Can I hash the password and authenticate the user on the client side?

I often make small websites and use the built-in ASP.NET membership functions in the SQL Server database using the default hash storage method.

I am wondering if there is a way to authenticate a user by hashing his password on the client, rather than sending it in clear text over the wire, without using SSL.

I understand that this applies only to users with Javascript enabled.

Or ... maybe this will be a great built-in feature for Silverlight (is it on the Silverlight roadmap?)


EDIT: I'm also looking for a "degree of security." Meaning, if there is a method that has some advantages over just sending the plaintext password, I would like to know what it is and why.

I know that there are many people who run small sites with logins (for example, a family site, or volunteers making a site for a local cooking club) and do not see the need to buy SSL certificates.

+5
7 answers

It is possible. This is actually what Kerberos authentication does, with just a little spice added. To provide a reliable authentication mechanism, you need the following:

  • A common hashing algorithm on both the client and the server.
  • A one-time salt value created on the server and shared by the client.
  • The original password stored in the database.

-, , . - , . - -, . , , .

, - - , - , .

, , . , , , , . , ASP.NET , , , , ,

, , , SSL .

( , Kerberos SRP):

http://en.wikipedia.org/wiki/Kerberos_(protocol)
http://en.wikipedia.org/wiki/Secure_remote_password_protocol

+6

, . -ssl-, , , , , . javascript -, (, , ..). , .

SSL - , . , , .

:

. ,

<form action="signin.whatever" method="post" onsubmit="return hashAndSubmit()">
<input type="text" id="txtUser" name="txtUser">
<input type="password" id="txtPass" name="txtPass">   <!-- cleared by hashAndSubmit() before the post -->
<input type="hidden" id="hiddenHash" name="hiddenHash">
<input type="submit" value="Sign in">
</form>

hashAndSubmit() hiddenHash, . :

txtUser:joeuser
txtPass:
hiddenHash:xxx345yz   // hash result

, , . -, . .

, . ( ) , SSL. - , ...

SSL-?

+6

, . , - ( , ). , ( , ), .

+2

( javascript) - . , , , , , . .

+2

, . - "", - , .

+1

// HTTP Digest. AFAIK , / , . , -, .

The advantage is that you follow a well-analyzed and well-understood authentication protocol. Don't roll your own.

+1

I found the md5 function written in javascript here

0
