I think you'd want Digest::MD5 instead, which doesn't take a key.

MD5 is a cryptographically secure one-way hash function. That means that given some bits as input, it will output some bits that could only have been generated by that input, and it won't be possible to calculate the input by looking at only the output, at least not given less than a few years to calculate.

The scheme you've proposed is a challenge-response system. It's a fairly standard way of doing this sort of thing, and it's a secure way to do it. The disadvantage is that both sides have to know the plaintext password (as compared to, for example, the server only knowing a hash of the password, like in the /etc/passwd file). It's important to make sure that at least part of the string is truly random, and that it never repeats. You can use Math::TrulyRandom to seed rand, and combine that with the time and PID, to accomplish this: 

use Math::TrulyRandom;
my $seed = truly_random_value();
srand($seed);
my $randbytes = join("",map {int(rand(10))} (0..16));
my $challenge = join(".",time,$$,$randbytes);

[download]

The way to use the scheme you propose would be to send the challenge string, then the client concatenates the string and the password and takes an MD5 hash: 

use Digest::MD5 qw(md5_base64);
$digest = md5_base64($challenge.$password);

[download]
then send this to the server. The server also knows the secret and the password, so it can do the same calculation, and make sure that the hash sent by the client is correct. Since MD5 is a cryptographically secure hash, it's safe to assume that the only way the client could have calculated this hash is by knowing the password, so they're authenticated.

The big disadvantage of this technique is having to store the plaintext password on the server. Because of this, I nearly always use SSL instead of a challenge-response technique.

In reply to Re: Perl & Java -- Can they keep a secret? by sgifford
in thread Perl & Java -- Can they keep a secret? by Flame

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.