Re: [jetty-users] MD5 password obfuscation not cooperating


Steven,

I think the problem is with the Digest algorithm plus the concept of MD5 hash.  Digest avoids sending the password over the wire by using it to encrypt a nonce, then the server does the same calculation to see if the same result can be achieved.  This means that the server needs to have the raw password with which the algorithm can be run.

This is unlike BASIC auth, which sends the password over the wire all the time, but then the server can get by with only an MD5 hash of the password as it just hashes the received password and checks if it gets the same MD5 result.

So you are beginning to see why these auth methods suck!

However, all is not lost.  It turns out that the first step of the digest algorithm is to get an MD5 hash of user:realm:password.  So if you hash that combination rather than just the password, then it should work!

We really should document that!! Chris???

cheers
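To make the point in the reply concrete, here is an added example (not code from this thread or from Jetty) that models an RFC 2617 Digest exchange: the client computes its response from the raw password, and the server checks it against a stored credential. The `MD5:` prefix convention, the realm name and the user are assumptions for illustration; the store lookup is a model, not Jetty's parser.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    # First step of Digest: HA1 = MD5(username:realm:password).
    # This is the only form the server needs to keep; it never needs the raw password.
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # qop="auth" form: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # What the client computes from the password the user typed.
    return digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)


def server_verify(stored, user, realm, method, uri, nonce, nc, cnonce, response):
    # Model of a server checking a Digest response against one credential-store entry.
    # `stored` imitates a realm-file value: plain text, or "MD5:" + hex (assumed convention).
    if stored.startswith("MD5:"):
        candidate_ha1 = stored[len("MD5:"):]       # only correct if it is MD5(user:realm:password)
    else:
        candidate_ha1 = ha1(user, realm, stored)   # plain password: server derives HA1 itself
    expected = digest_response(candidate_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample credentials and request; nonce/cnonce are fresh per run.
    user, realm, password = "steven", "internal-service", "correct horse"
    method, uri = "GET", "/api/status"
    nonce, nc, cnonce = secrets.token_hex(16), "00000001", secrets.token_hex(8)
    resp = client_response(user, realm, password, method, uri, nonce, nc, cnonce)
    args = (user, realm, method, uri, nonce, nc, cnonce, resp)
    return {
        # plain-text entry: works, the server recomputes HA1 from the raw password
        "plain": server_verify(password, *args),
        # MD5 of the bare password (md5sum / digest.sh output): wrong HA1, cannot verify
        "md5_password": server_verify("MD5:" + md5_hex(password), *args),
        # MD5 of user:realm:password: equals the client's HA1, so it verifies
        "md5_user_realm_password": server_verify("MD5:" + ha1(user, realm, password), *args),
    }
```

Running `demo()` shows the three outcomes the reply describes: plain text and the user:realm:password hash authenticate, the bare password hash does not.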



On 7 December 2017 at 16:54, Steven Hirsch <snhirsch@xxxxxxxxx> wrote:
I know HTTP 'Digest' is not recommended for production, but the use case is an internal web service that doesn't rise to requiring certificates, SSL, etc.

Actual deployment is on Tomcat 7, where everything went very smoothly. However, the test framework relies on Jetty 9 under 'gretty' as part of the build process and that's where I ran into problems.

If I set up the realm.properties file to hold the password in plain-text, it works fine, but an MD5 hash does not.  I tried generating the hash using both md5sum at the command line and the Apache Tomcat 'digest.sh' tool.  Both generate identical results.  I placed the hash in the properties file with an 'MD5:' prefix per documentation but it simply does not authenticate.

Since plain-text works, I have to assume the problem is either a Jetty bug or a misunderstanding on my part.  Would appreciate some input on this problem - thanks!


