password in a script
Mark Smith
lists at futilism.com
Wed Aug 12 09:19:01 EDT 2009
Yves, you're sending the password in the clear, so you're vulnerable
to a 'man-in-the-middle' attack, whereby someone could discover the
password.
A scheme for avoiding this is to use what's called a "nonce" value to
create an md5digest with your password.
Here's roughly how it works:

on the client:
  -- generate a random 4 byte 'nonce' value
  repeat 4 times
    put any byte of "0123456789abcdefghijklmnopqrstuvwxyz" after tNonce
  end repeat
  -- get the md5digest of the nonce value + the password as a base64
  -- string and prepend the nonce value
  put tNonce & base64encode(md5digest(tNonce & tPassword)) into tCryptPass
  -- now:
  put "http://" & URLEncode(userName) & ":" & URLEncode(tCryptPass) & "@www.mondomaine.com/MyFileText.txt" into fileURLToGet

on the server:
  -- get the password from a local file or whatever, put it into tPassword
  put byte 1 to 4 of tCryptPass into tNonce
  if base64encode(md5digest(tNonce & tPassword)) = byte 5 to -1 of tCryptPass then
    -- authentication passed
  else
    -- authentication failed
  end if
This is not industrial strength cryptography, but a reasonably easy
to implement and reasonably secure way to avoid sending your password
in the clear.
Best,
Mark Smith
More information about the use-livecode mailing list