Win a copy of Head First Android this week in the Android forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Tim Cooke
  • Junilu Lacar
Sheriffs:
  • Rob Spoor
  • Devaka Cooray
  • Jeanne Boyarsky
Saloon Keepers:
  • Jesse Silverman
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
  • Tim Holloway
Bartenders:
  • Jj Roberts
  • Al Hobbs
  • Piet Souris

HTTP Basic Authentication password

 
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I am preparing for the SCWCD certification.
I have several references.
In at least one reference it is indicated that the password is passed as clear text utilizing HTTP Basic Authentication. In at least one other text is is indicated the password is passed using base 64 encoding, a weak type of encryption. Which is right?? Comments welcome. Thank you in advance for your help.
Michael
 
Ranch Hand
Posts: 3244
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Michael
According to what I've read they've all been in agreement on Basic Authentication using Base64 encoding. After your question I checked the RFC and it does say Base64.
What book do you have that is incorrect?
 
Enthuware Software Support
Posts: 4580
45
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Password is definitely sent in Base64 encoding. However, encoding is not same as encryption. There is a subtle difference which causes the Base64 encoded string to be termed as "clear text".
An encrypted string cannot be decrypted unless you have something (usually, the key) that was used to encrypt it even if you know the algorithm. For example, if you encrypt a string using Blowfish, nobody can ( well, leave alone cracking for now) decrypt it unless one has the key even if one knows that the original string was encrypted using Blowfish.
Encoding, on the other hand, has no such protection. Anybody who knows the algorithm can decode it. For example, ASCII, EBCDIC, Unicode are all encoding mechanism. You don't have to do any decryption to find out that 65 is ASCII for A. Similary, Base64 is another encoding mechanism. Anybody can find out what a Base64 encoded string means in ASCII.
For this reason, it is said that the password is sent in "clear text". I remember there was a question on this particular aspect in the exam too.
HTH,
Paul.
[ August 07, 2002: Message edited by: Paul Anil ]
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic