Challenge & Response

Passwords that users enter into the password fields of the security forms are sent to the server as clear text. As long as the web application is protected with the HTTPS protocol, this is not a problem. Where HTTPS is not used, passwords are usually protected with the "Challenge/Response" technique. With this technique the server generates a unique id (the challenge) each time, and this id is carried to the client. The password entered by the user is hashed with MD5 using this challenge and posted to the server. Even if the password sent to the server is captured by third parties, it is unusable because the challenge will be different next time.

The elements of the library branch "Security > Extra > ChaResp" are protected with this technique. Usage is very simple: whenever you need one of the elements listed in the following table, use the one on the right.

Warning! Challenge & Response cannot be used for existing systems, since the way the user passwords are stored is different.

Elements

Please refer to the normal elements for help on the Challenge & Response elements, using the following links.
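
The challenge/response exchange described above, with both sides simulated in Python, as an added example that is not the library's own code. It assumes the response is MD5(MD5(password) + challenge) and that the server stores MD5(password); the page does not give the exact formula, and the `Server` class, `client_response` and the sample account are hypothetical.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

class Server:
    """Hypothetical server side; stores MD5(password), not the clear password."""
    def __init__(self):
        self.stored = {}    # username -> MD5(password)  (assumed storage format)
        self.pending = {}   # username -> challenge issued for the next login

    def register(self, user, password):
        self.stored[user] = md5_hex(password)

    def new_challenge(self, user):
        challenge = secrets.token_hex(16)   # unique, unpredictable id per login form
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        # The challenge is consumed on every attempt, so it is single use.
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.stored:
            return False
        expected = md5_hex(self.stored[user] + challenge)
        return hmac.compare_digest(expected, response)

def client_response(password, challenge):
    """Value the browser posts instead of the clear-text password (assumed formula)."""
    return md5_hex(md5_hex(password) + challenge)

def demo():
    server = Server()
    server.register("alice", "correct horse")        # constructed sample account
    c1 = server.new_challenge("alice")
    captured = client_response("correct horse", c1)  # what a passive listener sees
    first = server.verify("alice", captured)         # legitimate login
    replay_same = server.verify("alice", captured)   # challenge already consumed
    c2 = server.new_challenge("alice")
    replay_next = server.verify("alice", captured)   # old response, new challenge
    return first, replay_same, replay_next, c1 != c2

if __name__ == "__main__":
    print(demo())
```

Under this assumed scheme the stored MD5 digest is all a client needs to compute a valid response, so it has to be protected like the password itself.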