Brett McCoy wrote:
> On Thu, Apr 24, 2008 at 9:37 PM, Tyler Littlefield <[EMAIL PROTECTED]> wrote:
>
>> If you want a one-way, I'd say sha1. If you want decompression, AES256
>> should be fine. You still didn't explain how strong you wanted it to be,
>> though. I'm not too familiar with encryption algos, and which works best
>> where, those are the ones I've used in the past.
>
> I recently used a simple session-based scheme to encrypt passwords
> for a SOAP client:
>
> initiate session
> send authentication request to server
> get back a response with a nonce value based on the time
> put password through sha1 digest
> create a string with nonce + sha1 digest
> create md5 digest from that string and send it back to server with username
> server does the reverse to authenticate session
> continue with requests and responses for distributed application
>
> Not completely secure unless a secure transport layer is used, of
> course, since the session id and the message digest could still be
> snooped.
>
> -- Brett
>
> ------------------------------------------------------------
> "In the rhythm of music a secret is hidden;
> If I were to divulge it, it would overturn the world."
> -- Jelaleddin Rumi

BTW, SHA-1 is considered to be broken and MD5 is considered to be broken AND cracked. As such, neither algorithm should be used in any security critical applications.

--
Thomas Hruska
CubicleSoft President
Ph: 517-803-4197

*NEW* MyTaskFocus 1.1
Get on task. Stay on task.

http://www.CubicleSoft.com/MyTaskFocus/
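
The exchange described in the quoted message, with both client and server sides, next to a variant that swaps SHA-1 and MD5 for PBKDF2-HMAC-SHA256 and HMAC-SHA256 in line with the reply above. This is an added example, not code from the thread; the function names, the `Server` class, the iteration count, the random single-use nonce and the sample credentials are assumptions of the example.

```python
import hashlib
import hmac
import secrets

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def legacy_response(nonce: str, password: str) -> str:
    # Quoted scheme, client side: md5(nonce + sha1(password)).
    return hashlib.md5((nonce + sha1_hex(password)).encode()).hexdigest()

def legacy_verify(nonce: str, stored_sha1: str, response: str) -> bool:
    # Quoted scheme, server side: recompute from the stored SHA-1 digest.
    expected = hashlib.md5((nonce + stored_sha1).encode()).hexdigest()
    return hmac.compare_digest(expected, response)

def derive_key(password: str, salt: bytes) -> bytes:
    # Replaces the bare SHA-1 step: salted, iterated PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def hmac_response(nonce: bytes, key: bytes) -> str:
    # Replaces md5(nonce + digest): HMAC-SHA256 over the nonce.
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()

class Server:
    """Hypothetical server: one account, random single-use nonces."""

    def __init__(self, username: str, password: str):
        self.salt = secrets.token_bytes(16)  # sent to the client with the nonce
        self.keys = {username: derive_key(password, self.salt)}
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # assumption: random, not time-based
        self.pending.add(nonce)
        return nonce

    def verify(self, username: str, nonce: bytes, response: str) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already used nonce
        self.pending.discard(nonce)
        key = self.keys.get(username)
        return key is not None and hmac.compare_digest(hmac_response(nonce, key), response)

if __name__ == "__main__":
    srv = Server("alice", "s3cret")  # constructed sample credentials
    n = srv.challenge()
    r = hmac_response(n, derive_key("s3cret", srv.salt))
    print(srv.verify("alice", n, r), srv.verify("alice", n, r))
```

In both versions the value the server stores is enough to compute a valid response, so it needs the same protection as the password itself, and the exchange still needs a secure transport layer as the quoted message notes.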
