in reply to Re: MD5 Signature checking
in thread MD5 Signature checking

Update: I've been reviewing "Writing Apache Modules in Perl and C" and I came across this note:
* Actually, the user's plain-text password is not stored on the server side. Instead, the server stores an MD5 hash of the user's password and the hash, not the password itself, are used on the server and browser side to encrypt the challenge.
This is getting more confusing by the minute.

What does this little button do . .<Click>; "USER HAS SIGNED OFF FOR THE DAY"

Re: Re: Re: MD5 Signature checking
by arhuman (Vicar) on Mar 14, 2001 at 03:17 UTC

    As far as I know:

    In the htpasswd file are stored the MD5 encrypted passwords
    and NOT the plain text passwords
    (plain text password is an option on Windows boxes)
    When a client (browser) wants to authenticate it submits the MD5 encrypted user input
    (what the user types in the Identification box)
    this encrypted value is then compared to the one stored in the htpasswd;
    if it's a match, that means that the user typed the (right) password and the authentication is a success.

    This is what I read too in your quote (even if I have to admit that the sentence is a bit odd for my English ('are used'?))

    Note: As far as I remember Apache uses a modified MD5 function (understand: an MD5 hash produced by standard tools won't match what is stored in the htpasswd file)

    "Trying to be a SMART lamer" (thanx to Merlyn ;-)
      Ahhh..I think I see the problem, at least with my communication.

      I am not dealing with the htpasswd file. THAT encryption I can get around, and in fact have written many scripts to deal with it.

      My problem resides in the fact that an external server sets a cookie in my Netscape. Now, I need MY server to grab that cookie, read it all, including a "server signature" field that has been MD5 encrypted.

      They gave me a file called "keyring.pub" which I am supposed to use to verify that that MD5 encrypted field is actually the real signature of the master password server (which sets all these cookies).

      The end result being that I have verified that the cookie has not been messed with since the master server set it.

      My real problem is that I do not know the unencrypted signature! Or, possibly it is within this "keyring.public"? This is why I was thrown when everyone said MD5 didn't use private/public pairing. I know that I am not able to give all information, but can you make sense of what I am supposed to do to verify this "signature" using MD5 and a keyring.public (which is binary by the way).

      With the exception of this problem, the rest of this access methodology follows the Book almost exactly!

      In case you are wondering why I don't just ask them, this has to be done on the sly. They want me to do it, desperately, but my normal fees are not in their budget. I told them I would do it simply because so many people here at Ford and Visteon need it. Call me a pushover, I guess. Anyhow, they cannot "show their heads" on this. The working code has to just "pop up" out on the company news server one day.

      What does this little button do . .<Click>; "USER HAS SIGNED OFF FOR THE DAY"

        According to their instruction site, the Signature field of the cookie is "The RSA encrypted MD5 digest of the rest of the cookie"

        from the keyring extract the public key of the user,
        decrypt the encrypted part of the signature,
        it should give you a MD5 hash of the rest of the signature.
        Compute the MD5 sum and compare it to the decrypted value,
        if it's a match it means that the proper user signed the message
        (you can decrypt it with his public key)
        and that the sig wasn't modified/forged
        (the encrypted MD5 hash is the same as the one you compute)

        "Trying to be a SMART lamer" (thanx to Merlyn ;-)
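
The check described in the reply above, as an added example that is not part of the original thread or anyone's production code. Assumptions: the cookie layout (`body&sig=<hex>`), the function names, and unpadded RSA over the raw MD5 value are all hypothetical (the thread does not give the real cookie format, padding scheme or `keyring.pub` layout), and the key is a toy key constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Math::BigInt;

# Constructed toy key (NOT taken from any keyring.pub): n = p*q using the
# Mersenne primes 2**89-1 and 2**107-1, so n can hold a 128-bit MD5 value.
my $p = Math::BigInt->new(2)->bpow(89)->bdec;
my $q = Math::BigInt->new(2)->bpow(107)->bdec;
my $n = $p * $q;                                   # public modulus
my $e = Math::BigInt->new(65537);                  # public exponent
my $d = $e->copy->bmodinv(($p - 1) * ($q - 1));    # private exponent (issuer only)

# Issuer side: signature = MD5(body)^d mod n, appended as hex.
sub sign_cookie {
    my ($body) = @_;
    my $m = Math::BigInt->new('0x' . md5_hex($body));
    (my $hex = $m->bmodpow($d, $n)->as_hex) =~ s/^0x//;
    return "$body&sig=$hex";
}

# Verifier side: uses only the public values (n, e).
sub verify_cookie {
    my ($cookie) = @_;
    # Split off the trailing signature field; anything malformed is rejected.
    my ($body, $sig_hex) = $cookie =~ /\A(.*)&sig=([0-9a-f]+)\z/s or return 0;
    my $sig = Math::BigInt->new("0x$sig_hex");
    return 0 if $sig >= $n;                        # out of range for this key
    my $recovered = $sig->bmodpow($e, $n);         # "decrypt" with the public key
    my $expected  = Math::BigInt->new('0x' . md5_hex($body));
    return $recovered == $expected ? 1 : 0;        # digest match => body untouched
}

# Constructed sample cookie, then the same cookie with one field altered.
my $cookie = sign_cookie('user=jdoe&expires=984540000');
(my $tampered = $cookie) =~ s/user=jdoe/user=root/;

printf "%-9s %s\n", 'original:', verify_cookie($cookie)   ? 'valid' : 'INVALID';
printf "%-9s %s\n", 'tampered:', verify_cookie($tampered) ? 'valid' : 'INVALID';
```

A real issuer will almost certainly pad the digest before the RSA operation, so against real cookies the recovered value has to be unpadded according to the issuer's scheme before the comparison.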
Re: Re: Re: MD5 Signature checking
by benjamin (Initiate) on Mar 14, 2001 at 03:26 UTC
    That is actually a good thing. If you are sent the password, you then hash it, and make certain that it is equal to the hash that is saved server side. Or, if you get the hashed value from the cookie, compare that to the server-side value. I do not know if this will help, but you can check it out: Digest::MD5 - Perl interface to the MD5 Algorithm. Since you are quoting from Mods in Perl and C, Counterpane is a great crypto site that has MD5 source in C. It is Bruce Schneier's site. He is the author of Applied Cryptography, a brilliant text. In the first couple chapters they talk about protocols and signatures and such. Good reading.