I have a web service on an insecure network that needs authorization.
I wish to implement it over HTTP, instead of HTTPS, at the same time evading man-in-the-middle and sniffing attacks. I need only one key for the client and the server.
The client calls a server function, and the server can authenticate whether this client is right, and can give back a response, which needs to be signed not encrypted.
I have a crude idea how this could be implemented, and will give it as an example:
Pseudocode:

Web service and client have already shared PASSCODE1 and PASSCODE2

First Handshake:
Client pings web service
Web service sends random string A with length
Client checks A is non-null, and sends Hash X = (md5(A XOR PASSCODE1) XOR concat("RIGHT", random string B) XOR PASSCODE2)
Web service receives Hash X, checks if "RIGHT" is there, saves key B, sends Hash Y = (md5(B XOR PASSCODE1) XOR concat("RIGHT", random string C) XOR PASSCODE2)
Client checks if this value is right, and they are authenticated
At this point, if everything goes right, both have keys B and C for this particular transaction

Sample Transaction:
Client calls function(args, md5(args, C) XOR PASSCODE2)
Server returns (object(), md5(args, B) XOR PASSCODE2)
Keys expire after a few minutes, and a new key pair needs to be requested
I know this method is really crude; are there any other ways to do so?
Specifically, I am looking to do this in Java.
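The shared-key, sign-but-don't-encrypt scheme the question sketches, built on a standard MAC instead of md5 and XOR: this is an added Java example, not code from the question or the answer. The key, path, request body and five-minute window are constructed values; the canonical string, timestamp check, nonce set and constant-time compare are the pieces that stop a sniffed request from being altered or replayed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

public class SignedRequest {
    // Constructed demo key shared by client and server; not a real secret.
    static final byte[] SHARED_KEY = "constructed-demo-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
    static final long MAX_SKEW_MS = 5 * 60 * 1000; // requests older than five minutes are rejected

    // HMAC-SHA256 over the message: the tag proves possession of the key without exposing it on the wire.
    static String sign(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
    }

    // The signed string binds method, path, timestamp, nonce and body so none of them can be swapped in transit.
    static String canonical(String method, String path, long ts, String nonce, String body) {
        return method + "\n" + path + "\n" + ts + "\n" + nonce + "\n" + body;
    }

    static final class Server {
        private final Set<String> seenNonces = new HashSet<>(); // illustration only; prune by age in real code

        boolean verify(String method, String path, long ts, String nonce, String body, String tag, long now) throws Exception {
            if (Math.abs(now - ts) > MAX_SKEW_MS) return false;   // stale or future-dated request
            if (!seenNonces.add(nonce)) return false;               // same nonce twice: replay of a sniffed request
            String expected = sign(SHARED_KEY, canonical(method, path, ts, nonce, body));
            // Constant-time comparison so the tag cannot be recovered byte by byte from timing differences.
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), tag.getBytes(StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] n = new byte[16]; new SecureRandom().nextBytes(n);
        String nonce = Base64.getEncoder().encodeToString(n);
        long ts = System.currentTimeMillis();
        String body = "{\"op\":\"transfer\",\"amount\":10}";               // constructed request body
        String tag = sign(SHARED_KEY, canonical("POST", "/api/call", ts, nonce, body));
        Server server = new Server();
        System.out.println("genuine:  " + server.verify("POST", "/api/call", ts, nonce, body, tag, ts));          // first submission
        System.out.println("replayed: " + server.verify("POST", "/api/call", ts, nonce, body, tag, ts + 1000));   // same nonce again
        System.out.println("tampered: " + server.verify("POST", "/api/call", ts, nonce + "x", body.replace("10", "99"), tag, ts)); // fresh nonce, altered body
    }
}
```

The server can sign its response the same way, including the request nonce in the canonical string so the client can tie each signed reply to the request it answers.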
Generally speaking, you shouldn’t be doing this yourself. Depending on the platform you are using, there is more than likely a framework available which implements the WS-Security specification.
This specification covers message integrity as well as message encryption using plain text (in other words, over HTTP) using X.509 certificates.
However, what becomes important is that you protect the certificates that are being used for the signing, as you can’t avoid man-in-the-middle attacks if the certificate is out in the open.
A Google search for the terms “java WS-security” reveals a few resources on how to implement the WS-Security specification in Java.
However, you might want to look at the Web Services Developers Pack, as it appears to be a little more standardized in the framework.