WSSE authentication paradox

Question

I'm currently making some research on the WSSE protocol to secure my api.

I've understood the basis and it is clear in my head.

However I face to a problem.

Let's say I want to generate a ONE-time Digest, I've to concatenate the timestamp, the nonce and the secret password.

However, on the server side, I don't have the clear password stored in database, so I'm unable to check for the digest.

Switching to clear password is not an option.

I can't either provide to the client-side the algorithm used to hash password, because they use salt, and the salt is not available to the client.

The only solution I can think about is to don't hash the Digest, just concatenate the data and base64 them.

That way I'll be able to encode the user password to check for its validity.

As password is transmited in plain text it may not be secure, but what if I force HTTPS to authenticate?

Will it be safe?

Answer 1

As password is transmited in plain text it may not be secure, but what if I force HTTPS to authenticate?

Will it be safe?

Yes, and within normal limits, it is the only way to get it secured.

Just send the full password, but send it over a well secured TLS connection. You can use a secure key derivation function such as brypt or PBKDF2 and input the stored random salt (one per user) and password to retrieve the "hash", which can then be checked to the one stored in the database.

Note that you don't need to send a time stamp from the client. It is of course a good idea to log & limit the number of authentication attempts though. You cannot use a time stamp as input to a hash, the outcome would be different each time the time stamp changes.