Re: Re: Re: MD5 Signature checking

As far as i know:

In the htpasswd file are stored the MD5 encrypted passwords
and NOT the plain text passwords
(plain text password is an option on Windows boxes)
When a client (browser) want to authenticate it submits the MD5 encrypted user input
(what the user type in the Identification box)
this encrypted value is then compared to the one stored in the htpasswd;
if it's a match, that means that the user type the (right) password and the authentication is a success.

This is what I read too in your quote (even if I have to admit that the sentence is a bit odd for my english ('are used' ?)

Note: As far as I remember Apache use a modified MD5 function (Understand MD5 hash produce by standard tools won't match what is stored in the htpasswd file)

"Trying to be a SMART lamer" (thanx to Merlyn ;-)

Comment on Re: Re: Re: MD5 Signature checking

Replies are listed 'Best First'.
Re: Re: Re: Re: MD5 Signature checking by tame1 (Pilgrim) on Mar 14, 2001 at 07:00 UTC
Ahhh..I think I see the problem, at least with my communication. I am not dealing with the htpasswd file. THAT encryption I can get around, and in fact have written many scripts to deal with it. My problem resides in the fact that an external server sets a cookie in my Netscape. Now, I need MY server to grab that cookie, read it all, including a "server signature" field that has been MD5 encrypted. They gave me a file called "keyring.pub" which I am supposed to use to verify that that MD5 encrypted field is actually the real signature of the master password server (which sets all these cookies). The end result being that I have verified that the cookie has not been messed with since the master server set it. My real problem is that I do not know the unencrypted signature! Or, possibly it is within this "keyring.public"? This is why I was thrown when everyone said MD5 didn't use private/public pairing. I know that I am not able to give all information, but can you make sense of what I am supposed to do to verify this "signature" using MD5 and a keyring.public (which is binary by the way). With the exception of this problem, the rest of this access methodology follows the Book almost exactly! In case you are wondering why I don't just ask them, this has to be done on the sly. They want me to do it, desperatly, but my normal fees are not in their budget. I told them I would do it simply because so many people here at Ford and Visteon need it. Call me a pushoever, I guess. Anyhow, they cannot "show their heads" on this. The working code has to just "pop up" out on the company news server one day. What does this little button do . .`<Click>`; "USER HAS SIGNED OFF FOR THE DAY"	[reply] [d/l]
Re: Re: Re: Re: Re: MD5 Signature checking by arhuman (Vicar) on Mar 14, 2001 at 20:28 UTC
According to their instruction site, the Signature field of the cookie "The RSA encrypted MD5 digest of the rest of the cookie" from the keyring extract the public key of the user, decrypt the encrypted part of the signature, it should give you a MD5 hash of the rest of the signature. Compute the MD5 sum and compare it to the decrypted value, if it's a match it means that the proper user sign the message (you can decrypt it with his public key) and that the sig wasn't modified/forged (the encrypted MD5 hash is the same as the on you compute) "Trying to be a SMART lamer" (thanx to Merlyn ;-)	[reply]