OBSCURING A PASSWORD

If you want to send a password from a browser to a server and you don't
really care about it being cryptographically secure but you would 
prefer
that it wasn't in plain text, then use a Message Digest algorithm.
Message Digest algorithms are functions that can only be computed one 
way. Once
the algorithm has been applied to a value, it is not possible to go
backwards and find out the original value. The only way is to pass in 
random
input until you get the value.

Message Digest algorithms are more commonly known as "one-way hash
functions," but due to the similarity with hashing for Hashtables, we 
will
ignore that name.

A very simplified example is the square-function. If you square the
number 5, there is only one possible result. However, if you start with 
the
answer 25, it is not possible to tell whether the original number was 5 
or
-5. A Message Digest algorithm is merely a  very complex version of 
this.

Java provides an easy way to accomplish this via the
java.security.MessageDigest class. As with all parts of Java security, 
it is possible to
plug in extra algorithms, but the default JVMs come with two Message 
Digests
as standard: MD5 and SHA-1. The MessageDigest class turns a series of
bytes into another series of bytes, so you also need to handle turning 
a
String into bytes and vice versa. Here's the code:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

....

String password = "josephine";
MessageDigest md = null;

try {
// MD5 is the normal one to use, else put SHA-1 here.
md = MessageDigest.getInstance("MD5");
} catch(NoSuchAlgorithmException nsae) {
nsae.printStackTrace();
}

byte[] input = password.getBytes();
md.update(input);
byte[] output = md.digest();
md.reset();

return convertToHexString(output);

Note that the major thing missing is the convertToHexString method. The
reason for converting the bytes back to a String is that it's easier to
debug. And putting a String into a file or database is a lot simpler 
than
adding the binary byte array.

Here's an implementation of this method:

static public String convertToHexString(byte[] bytes) {
int size = bytes.length;
StringBuffer buffer = new StringBuffer(size*2);

for(int i=0; i<size; i++) {
// convert byte to an int
int x = (int)bytes[i];

// account for int being a signed type and byte
// being unsigned
if(x < 0) {
x += 256;
}

// this outputs capitalised hex, ie: "0A"
// rather than "0a"
String tmp = Integer.toHexString( x );

// pad out "1" to "01" etc.
if(tmp.length() == 1) {
tmp = "0"+tmp;
}
buffer.append(tmp);
}

return buffer;
}

Now your applet can send the Message Digest of the password, rather 
than
the plain-text password. But what do you do if you are utilizing HTML?
Well there is a free JavaScript library which can MD5 a string on the
client side and send it to the server.
http://click.online.com/Click?q=31-V_YRIjMkk61Jq0lyLAGOqaA6ND9R 


Message Digesting is not just useful for obscuring text. It can also be
used to create a unique ID for a piece of text or file. This is known 
as
a Checksum, and while a Message Digest is slower at this than using a
Checksum such as CRC32 or Adler32, it has a much lower chance of two
different files returning the same value.

Web browsers and servers support something known as HTTP Basic
Authentication. You use this when a browser pops up a System Login 
Window, rather
than a HTML page. This requires configuration on the server and doesn't
scramble the password. There are latter versions which do scramble the
password, but these have traditionally been poorly supported in 
browsers.

Finally, Message Digests are an integral part of most security
protocols, usually used along with encryption algorithms. Knowing how 
to use them
can be the first, tiny step towards a secure application.


----------------------------------------