model. For this I'm using the MessageDigest class and its MD5 method.

With the help of this I am generating a random field called "key". This key is sent to the client, together with the username "vinay" and the ServerName.

Sent field:-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WWW-Authenticate:: ServerName="WORKGROUP", key="0c977ebb93725e437e7d75f8adc1dc", UserName="vinay", algorithm="MD5";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


And the client should reply with the same key (same value), the ServerName and a predefined password (that the server provides); that password is encrypted in the response field by using the MD5 algorithm.

received field:-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Authorization:: response="6486aafa17e2ebe3546d84a4e83c767e", UserName="vinay", ServerName="WORKGROUP", key="0c977ebb93725e437e7d75f8adc1dc", algorithm="MD5"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So in the received header we have a new RESPONSE field which is encrypted with the password.

So the problem is this:
How can I get the PASSWORD from the response field for authentication? I mean, how can I decrypt that Response field?
 
Paul Clapham
Sheriff
Posts: 20980
You can't decrypt that "response" field to get the password. Normally what you would do would be to encrypt the password you have, and compare that to the response field.
 
Grant Gainey
Ranch Hand
Posts: 65
Well, let's be a little pedantic here - in the sample shown, there is no encrypting going on. MD5 is a digest algorithm, not a cipher. That means it's one-way only.

The idea here is to avoid sending the actual password over the air (which is considered rude in security circles). The digest is exchanged as a means for the "other side" to prove that they know the password, without needing the password itself.

In this specific case - the server, upon receiving the response and knowing what password the user has on the server (ew), generates the matching MD5 on its part and compares it to what the user sent. If there is a match, the user must have entered the right password as part of building the response.

Does that help?
Grant
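A server-side check along the lines Grant describes, as an added Java example using MessageDigest (this is not code from the thread; the concatenation order username:serverName:key:password, the sample password and the helper names are assumptions, since the thread does not specify how the client builds the response):

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestAuthCheck {

    // Hex-encode a digest so it matches the quoted response="..." form.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Decode the client's hex response; malformed input yields an empty array, which never matches.
    static byte[] hexToBytes(String hex) {
        if (hex == null || hex.length() % 2 != 0) return new byte[0];
        byte[] out = new byte[hex.length() / 2];
        try {
            for (int i = 0; i < out.length; i++)
                out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        } catch (NumberFormatException e) {
            return new byte[0];
        }
        return out;
    }

    // ASSUMPTION: both sides hash "user:server:key:password". The key is the server's
    // per-challenge nonce, so a captured response is useless once the nonce changes.
    static byte[] expectedResponse(String user, String server, String key, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        String material = user + ":" + server + ":" + key + ":" + password;
        return md.digest(material.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: never "decrypt" the response; recompute it from the stored password
    // and compare. MessageDigest.isEqual is constant-time, unlike Arrays.equals.
    static boolean verify(String user, String server, String key, String storedPassword,
                          String responseHex) throws NoSuchAlgorithmException {
        byte[] expected = expectedResponse(user, server, key, storedPassword);
        return MessageDigest.isEqual(expected, hexToBytes(responseHex));
    }

    public static void main(String[] args) throws Exception {
        String key = "0c977ebb93725e437e7d75f8adc1dc"; // nonce value from the thread's header
        // Constructed client reply, built with the assumed sample password "secret".
        String response = toHex(expectedResponse("vinay", "WORKGROUP", key, "secret"));
        System.out.println(verify("vinay", "WORKGROUP", key, "secret", response));
        System.out.println(verify("vinay", "WORKGROUP", key, "wrong", response));
    }
}
```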
 