in reply to MD5 Signature checking

MD5 is a hash function (Message Digest 5 is used as a one-way crypto function)
You usually use it this way:
1) You store the hashed/encrypted password/signature.
2) Then when someone wants to authenticate, he types a pass/sig, you encrypt it with MD5 and check the value produced against the one stored: if it's a match, it's the right passwd.

MD5 has nothing to do with public crypto (see rather RSA, Diffie-Hellman, ElGamal...)
So I guess to properly check those people's signature, you should rather decrypt the sig (encrypted with their private key) with their public key to ensure it decrypts into something meaningful...


"Trying to be a SMART lamer" (thanx to Merlyn ;-)

Re: Re: MD5 Signature checking
by tame1 (Pilgrim) on Mar 14, 2001 at 00:55 UTC
    Update: I've been reviewing "Writing Apache Modules in Perl and C" and I came across this note:
    * Actually, the user's plain-text password is not stored on the server side. Instead, the server stores an MD5 hash of the user's password and the hash, not the password itself, are used on the server and browser side to encrypt the challenge.
    This is getting more confusing by the minute.

    What does this little button do . .<Click>; "USER HAS SIGNED OFF FOR THE DAY"

      As far as I know:

      In the htpasswd file are stored the MD5 encrypted passwords
      and NOT the plain text passwords
      (plain text password is an option on Windows boxes)
      When a client (browser) wants to authenticate, it submits the MD5 encrypted user input
      (what the user types in the Identification box);
      this encrypted value is then compared to the one stored in the htpasswd;
      if it's a match, that means that the user typed the (right) password and the authentication is a success.

      This is what I read too in your quote (even if I have to admit that the sentence is a bit odd for my English ('are used'?)).

      Note: As far as I remember, Apache uses a modified MD5 function (understand: an MD5 hash produced by standard tools won't match what is stored in the htpasswd file).

      "Trying to be a SMART lamer" (thanx to Merlyn ;-)
        Ahhh..I think I see the problem, at least with my communication.

        I am not dealing with the htpasswd file. THAT encryption I can get around, and in fact have written many scripts to deal with it.

        My problem resides in the fact that an external server sets a cookie in my Netscape. Now, I need MY server to grab that cookie, read it all, including a "server signature" field that has been MD5 encrypted.

        They gave me a file called "keyring.pub" which I am supposed to use to verify that that MD5 encrypted field is actually the real signature of the master password server (which sets all these cookies).

        The end result being that I have verified that the cookie has not been messed with since the master server set it.

        My real problem is that I do not know the unencrypted signature! Or, possibly it is within this "keyring.public"? This is why I was thrown when everyone said MD5 didn't use private/public pairing. I know that I am not able to give all information, but can you make sense of what I am supposed to do to verify this "signature" using MD5 and a keyring.public (which is binary by the way).

        With the exception of this problem, the rest of this access methodology follows the Book almost exactly!

        In case you are wondering why I don't just ask them, this has to be done on the sly. They want me to do it, desperately, but my normal fees are not in their budget. I told them I would do it simply because so many people here at Ford and Visteon need it. Call me a pushover, I guess. Anyhow, they cannot "show their heads" on this. The working code has to just "pop up" out on the company news server one day.

        What does this little button do . .<Click>; "USER HAS SIGNED OFF FOR THE DAY"
      That is actually a good thing. If you are sent the password, you then hash it, and make certain that it is equal to the hash that is saved server side. Or, if you get the hashed value from the cookie, compare that to the server-side value. I do not know if this will help, but you can check it out: Digest::MD5 - Perl interface to the MD5 Algorithm. Since you are quoting from Mods in Perl and C, Counterpane is a great crypto site that has MD5 source in C. It is Bruce Schneier's site. He is the author of Applied Cryptography, a brilliant text. In the first couple chapters they talk about protocols and signatures and such. Good reading.
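
Added example, not part of any post in this thread: a Perl sketch of the distinction the replies circle around, a keyless MD5 digest versus a signature made over that digest with a private key and checked with the public key. The thread does not say what scheme the master server or its keyring file uses; the cookie fields, the toy key pair and the helper names `digest_int`, `sign` and `verify` are assumptions, and the RSA here is unpadded textbook RSA for illustration only.

```perl
#!/usr/bin/perl
# Added example: constructed cookie fields and a constructed toy key pair.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Math::BigInt;

# Toy RSA key built from two known Mersenne primes (2**127-1 and 2**89-1).
# Textbook RSA with no padding: illustration only, not a production scheme.
my $p   = Math::BigInt->new(2)->bpow(127)->bdec;
my $q   = Math::BigInt->new(2)->bpow(89)->bdec;
my $n   = $p->copy->bmul($q);                      # public modulus
my $e   = Math::BigInt->new(65537);                # public exponent
my $phi = $p->copy->bdec->bmul($q->copy->bdec);
my $d   = $e->copy->bmodinv($phi);                 # private exponent (signer only)

# MD5 of the data as an integer; keyless, so anyone can recompute it.
sub digest_int { Math::BigInt->new('0x' . md5_hex($_[0])) }

# Signer side: "encrypt" the digest with the private key.
sub sign { digest_int($_[0])->bmodpow($d, $n) }

# Verifier side: "decrypt" the signature with the public key and compare
# the recovered digest with a freshly computed MD5 of the received data.
sub verify {
    my ($data, $sig) = @_;
    my $recovered = $sig->copy->bmodpow($e, $n);
    return $recovered->bcmp(digest_int($data)) == 0 ? 1 : 0;
}

my $cookie   = 'user=alice;expires=984531300';     # constructed sample
my $tampered = 'user=admin;expires=984531300';     # constructed sample
my $sig      = sign($cookie);

# A bare MD5 field proves nothing: whoever edits the cookie recomputes it.
my $forged_md5 = md5_hex($tampered);
printf "digest-only check, tampered cookie: %s\n",
    $forged_md5 eq md5_hex($tampered) ? 'passes' : 'fails';

# The signature only verifies for data the private-key holder signed.
printf "signature check, original cookie:   %s\n",
    verify($cookie, $sig) ? 'valid' : 'INVALID';
printf "signature check, tampered cookie:   %s\n",
    verify($tampered, $sig) ? 'valid' : 'INVALID';
```

The verifier never needs an "unencrypted signature" in advance: it recomputes the digest from the cookie fields it received and compares that with what the public-key operation recovers from the signature field.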