| Introduction |
I originally wrote the MD5 implementation to improve security on a login form for a website I was making, running on a web space account with no SSL capability. You can use a secure hash function to avoid sending the password as clear text; this makes it more secure than .htaccess access control. First the web server sends a random variable to the client. The client asks the user for the password, and makes the MD5 hash of the random variable and password, and sends this to the server. The server makes the MD5 hash of the random variable and its stored password. If the two hashes match, then the user knew the correct password, and the server allows access. At no point was the password transmitted in the clear. An eavesdropped won't be able to do a replay attack as the server will then expect a different random variable.
| Demonstration |
I've written a simple Perl example but this is far from ideal. My ideas for version 2 are below - contributions welcome!
| Login system back-ends |
- Perl by Alan Raetz - the best one I've seen.
- ASP by Jamie Jaworski
- ColdFusion by Alex Artigues
- PHP by Jakub Vrana
- PHP by Thomas Lussnig - uses JavaScript RSA to initially set password
| Gotchas |
- You must take a single hash of the random number and password combined. If you use two separate hashes the protocol is not secure.
- The password field that you save the hash into must be long enough - this is 40 characters for a hex SHA-1.
| Dream login system |
- Supports traditional CHAP and my no-initial-password idea
- Supports initial password using PGP, JS-RSA, or the symmetric safe encrption: A sends Ea(M), B sends Eb(Ea(M)), A sends Da(Eb(Ea(M))) = Eb(M)
- Change password with Rijndael using old password as key
- Supports chap for each page and IP-based auth, once logged in
- Uses entropy generator to suggest long password, saved in secure cookie on client, optionally protected by a password.
- Written in Python, based on a MySQL database
- Integrate with web page encryption
| Idea for Initial Password Exchange |
Initilly send: md5(hmac_md5(password, random))
To login send: hmac_md5(password, random), md5(hmac_md5(password, random2))
I'd be very interested in comments on the security of this scheme.
 |
© 1998 - 2003 Paul Johnston, distributed under the BSD License Updated: 27 Jul 2003