Date: 03/27/06 (Algorithms)    Keywords: software, database, asp, security, web

Hello

I am a software engineer in MA for a small internet company. Currently I am working on a webservices API our product and have been struggling with the authentication model. I read around and found an article that talked about WSSE authentication This seems relatively easy to implement and I kind of have a mock demo set up, but there is a problem with my demo, that I am not sure how to fix, as I am not a cryptologist and though I use crypt() and know how to compare a plain text password to a crypt encrypted password, more advance topics are beyond me. So this is my problem I will refer to the ideas in the article so I recommend you giving it a quick read.

In the artcle it discusses creating a "password digest" using a "Created Date" a "nonce" and the "password string". as a Base64 encoded sha1 string(i'll probably ise md5). the sha1 string is "nonce"+"created date"+"password string". They then pass the nonce and create date in the header and assume that you have the password on the other end and can piece it back together creating another sha1 string to compare it too and verify authentication.

I have a test ap, and here is the problem problem I am running into. Say I have my api, and I have a company writing an app to use it. I tell them to use the above method and to use crypt to create their password string from their user inputed password. I get their data parse the headers and have the 3 aspects. I decode the base64 string to the sha1 string, but when I compare them it fails. The problem being that they are not encrypted with the same salt when crypt was used. Therefore the encrypted password they put in their string is different than the encrypted version in my database. This can be fixed if they know my salt, but that's a security risk. So I am not sure how to get around this problem.

Suggestions?

Source: http://community.livejournal.com/algorithms/74647.html