Authenticating the credential through HTTP
If you want to authenticate a user over plain HTTP, the basic idea is to have the user hold a username/password pair. However, this solution has a few limitations. First, the username/password pair risks being sniffed on the open public network. Second, the password is static for every round of authentication, so once the password is compromised it has to be revoked (just think of how huge and troublesome the cost of revoking a password always is). Nevertheless, due to some application limitations we want to authenticate the user over plain HTTP, so how can we do that?
Assuming that the username/password pair has already been shared secretly and successfully between the user and the server, instead of asking the user to send the username/password pair for authentication, we generate a signature based on the username and password; for example, the signature can be the MD5 of the string concatenation of username and password. During authentication, the user sends the username together with the signature to the server, while the server computes the signature with the agreed algorithm (here, the MD5 of the string concatenation of username and password). In this way the server can verify that the user is the right person, since he/she knows how to generate the signature with the right password. To address the second limitation above, we can make the signature-generation algorithm a little more sophisticated, such as putting a timestamp into it so that the signature changes with time. Extending this further, the signature-generation algorithm can pick up more of the user's information to make the signature harder to guess, such as the client IP, etc.
Disclaimer: this is not a comprehensive design of a secure protocol; it is simply a blog article describing a security topic.
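As an added example (not code from the original post), here is the scheme above with a timestamp and the client IP folded into the signature, in Python: the client sends the username, timestamp and signature (never the password), and the server recomputes the MD5 from the shared password, rejects requests whose timestamp falls outside a short window so that a captured signature stops working quickly, and compares digests in constant time. The credential store `USERS`, `WINDOW_SECONDS` and all sample values are constructed for the example.

```python
import hashlib
import hmac

# Constructed credential store: username -> password shared in advance with the server.
USERS = {"alice": "correct horse battery staple"}

# Constructed server-side tolerance (seconds) for clock skew between client and server.
WINDOW_SECONDS = 60


def make_signature(username: str, password: str, timestamp: int, client_ip: str = "") -> str:
    """MD5 of username || password || timestamp || client_ip, the construction the post describes."""
    data = f"{username}{password}{timestamp}{client_ip}".encode()
    return hashlib.md5(data).hexdigest()


def client_request(username: str, password: str, now: int, client_ip: str = "") -> dict:
    """What the client sends over HTTP: username, timestamp and signature, but not the password."""
    return {"user": username, "ts": now, "sig": make_signature(username, password, now, client_ip)}


def server_verify(request: dict, now: int, client_ip: str = "") -> bool:
    """Recompute the signature from the stored password; reject unknown users, stale or forged requests."""
    password = USERS.get(request.get("user"))
    if password is None:
        return False
    try:
        ts = int(request.get("ts"))
    except (TypeError, ValueError):
        return False
    # A signature captured on the wire is only replayable inside this window.
    if abs(now - ts) > WINDOW_SECONDS:
        return False
    # client_ip comes from the server's view of the connection, not from the request body.
    expected = make_signature(request["user"], password, ts, client_ip)
    # Constant-time comparison so the check does not leak the expected digest through timing.
    return hmac.compare_digest(expected, str(request.get("sig", "")))


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    req = client_request("alice", USERS["alice"], now, "203.0.113.7")
    print("fresh request accepted:", server_verify(req, now + 5, "203.0.113.7"))
    print("replayed after window:", server_verify(req, now + 120, "203.0.113.7"))
    print("replayed from other IP:", server_verify(req, now + 5, "198.51.100.9"))
```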