The Author Online Book Forums are Moving

The Author Online Book Forums will soon redirect to Manning's liveBook and liveVideo. All book forum content will migrate to liveBook's discussion forum and all video forum content will migrate to liveVideo. Log in to liveBook or liveVideo with your Manning credentials to join the discussion!

Thank you for your engagement in the AoF over the years! We look forward to offering you a more enhanced forum experience.

nmurison (1) [Avatar] Offline

I've really enjoyed reading your book, but couldn't help but notice there seems to be some confusion about some cryptology terms.

The MD5 algorithm is known as a hashing or message digest algorithm, not an encryption algorithm. In broad terms, encryption is a process that converts plaintext data into ciphertext using an encryption key, which can only be decrypted by someone who knows the decryption key (these may be the same, depending on the algorithm). A message digest algorithm is a one-way function that processes an input of variable size and generates a fixed-length output. Calling MD5 an encryption algorithm might not be a deadly sin, but it will raise some eyebrows.

Also, the "public and private keys" protocol that you describe in Section 7.3.3 is not a protocol that would be considered to be using public and private keys by security professionals. The protocol you describe is better known as a simple Challenge-Response Protocol.

The Challenge is the random value sent by the server to the client-side code when the user visits the login page. This value is also known as a Nonce. The Response is the hash returned by the client-side code to the server.

In broad terms, a public key encryption scheme uses a Public key to encrypt data which can only be decrypted using the corresponding Private key. The Public key can be published for all to see, while the Private key must only be known to the owner of the keypair (i.e. the recipient of the message). A good scheme will also ensure that it is infeasible to figure out the value of the Private key based on the Public key value.

I think it should also be mentioned that the scheme outlined in section 7.3.3 only ensures that the password is not communicated in clear text. Developers still need to consider threats such as session hijacking, information disclosure and man-in-the-middle attacks. Safeguarding the password is of little value if an attacker is able to hijack the authenticated session by sniffing and replaying the session identifier (most likely a cookie) and do whatever they want.

If in doubt, use HTTPS. As a general rule, use what has already been developed, published and extensively tested, and don't reinvent the wheel. Inventing your own cryptography schemes can be lots of fun, but can also give you a false sense of security, and should never be used to safeguard sensitive information or functionality.

Again, I've really enjoyed the book, and it's helped me kickstart my attempts at making more responsive and interactive web applications. Keep up the great work!