Consider the following interaction:
A user stores their username and password on a web server. For the sake of security, the server records a hash of the password plus some unique salt.
While the user is using a client application, it makes a request to the server submitting their username and a hash of the password plus some other unique salt.
So you have the following information on the server and need to know whether or not the request is authentic:
- The server’s salt
- The server’s hashed password
- The client’s salt
- The client’s hashed password
Again … client sends: clientSalt + MD5(clientSalt + password). Server has serverSalt + MD5(serverSalt + password). I don’t want to know the password, I just want to know if the hashes were calculated from the same password.
Without knowing the password that was hashed, is there any way to verify that both hashes are of the same password?
My goal is to allow some form of secure authentication in a client-server environment without ever exchanging the actual password over the wire. This is just one idea I’ve had, but I don’t even know if it’s possible.
That would require unhashing the password, which is not possible. If the server receives salt, md5sum, it can't see what went into the md5sum.

A challenge-response protocol would work instead. The server should generate a random value nonce and send it to the client. The client calculates md5(md5(password) | nonce) and returns it to the server. The server verifies by checking md5(storedpassword | nonce).
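The exchange described in the answer above, as an added example that is not part of the original post or answer. Both sides are simulated in one process; the stored value is md5(password), a nonce is 16 random bytes issued per login attempt and consumed on first use (so a captured response cannot be replayed), and the "|" separator, the Server class and the function names are assumptions of this example. A small salted() helper is also included to show the point made in the question: two hashes of the same password under different salts share nothing the server can compare. Note that with this scheme the stored md5(password) is itself enough to compute a valid response, so the server-side store must be protected as a password equivalent.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: bytes) -> str:
    """MD5 as lowercase hex, used because the thread discusses MD5."""
    return hashlib.md5(data).hexdigest()


def salted(salt: str, password: str) -> str:
    """The question's construction: MD5(salt + password)."""
    return md5_hex((salt + password).encode())


class Server:
    """Server side of the challenge-response protocol from the answer."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}    # username -> md5(password) hex
        self.pending: dict[str, str] = {}  # username -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        # Store md5(password); the server never needs the password again.
        self.users[username] = md5_hex(password.encode())

    def challenge(self, username: str) -> str:
        # Fresh random nonce per attempt; replaces any earlier one.
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: str) -> bool:
        # pop() consumes the nonce, so a response is valid exactly once.
        nonce = self.pending.pop(username, None)
        stored = self.users.get(username)
        if nonce is None or stored is None:
            return False
        expected = md5_hex((stored + "|" + nonce).encode())
        # Constant-time comparison avoids leaking the expected digest.
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: str) -> str:
    """Client side: md5(md5(password) | nonce), password never sent."""
    return md5_hex((md5_hex(password.encode()) + "|" + nonce).encode())


def run_exchange(server: Server, username: str, password: str) -> bool:
    """One full login attempt: challenge, client response, server check."""
    nonce = server.challenge(username)
    return server.verify(username, client_response(password, nonce))


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    srv = Server()
    srv.register("alice", "correct horse battery staple")
    print("salted hashes equal:",
          salted("serverSalt", "pw") == salted("clientSalt", "pw"))
    print("good password:", run_exchange(srv, "alice", "correct horse battery staple"))
    print("bad password:", run_exchange(srv, "alice", "wrong"))
    n = srv.challenge("alice")
    r = client_response("correct horse battery staple", n)
    print("first use:", srv.verify("alice", r))
    srv.challenge("alice")
    print("replay against fresh nonce:", srv.verify("alice", r))
```

The replay check is the part worth keeping when adapting this: without a per-attempt nonce that is consumed on use, anything observed on the wire can be re-sent to log in.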