I have a Java applet communicating with a server.
I need to send a password, not in the clear.
On the server side there's a Unix system, so I thought
to use the crypt command, but in the applet what
can I use? Is there a crypt-compatible class?
From the Solaris manpage crypt(1): "Methods of attack on such machines are widely known, thus
crypt provides minimal security."
If you mean the C function crypt(3) instead, I'm not aware of an exact-duplicate
implementation under Java, although someone who wanted to do so could port
the BSD C code to Java. It could be used for what you want to do only
if the password were stored in the clear on the server.
Or what can I do to send a password
without setting up an encrypted SSL connection?
1. javax.crypto.SealedObject of the password, using a public-key cipher.
2. javax.crypto.SealedObject of a known, unique object, such as a
challenge-token issued by the server, using a private-key cipher and the
password as the key.
3. MD5 or SHA-1 hash of the concatenation of a known, unique object issued
by the server and the password.
In cases (2) and (3), the server needs to store the password in
plaintext somewhere. In case (1), it only needs to store the hash of the
password. The requirements to use a "known, unique object" are to prevent
replay attacks. The Java Crypto stuff can be extended to support new
algorithms; here are a couple ways to get started:
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// (3) digest of the server challenge followed by the password (password is a byte[])
MessageDigest digester = java.security.MessageDigest.getInstance("MD5");
digester.update(challenge.toString().getBytes());
digester.update(password);
byte[] cpass = digester.digest();

// (2) symmetric cipher keyed with the password; challenge here is the raw byte[]
// (DESede needs a 24-byte key, so the password bytes must be padded or derived to that length)
Cipher csym = Cipher.getInstance("DESede");
csym.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(password, "DESede"));
cpass = csym.doFinal(challenge);

// (1) public-key cipher with the server's RSA public key
Cipher cpub = Cipher.getInstance("RSA");
cpub.init(Cipher.ENCRYPT_MODE, server_public_key);
cpass = cpub.doFinal(password);
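Scheme (3) carried end to end, as an added example that is not part of the original post and not JCE sample code: the server issues a random single-use challenge, the applet returns a digest of challenge followed by password, and the server recomputes that digest from the plaintext password it must hold. The answer names MD5 or SHA-1; this example uses SHA-256 instead, which is the choice a practitioner would make today. The `Server` class, the user name and the password are constructed for the demo and are not from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class ChallengeResponseDemo {

    /** Scheme (3) from the answer: digest of challenge || password. SHA-256 substituted for MD5/SHA-1. */
    static byte[] response(byte[] challenge, byte[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(challenge);
        md.update(password);
        return md.digest();
    }

    /** Constructed server side: issues single-use challenges and verifies responses. */
    static class Server {
        // user -> plaintext password; scheme (3) forces the server to keep it, as the answer notes
        private final Map<String, byte[]> passwords = new HashMap<>();
        // user -> challenge that has been issued but not yet consumed
        private final Map<String, byte[]> outstanding = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();

        void register(String user, String password) {
            passwords.put(user, password.getBytes(StandardCharsets.UTF_8));
        }

        /** Fresh random challenge; overwriting any earlier one keeps at most one outstanding per user. */
        byte[] issueChallenge(String user) {
            byte[] c = new byte[16];
            rng.nextBytes(c);
            outstanding.put(user, c);
            return c;
        }

        /** The challenge is removed before checking, so a replayed response finds nothing to match. */
        boolean verify(String user, byte[] resp) throws NoSuchAlgorithmException {
            byte[] c = outstanding.remove(user);
            byte[] pw = passwords.get(user);
            if (c == null || pw == null) {
                return false;
            }
            // constant-time comparison of the two digests
            return MessageDigest.isEqual(response(c, pw), resp);
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        server.register("alice", "correct horse"); // constructed sample credential

        // Client side (the applet): fetch a challenge, digest it with the password, send the digest.
        byte[] challenge = server.issueChallenge("alice");
        byte[] resp = response(challenge, "correct horse".getBytes(StandardCharsets.UTF_8));
        System.out.println("first attempt:  " + server.verify("alice", resp));

        // Same digest sent again: the challenge was consumed, so the server rejects it.
        System.out.println("replayed:       " + server.verify("alice", resp));

        // Wrong password against a fresh challenge.
        byte[] bad = response(server.issueChallenge("alice"), "wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("wrong password: " + server.verify("alice", bad));
    }
}
```

Compile with `javac ChallengeResponseDemo.java` and run `java ChallengeResponseDemo`; the first attempt is accepted and the replay and the wrong password are rejected. Two properties of this scheme are worth keeping in mind when choosing between the answer's options: the server holds the password in plaintext, and anyone who observes a challenge and its response on the wire can test password guesses against it offline, so the scheme protects against replay but not against a weak password.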