Question

I'm looking for an existing HTTP protocol for securing authentication but not the payload that follows. I want the server to store the username, hashed password and different salt per user.

HTTP Digest Authentication fails these requirements because all accounts use the same salt. SSL fails because it encrypts the entire connection.

Edited to add:

This is for a desktop client talking to a web service (no browser involved)


Solution

Why not just have your authentication mechanism protected by SSL and then forward to the rest of your application which runs under normal HTTP?

OTHER TIPS

The popular scheme is to have a login form protected by SSL, while the rest of the site doesn't use SSL. See, for example, popular social networking sites.

How about OpenID? Is there a reason that you have to store authentication information?

Edited to add

Sorry, I didn't catch that it was a desktop app. How about OAuth?

Is there a way that you could structure the original request URL to indicate the user? Then, the server could respond with a different realm (acting as "salt") for every user in the HTTP digest authentication response. For example, request URLs of the form http://user.y.com/service or http://www.y.com/user/service would result in a challenge response like:

WWW-Authenticate: Digest realm="user@y.com", nonce="oqa9hvq49krprkphtqc"
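To show why a per-user realm works as a salt, here is an added example (not code from the answer above) of the Digest HA1 computation from RFC 2617, where the realm is hashed together with the username and password, so the server can keep only HA1 per user. The `user@y.com` realm form is the one from the answer; the accounts, password and `/service` URI are constructed sample values.

```python
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1_for_user(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), RFC 2617 section 3.2.2.2.
    The realm is one of the hashed inputs, so a realm chosen per user acts
    as that user's salt and the server can store HA1 instead of the password."""
    return _md5(f"{username}:{realm}:{password}")

def challenge(username: str, domain: str) -> dict:
    """Server: per-user realm in the form the answer shows (user@y.com)
    plus a fresh random nonce for this login attempt."""
    return {"realm": f"{username}@{domain}", "nonce": secrets.token_hex(16)}

def client_response(username, password, realm, nonce, method, uri) -> str:
    """Client: the Digest 'response' value without qop, MD5(HA1:nonce:HA2)."""
    ha1 = ha1_for_user(username, realm, password)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def server_verify(stored_ha1, nonce, method, uri, response) -> bool:
    """Server: recompute from the stored HA1 only; no plaintext password needed."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)

def demo():
    # Constructed sample accounts; both share a password to show the salt effect.
    users = {"alice": "hunter2", "bob": "hunter2"}
    domain = "y.com"
    # Enrollment: store only HA1, computed under each user's own realm.
    stored = {u: ha1_for_user(u, f"{u}@{domain}", p) for u, p in users.items()}
    # Login round trip for alice against a constructed /service URI.
    ch = challenge("alice", domain)
    good = client_response("alice", "hunter2", ch["realm"], ch["nonce"], "GET", "/service")
    bad = client_response("alice", "wrong", ch["realm"], ch["nonce"], "GET", "/service")
    return (
        stored["alice"] != stored["bob"],  # same password, different stored hashes
        server_verify(stored["alice"], ch["nonce"], "GET", "/service", good),
        server_verify(stored["alice"], ch["nonce"], "GET", "/service", bad),
    )

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The server never needs the password once HA1 is stored, and the nonce must be fresh and single-use or the response can simply be replayed.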

Can you explain what's driving the "no encryption" mandate? If you are subject to man-in-the-middle attacks, you need to protect the integrity of the entire request. There, SSL would be very helpful. If you absolutely cannot have encryption, would SSL using an unencrypted cipher suite be acceptable?

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow