Trying to make a secure login, without SSL
TheLinuxDuck
08-08-2001, 03:18 PM
I've been playing with using a java applet to accept a username and password, and then turn that into an md5 sum. Then, that md5 sum is sent to a perl script to check for its existence in a database on the script-side server.
So far it works well, after having to use a deprecated method for doing button action, and md5 sum generation. However, it does work.
The only thing that anyone can see is the md5 sum, which is passed as a CGI parameter.
I don't see that as being a security issue, because there is no way that anyone can take an md5 sum and determine what components were put together to create the sum (none that I know, anyway).
However, someone could intercept that md5 sum, and put their own in its place, if they also had access to adding users. Right now, there is no way to add users, except locally.
So, should I even worry about hiding the md5 sum? It seems kinda a moot point to me, since I don't know of any way someone could see what the java applet is doing.
Any advice? Security is not an area I am real good at. I just want to try and make sure that the user's name and password are protected.
Thanks!
TheLinuxDuck
08-08-2001, 04:22 PM
Well, my implementation of jemfinch's idea has already been thwarted.
A friend of mine pointed out that all someone would need is that md5 sum and they could log in with it.
I didn't even think of that.
There's something I'm missing from jemfinch's idea, because he wouldn't overlook that. I would. (^=
bdg1983
08-08-2001, 04:27 PM
It seems to me that since the MD5sum will be the same every time, they could just intercept that, and they wouldn't need the username/pass, coz they could just feed the md5sum to the server directly. Ideally (as far as I know, I'm not an expert either... :o) you want the same information, when encrypted, to be different each time, depending on some sort of session key. If it's always the same, then there is no need to crack the encryption, since the encrypted bits are all the data you need.
Here's an idea:
Get the client & server to agree approximately on the time, then include the time in the data that are md5summed. When the server receives the md5sum, it'll extract the appropriate record from the DB (you'd prolly have to send, say, the username unencrypted), md5sum it with the time, and compare the two. The hard part of this, of course, is getting the client & server to agree on the time. Hmmm....
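As an added example (not code from any poster in this thread), the Python sketch below contrasts the static md5 sum with the time-bucket idea from the post above. It swaps the bare md5sum of record-plus-time for HMAC-SHA256 keyed with the stored sum; `WINDOW`, the `Server` class and the sample account are assumptions.

```python
import hashlib
import hmac

WINDOW = 30  # seconds per time bucket (assumed value)

def static_sum(username, password):
    """The thread's original credential: md5 over username + password."""
    return hashlib.md5((username + password).encode()).hexdigest()

def time_token(stored_sum, now):
    """Client side: key an HMAC with the stored sum, sign the time bucket."""
    bucket = str(int(now) // WINDOW).encode()
    return hmac.new(stored_sum.encode(), bucket, hashlib.sha256).hexdigest()

class Server:
    def __init__(self, users):
        self.users = users   # username -> stored md5 sum
        self.seen = set()    # accepted tokens, blocks replay inside the window

    def login_static(self, token):
        """Original scheme: whoever presents the sum is logged in."""
        return token in self.users.values()

    def login_timed(self, username, token, now):
        """Timestamp scheme: recompute for this bucket and both neighbours."""
        stored = self.users.get(username)
        if stored is None or token in self.seen:
            return False
        for skew in (-WINDOW, 0, WINDOW):  # tolerate one bucket of clock drift
            if hmac.compare_digest(token, time_token(stored, now + skew)):
                self.seen.add(token)
                return True
        return False

def demo():
    users = {"duck": static_sum("duck", "quack-quack")}  # constructed account
    server, t0 = Server(users), 1_000_000_000            # constructed clock
    captured = time_token(users["duck"], t0)             # what a listener sees
    return {
        "static_replay": server.login_static(users["duck"]),
        "timed_first_use": server.login_timed("duck", captured, t0),
        "timed_replay_in_window": server.login_timed("duck", captured, t0 + 5),
        "timed_replay_expired": Server(users).login_timed("duck", captured, t0 + 300),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The stored sum is still password-equivalent on the server side, and everything else sent over the unencrypted connection remains readable to a listener.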
bdg1983
08-08-2001, 04:28 PM
Hey! You beat me to it! :o
Well, still take a look at my suggestion. :)
TheLinuxDuck
08-08-2001, 05:00 PM
It would be qool if the server could count on the user always having the same IP. That would help.
The thing that gets me is, if someone is able to intercept the connection to the cgi when simply passing the md5 sum to it, they could just as easily intercept a socket connection, and get whatever info they wanted, from what I understand.
As I told my friend, I think I'm in way over my head.
bdg1983
08-08-2001, 05:37 PM
Originally posted by TheLinuxDuck:
"The thing that gets me is, if someone is able to intercept the connection to the cgi when simply passing the md5 sum to it, they could just as easily intercept a socket connection, and get whatever info they wanted, from what I understand."
The thing is, there is no [known] way to get an md5sum back to the original data, however, when applied to the same data, the same result will be achieved. So if the data being compared at each end are the same, the md5sums will be the same, and there is no way someone listening in to the connection can determine what is actually being said.
<edit> oops... I think I may have misinterpreted what you said... Actually, this raises some interesting questions for me too, using md5sums.... ooh, here's an idea: you could md5sum every command sent with the user's password and the time stamp, of course this creates the problem of having to test the sent command against every possibility when it got to the server side... maybe if you somehow used multiple md5sums and stored the commands in a tree somehow, each sum indicating which branch of the tree to follow... this would somewhat increase the amount of network traffic required tho...
[ 08 August 2001: Message edited by: Bradmont ]
TheLinuxDuck
08-08-2001, 05:54 PM
I don't think I fully understand what you're referring to when you say "multiple md5sums and stored the commands in a tree somehow, each sum indicating which branch of the tree to follow"
What commands are you referring to? How would the md5 sums be used with the commands?
What would stop someone from just passing the md5 sums for each command, without ever having to login?
Hmm.. I'm thinking on the time thing... let me play around, and I'll post what I come up with.