client server authentication problem........

vinaykumar singh
Greenhorn

Joined: Jan 14, 2006
Posts: 13
Hello all..

I am making a server-client authentication model; for this I am using the MessageDigest class and its MD5 method.

With the help of this I am generating a random field called "key". This key is sent to the client, with the username "vinay" and the ServerName..

Sent field:-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WWW-Authenticate:: ServerName="WORKGROUP", key="0c977ebb93725e437e7d75f8adc1dc", UserName="vinay", algorithm="MD5";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


And the client should reply with the same key (same value), ServerName and a predefined password (that the server provides); that password is encrypted in the response field using the MD5 algorithm.

Received field:-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Authorization:: response="6486aafa17e2ebe3546d84a4e83c767e", UserName="vinay", ServerName="WORKGROUP", key="0c977ebb93725e437e7d75f8adc1dc", algorithm="MD5"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So in the received header we have a new RESPONSE field which is encrypted with the password.

So the problem is:
How can I get the PASSWORD from the response field for authentication? I mean, how can I decrypt that response field?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18987
    
    8

You can't decrypt that "response" field to get the password. Normally what you would do would be to encrypt the password you have, and compare that to the response field.
Grant Gainey
Ranch Hand

Joined: Oct 16, 2005
Posts: 65
Well, let's be a little pedantic here - in the sample shown, there is no encrypting going on. MD5 is a digest algorithm, not a cipher. That means it's one-way only.

The idea here is to avoid sending the actual password over the air (which is considered rude in security circles). The digest is exchanged as a means for the "other side" to prove that they know the password, without needing the password itself.

In this specific case - the server, upon receiving the response and knowing what password the user has on the server(ew), generates the matching MD5 on its part and compares to what the user sent. If there is a match, the user must have entered the right password as part of building the response.

Does that help?
Grant


In Theory, there is no difference between theory and practice.
In Practice, there is no relationship between theory and practice.
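
The check described in the replies above, as an added Java example that is not part of the original thread: the server recomputes the digest from the password it already holds and compares it with the received response, so nothing is ever decrypted. The response formula (MD5 over UserName, ServerName, password and key joined with ":"), the class and method names, and the sample password are assumptions; the thread does not specify them.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class DigestAuthExample {

    // Hex-encode bytes in lowercase, the same style as the header values in the thread.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Server side: a fresh random key for each login attempt.
    static String newKey() {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        return hex(raw);
    }

    // ASSUMED formula, applied identically by client and server:
    // response = MD5(userName ":" serverName ":" password ":" key)
    static String response(String user, String server, String password, String key)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        String input = user + ":" + server + ":" + password + ":" + key;
        return hex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side: recompute from the stored password and compare with what arrived.
    static boolean verify(String received, String user, String server,
                          String storedPassword, String issuedKey)
            throws NoSuchAlgorithmException {
        byte[] expected = response(user, server, storedPassword, issuedKey)
                .getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual does not stop at the first differing byte.
        return MessageDigest.isEqual(expected, received.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String stored = "s3cret-constructed";        // constructed sample password
        String key = newKey();                       // value sent in the key field
        String good = response("vinay", "WORKGROUP", stored, key);        // client reply
        String bad = response("vinay", "WORKGROUP", "wrong-guess", key);  // wrong password
        System.out.println("correct password accepted: " + verify(good, "vinay", "WORKGROUP", stored, key));
        System.out.println("wrong password accepted: " + verify(bad, "vinay", "WORKGROUP", stored, key));
    }
}
```

The server must compare against the key it issued for that attempt, not the key echoed back in the Authorization header, so that a captured response cannot be reused with a later key.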
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: client server authentication problem........