MD5 Encryption

lee.bourne

Member
Hi,

I just thought I would share with the ProgressTalk community my implementation in Progress of the MD5 encryption algorithm. MD5 is a one-way hashing algorithm, which means that once you encode a string with it, it is virtually impossible to decrypt it due to the vast amounts of computing power that would be necessary to do so. It is useful to WebSpeed programmers in that it can provide a fairly secure method of logging in without any third party plugins or having to use browser authentication. Someone else has also written a JavaScript version of MD5 available at http://pajhome.org.uk/crypt/md5/index.html and he has explained MD5 a lot better than I could.

Using the combination of the JavaScript implementation and my Progress version you could provide a basic authentication routine along the lines of:

1 - WebSpeed provides a logon screen and sends a unique number to the client.
2 - The client concatenates the password and the unique number together, then encodes them (using the JavaScript).
3 - The client sends the username as clear text and the encoded password/unique number to the server.
4 - The server encodes the stored password for the user along with unique number it originally sent and compares the result with the one sent by the client.
5 - The server then passes back another unique "session" key which is passed back and forth and used to identify the user in subsequent web pages.

The purpose of the initial unique number is so that someone monitoring the network traffic cannot capture the username and encoded password and simply replay the original logon process. In my application I have also stored the original IP address that started the session in order to prevent anyone monitoring the session key sent back from the server and using it to bypass the login screen.

MD5 is very reliant on bitwise operations, something Progress is not terribly good at. The code I have written does therefore have the drawback that it is a little slow, although that's not really an issue as you only have to encode things during the initial logon. I do have a C implementation of the whole thing which one day I may compile up into a DLL or UNIX library but as I haven't decided on the final platform for my application yet that wasn't really an option for me (it's also nice to remain entirely Progress).

If anyone would like a copy of my source code please email me directly and I'll be happy to pass it on. Also, if anyone feels brave enough to have a go at speeding it up or providing some more efficient bitwise operators then please feel free.

Regards,

Lee