On Fri, 2009-04-10 at 00:28 +0100, Daniel Watkins wrote:
> Hello all,
>
> I'm currently working on an implementation of the server-side of an
> already-defined protocol. So, no, I can't do things differently. :)
>
> The protocol performs authentication by passing a token which is
> "md5(md5(password) + timestamp)" and the timestamp. I then need to
> calculate the same on the server.
>
> However, I don't have direct access to either 'password' or
> 'md5(password)', so I can't do this.
>
> There are a couple of ways I can think of to deal with this:
>   * Store the MD5 of the password in a separate location. This is
>     nasty because it means I need to be aware of whenever the
>     password is changed.
This is the normal way things are done with, for example, HTTP digest
authentication setups. And, yes, you do need to be aware of whenever the
password changes. However, that's probably not as hard as it seems, since
you should be able to control all of the password change paths.

Firstly, consider using Django 1.1-beta and use proxy models so that you
can override the set_password() method on the User model. Then you can
make sure you store (somewhere else, possibly) the appropriate MD5 hash.

Now, you have to be a bit careful here about who/what can access that
hash. The reason straight hashes like that aren't stored in password
tables is because they're vulnerable to dictionary attacks, aided by
techniques such as rainbow tables (I'm mentioning that term so that you
have something to search for if you're interested). Hence, hashes are
normally mixed up a bit more via the inclusion of some random salt.
Unfortunately, the salt then makes it impossible to use the same values
for the MAC in your setup. That's nothing unique to Django. It does mean
you have to be *really* careful of those raw MD5 hashes, though. To the
point that perhaps a disposable web service password is to be used in
those cases, rather than the normal login password (if login via other
means is possible).

>   * Force Django to use MD5 to store passwords. This is nasty
>     because it means I have to use MD5 for passwords. However, I'm
>     already being forced to use MD5 elsewhere, so I'd be happy to do
>     this if it's possible.

You could possibly do this using proxy models and changing set_password()
again.

Regards,
Malcolm
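A worked illustration of the first option discussed above (keep the protocol's unsalted MD5 in a separate store, populated from the same code path that sets the salted Django password, and check the client's token against it on the server). This is an added example, not code from the thread or from Django: the two dicts stand in for the User table and a hypothetical separate model, `set_password()` mirrors what an overridden method would do, and it assumes the timestamp is a decimal Unix epoch string, that the protocol concatenates hex digests, and that a freshness window on the timestamp is acceptable. The point it adds beyond the text is how to keep the raw MD5 out of the normal password column and how to compare the token without a timing leak.

```python
import hashlib
import hmac
import os

# Constructed in-memory stores (assumption: two separate tables, keyed by username).
SALTED_PASSWORDS = {}  # username -> "sha1$salt$hexdigest", the normal login credential
PROTOCOL_MD5 = {}      # username -> md5(password) hex, used only for the protocol MAC


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string, as the protocol requires."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def set_password(username: str, raw_password: str) -> None:
    """Single password-change path: updates both stores at once.

    The salted entry mirrors the sha1$salt$hash layout Django 1.x used so the
    login table never holds the unsalted value; the unsalted MD5 goes to the
    separate store that only the protocol verifier should be able to read.
    """
    salt = os.urandom(4).hex()
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    SALTED_PASSWORDS[username] = "sha1$%s$%s" % (salt, digest)
    PROTOCOL_MD5[username] = md5_hex(raw_password)


def client_token(password_md5: str, timestamp: str) -> str:
    """Token as the protocol defines it: md5(md5(password) + timestamp)."""
    return md5_hex(password_md5 + timestamp)


def verify_token(username: str, timestamp: str, token: str,
                 now: int, max_skew: int = 300) -> bool:
    """Server-side check of a presented (timestamp, token) pair.

    Rejects unknown users, unparsable or stale timestamps (replay window of
    max_skew seconds, an assumption), and mismatching tokens. The comparison
    uses hmac.compare_digest so the check runs in constant time.
    """
    password_md5 = PROTOCOL_MD5.get(username)
    if password_md5 is None:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = client_token(password_md5, timestamp)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    set_password("alice", "hunter2")          # constructed sample user
    now = 1239319680                           # constructed server clock
    ts = str(now)
    tok = client_token(PROTOCOL_MD5["alice"], ts)
    print("fresh token accepted:", verify_token("alice", ts, tok, now))
    print("stale token accepted:", verify_token("alice", ts, tok, now + 10000))
```

Whatever backs `PROTOCOL_MD5` in a real deployment should be readable only by the verifier, since anyone who can read it can forge tokens for every user; that is the "be *really* careful" part of the reply, and a reason to prefer a separate web-service password over the login password where the protocol allows it.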