MD5 is a hash function (Message Digest 5 is used as a one-way crypto function)
You usually use it this way:
1)you store the hashed/encrypted password/signature.
2)then when someone want to authenticate he types a pass/sig, you encrypt it with MD5 and check the value produced to the one stored : if it's a match it's the right passwd.
MD5 has nothing to deal with public crypto (see rather RSA, Diffie-Hellman, ElGamal...)
So I guess to properly check those people signature, you should rather decrypt the sig (encrypted with their private key) with their public key to ensure it decrypt into something meaningful...
"Trying to be a SMART lamer" (thanx to Merlyn ;-)
| [reply] |
Update: I've been reviewing "Writing Apache Modules in Perl and C" and
I came across this note:
* Actually, the user's plain-text password
is not stored on the server side. Instead, the server stores an MD5 hash
of the user's password and the hash, not the password itself, are
used on the server and browser side to encrypt the challenge.
This is getting more confusing by the minute.
What does this little button do . .<Click>;
"USER HAS SIGNED OFF FOR THE DAY"
| [reply]
[d/l] |
As far as i know:
In the htpasswd file are stored the MD5 encrypted passwords
and NOT the plain text passwords
(plain text password is an option on Windows boxes)
When a client (browser) want to authenticate it submits the MD5 encrypted user input
(what the user type in the Identification box)
this encrypted value is then compared to the one stored in the htpasswd;
if it's a match, that means that the user type the (right) password and the authentication is a success.
This is what I read too in your quote (even if I have to admit that the sentence is a bit odd for my english ('are used' ?)
Note: As far as I remember Apache use a modified MD5 function (Understand MD5 hash produce by standard tools won't match what is stored in the htpasswd file)
"Trying to be a SMART lamer" (thanx to Merlyn ;-)
| [reply] |
That is actually a good thing. If you are sent the password, you then hash it, and make certain that it is equal to the hash that is saved server side. Or, if you get the hashed value from the cookie, compare that to the serverside value.
I do not know if this will help, but you can check it out:
Digest::MD5 - Perl interface to the MD5 Algorithm
Since you are quoting from Mods in Perl and C, Counterpane is a great crypto site that has MD5 source in C. It is Bruce Schneier's site. He is the author of Applied Cryptography, a brilliant text. In the first couple chapters they talk about protocols and signatures and such. Good reading.
| [reply] |
There are some informative nodes and links concerning MD5 in Using MD5 and the theory behind it</horn owner="arturo" action="toot">
Philosophy can be made out of anything. Or less -- Jerry A. Fodor
| [reply] |