How can I use md5 hashing in the client side to secure the password transmission from the client side (JSP) to a Servlet in the server? The following post seems to answer the question but I can not understand it fully as the code blocks are incomplete. http://www.techlabs4u.com/2010/03/how-to-use-salted-md5-hash-for-securing.html

ruwanego
    Why not use https? Also, to be pedantic, JSP isn't the client side (they're Java *Server* Pages, after all :) – Dave Newton Dec 03 '12 at 11:02
  • See this thread to see how to generate the md5 in js: http://stackoverflow.com/questions/1962299/how-to-use-md5-in-javascript-to-transmit-a-password –  Dec 03 '12 at 11:07
  • @Vash - no, use encryption instead of hashing – Qwerky Dec 03 '12 at 11:10

4 Answers

3

How can I use md5 hashing in the client side to secure the password transmission from the client side (JSP) to a Servlet in the server?

You can't.

Password hashing is used to avoid storing original passwords so that they are protected in the event of a database compromise. (And MD5 is broken, so you shouldn't use it for that anyway).

To secure the password in transmission, use SSL (via HTTPS).

Quentin
  • He can hash the password and send the hash. Does he ? – Damian Leszczyński - Vash Dec 03 '12 at 11:05
    @Vash — The password is the data you send to the server to prove you are who you say you are. If you send a hash of a string, then the password is the hash and not the string. This provides some (not much) protection against some forms of hack, but using encryption (SSL) and hashing the password on the server protects against those *and others* so it isn't worth the effort. – Quentin Dec 03 '12 at 11:07
  • @Vash Then, an attacker would not need to know the password, only the hash, because he only needs to send that. – Pablo Dec 03 '12 at 11:08
  • @Vash he can hash the password, *but it won't do anything for security*. – Qwerky Dec 03 '12 at 11:10
  • @Quentin, And now the answer is complete, why we should not use hash for authentication. Thanks Quentin. – Damian Leszczyński - Vash Dec 03 '12 at 11:15
0

Hashing and salting a password and then sending the hash in cleartext provides no additional security at all over just sending the password in cleartext. If an attacker is able to intercept the clear text password and log in with it, then they can just as easily intercept the hashed password and log in with that.

It doesn't matter how good the client side code is, or how strong the hash algorithm is - the principle is fundamentally flawed.

As suggested already, use SSL. Instead of sending in cleartext, this will encrypt all transmission between the client and server, preventing eavesdropping.

Qwerky
  • In the link, the hash is random, provided by the server and stored in the session. It should avoid logging in by intercepting the hash and replaying it. **But** to be able to test if the hashed password is correct, you have to store it as plain text in the database, and here is the true problem (see how many passwords have been leaked recently: LinkedIn, Yahoo, GMail, Gamigo, ...). – Florent Bayle Dec 03 '12 at 11:27
0

If you are looking for complete code for MD5 encryption in Java and JSP, here it is. First create a Java class which can encrypt the text. I created mdjavahash.java as shown below.

package mdhash;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class mdjavahash {

    // Returns the MD5 digest of the given text as a lowercase hex string.
    public String getHashPass(String password) throws NoSuchAlgorithmException {
        MessageDigest mdAlgorithm = MessageDigest.getInstance("MD5");
        // Encode explicitly so the digest does not depend on the platform's default charset.
        byte[] digest = mdAlgorithm.digest(password.getBytes(StandardCharsets.UTF_8));

        StringBuilder hexString = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            String hex = Integer.toHexString(0xFF & b);
            // Left-pad so every byte contributes exactly two hex characters.
            if (hex.length() < 2) {
                hexString.append('0');
            }
            hexString.append(hex);
        }
        return hexString.toString();
    }
}

Now you can use the mdjavahash class in a JSP file to encrypt. For example:

<%@ page import="mdhash.*, java.security.NoSuchAlgorithmException" %>
<%
  mdjavahash md = new mdjavahash();
  String mypassword = "Hello World";

  try {
    out.println("Actual String is : " + mypassword
        + " <br/>MD5 String is : " + md.getHashPass(mypassword));
  } catch (NoSuchAlgorithmException e) {
    // MD5 ships with every standard JDK, so this should not happen;
    // surface it rather than silently printing nothing.
    throw new ServletException(e);
  }
%>

And you are done with the encryption in JSP.

NightOwl888
Bhagawat
-4

If you want such a medium security without using SSL, try this direction:

  1. Read the current time
  2. Concat the time with the password input by user
  3. Generate the hash, md5 is simply one of the hashing algorithm you can choose, not mandatory.
  4. POST all of username, timestamp, and the hash to the server.

On server side

  1. Collect the three POST variables
  2. Check the timestamp, only accept for an agreeable time difference
  3. Retrieve the password from the database
  4. Calculate the hash in the same way on server side
  5. Compare the calculated result against the POST hash

Cons: you need to keep the plain text password on server side

Alternative: pre-hashing the password, and double hash on javascript side during login.

Ken Cheung
  • This is no security at all. – Pablo Dec 03 '12 at 11:18
  • This is a simplified challenge-response authentication mechanism which uses a timestamp on the client side as the challenge, which reduces the effort of server-side challenge generation and session storage. Furthermore, the use of a timestamp gives an option of reproduction attacking. If you're not allowed to use SSL and JavaScript is the only programming language available on the client side, please state how you can do a fully secure authentication. – Ken Cheung Dec 03 '12 at 11:58
  • NEVER use plain text passwords! – bitrevolution Mar 20 '18 at 15:49
  • Again, I think this topic is talking about secure authentication WITHOUT using TLS / SSL in 2012. Those who downvote me without giving an answer, please really try to think about an answer. If I were going to give an answer TODAY, I'd suggest using Curve25519. By the way, using a password hash instead of a "plain text" password has been the default for decades and is not supposed to need mentioning, unless your system was made before 1995 (like some of those I still need to support). – Ken Cheung Mar 21 '18 at 03:18