Java Reference
In-Depth Information
The MIDlet creates a timestamp and a random number, both of which are fed into the
message digest along with the user name and the password. Then the MIDlet sends the user
name, the timestamp, the random number, and the digest value up to the server. It does not
send the password as cleartext, but the password is used to calculate the digest value.
The server takes the user name and looks up the corresponding password, which should
be stored securely in a file or a database. Then it creates a digest value of the user name, pass-
word, timestamp, and random number. If the digest value created on the server matches the
digest value sent by the client MIDlet, then the server knows that the user typed in the right
password. The user has just logged in successfully.
The server needs some logic to prevent replay attacks. Specifically, the server should reject
login attempts that use timestamps and random numbers that have been used before with that
login. Although you could save the random numbers and timestamps of all user login attempts,
it would be relatively expensive to compare each of these every time a user wanted to log in. An
easier way to implement this is to save the timestamp of each user's last login attempt. For each
subsequent login attempt, the server looks up the saved timestamp. If the timestamp on the
current attempt is later than the saved timestamp, the attempt is allowed. The current attempt's
timestamp replaces the saved timestamp for this user.
Using the Bouncy Castle Cryptography Package
In the Bouncy Castle package, message digests are generically represented by the
org.bouncycastle.crypto.Digest
interface. You can add data into the message digest using
one of two
update()
methods. To calculate the message digest value, call
doFinal()
. Specific
implementations of the
Digest
interface are contained in the
org.bouncycastle.crypto.digests
package. We'll be using one called
SHA1Digest
, which implements the SHA-1 digest algorithm.
The following line shows how to create a SHA-1 message digest object:
Digest digest = new SHA1Digest();
The cryptography code is pretty simple. Most of the effort, in fact, is devoted to converting
the timestamp and random number to bytes that can be pushed into the message digest
object. Then it's just a matter of calling the
update()
method with each array of bytes.
To calculate the digest, call
Digest
's
doFinal()
method. You'll need to pass in a byte array to
hold the message digest value. To find out how long this array should be, call the
getDigestSize()
method.
byte[] digestValue = new byte[digest.getDigestSize()];
digest.dofinal(digestValue, 0);
Implementing a Protected Password Protocol
This section details an implementation of protected password login. On the client side, a
MIDlet collects a user name and password, as shown in Figure 18-2.
When the
Login
command is invoked, the MIDlet sends data to a servlet, which deter-
mines whether or not the client is authenticated. The servlet sends back a message, which is
displayed on the screen of the device, as shown in Figure 18-3.
Search WWH ::
Custom Search