Digest authentication and MD5 passwords

[casper]

I have implemented Peter Brombergs "Digest authentication with
database" (http://www.eggheadcafe.com/articles/20030701.asp) on my
website.
It works great, a login box is displayed and username and password are
validated with the sql data.
My problem is that this implementation requires that the password are
stored in clear text, I want to change this so the password are stored
MD5 encrypted.

So my questions are:
Is possible?
Can Brombergs code be changed to support MD5 passwords?
Are there any alternatives now that I have upgraded to ASP.NET 2.0?

Thanks

Casper

 

[Ken Schaefer]

Hi,

I didn't read through all the code, however with Digest Authentication, the
password should come from the client already hashed. You could store that
hashed version in your DB as well. From memory, the Digest spec then
requires the client to use a temporary challenge, plus the hash, to generate
a new hash. You'd need to perform this operation server-side as well. Read
the Digest RFC spec for details is my recommendation.

Cheers
Ken


:I have implemented Peter Brombergs "Digest authentication with
: database" (http://www.eggheadcafe.com/articles/20030701.asp) on my
: website.
: It works great, a login box is displayed and username and password are
: validated with the sql data.
: My problem is that this implementation requires that the password are
: stored in clear text, I want to change this so the password are stored
: MD5 encrypted.
:
: So my questions are:
: Is possible?
: Can Brombergs code be changed to support MD5 passwords?
: Are there any alternatives now that I have upgraded to ASP.NET 2.0?
:
: Thanks
:
: Casper
: