To avoid clear text transmission of passwords and username, use Message Digests.

Send the digest of the password (which is the same digest stored in the user database).

However, a MITM can listen in  -and simply resend that same digest and prove to be the user (replay attack). To avoid this, first send ONLY the USERNAME. Once received, the server will create a random challenge and send it back to the user.

At this point, the UI displays a password entry field. The user enters the password – a digest of the password is created – and the digest is used to encrypt the random challenge (symmetric encryption).

The server, on receiving the encrypted random message, can simply perform the same encryption of it’s own random message (using the digest stored in the database), to see if they match.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Initial Consultation

Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

 Twitter Linkedin