Friday, January 2, 2004 08:59 AM
Security is a big subject in and of itself and is not easily explained in a forum answer. Before you get into devising a solution, you should ask yourself what you are trying to protect, from whom, and what price (in terms of complexity and efficiency) you are willing to pay.
Encryption of passwords typically works this way. The server must first give the client a secret key (which is really a random number). The client then uses this key to encrypt the password and gives it to the server. Typical encryption algorithms include the likes of 3-DES, MD5 and SHA. The server, in turn, remembers what secret key it gave that client and decrypts the password with that key. This requires your client/server interactions to be stateful (i.e. to have sessions). You must never pass the key and the encrypted password together; otherwise anybody can intercept the call and decrypt the password.
If you are deploying this app behind a firewall (i.e. in a corporate network), do you really need to have encrypted passwords? In other words, what are you trying to protect and from whom are you shielding passwords?
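The stateful exchange the post describes, written out as an added example (this is not the poster's code and not a scheme the post itself specifies). It keeps the shape of the post's protocol, the server issues a random value, remembers it per session and uses it once to check what the client sends back, but instead of having the client encrypt the password with that value and the server decrypt it, the client answers with an HMAC-SHA256 over the server's challenge keyed by a password-derived key, so nothing reversible crosses the wire and the server never stores the password itself. The `Server` class, the PBKDF2 parameters, the user "alice" and the password are all constructed for this illustration.

```python
import hmac
import hashlib
import secrets

# Example code written for this page; not from the original forum post.


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-derived key computed identically by client and server.
    The server stores only salt + this key, never the password (PBKDF2 cost is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Client side: answer the server's random challenge with a keyed MAC.
    This replaces the post's 'encrypt the password with the key' step with something the server
    can verify without decrypting anything."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical server holding enrolled users and the per-session challenges it handed out."""

    def __init__(self):
        self._users = {}     # username -> (salt, derived_key)
        self._sessions = {}  # session_id -> (username, challenge); single use, this is the 'state'

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_key(password, salt))

    def start_session(self, username: str):
        """Step 1: hand the client a fresh random challenge and remember it for this session."""
        if username not in self._users:
            return None
        session_id = secrets.token_hex(16)
        challenge = secrets.token_bytes(32)
        self._sessions[session_id] = (username, challenge)
        salt = self._users[username][0]
        return session_id, salt, challenge

    def verify(self, session_id: str, response: bytes) -> bool:
        """Step 3: check the answer against the stored challenge, then discard the challenge
        whether or not it matched, so a captured response cannot be replayed."""
        entry = self._sessions.pop(session_id, None)
        if entry is None:
            return False  # unknown session, or challenge already consumed (replayed message)
        username, challenge = entry
        _, key = self._users[username]
        expected = compute_response(key, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def login(server: Server, username: str, password: str) -> bool:
    """Step 2 from the client's side: derive the key, answer the challenge, return the verdict."""
    started = server.start_session(username)
    if started is None:
        return False
    session_id, salt, challenge = started
    key = derive_key(password, salt)
    return server.verify(session_id, compute_response(key, challenge))


def demo():
    """Runs the exchange with a correct password, a wrong one, and a replayed response."""
    server = Server()
    server.enroll("alice", "correct horse")          # constructed sample credential
    ok = login(server, "alice", "correct horse")
    wrong = login(server, "alice", "wrong password")
    # Replay: an eavesdropper captures a valid response and sends it a second time.
    sid, salt, challenge = server.start_session("alice")
    captured = compute_response(derive_key("correct horse", salt), challenge)
    first = server.verify(sid, captured)
    replay = server.verify(sid, captured)
    return ok, wrong, first, replay


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. First, the server still has to hold a password-equivalent (the derived key), so a database compromise lets an attacker impersonate users without cracking anything; a salted verifier only raises the cost of recovering the original password. Second, an eavesdropper who sees the challenge and the response has everything needed to guess passwords offline, which is why this kind of exchange belongs inside an authenticated, encrypted channel rather than in place of one.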