I am working on an application where I need to interact with a server through Password Digest Authentication. I am able to create a request, but I do not understand what format I need to convert the password and nonce to. Should it be MD5 or SHA1 or a combination of both?
My code to create the SOAP message:

```objc
- (NSString*) createSoapHeader {
    //nonce
    srand(time(NULL));
    int n = rand();
    NSString* nonce = [self md5:[NSString stringWithFormat:@"%i", n]];
    //binary version for base64 encoding
    NSData* nonceBinary = [nonce dataUsingEncoding:NSUTF8StringEncoding];
    //date
    NSDateFormatter* formatter = [[NSDateFormatter alloc] init];
    [formatter setDateFormat:@"yyyy-MM-dd'T'HH:mm:ss'Z'"];
    // the literal 'Z' marks the timestamp as UTC, so format the date in UTC rather than local time
    [formatter setTimeZone:[NSTimeZone timeZoneForSecondsFromGMT:0]];
    NSString* created = [formatter stringFromDate:[NSDate date]];
    // digest = base64(sha1(base64_decode(nonce)+created+secret))
    NSString* digest_concat = [NSString stringWithFormat:@"%@%@%@",nonce, created,@"MY_SECRET_PASSWORD_ON_SERVER"];
    NSString* digest = [self sha1:digest_concat];
    return [NSString stringWithFormat:@"<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:v1=\"http://sita.aero/iborders/external/ReferralManagementServiceWSDLType/V1\"><soap:Header><wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:UsernameToken wsu:Id=\"UsernameToken-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\"><wsse:Username>%@</wsse:Username><wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">%@</wsse:Password><wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">%@</wsse:Nonce><wsu:Created>%@</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><v1:SearchReferralsRequest><v1:ReferralSearchCriteria><ReferralId>2038100</ReferralId></v1:ReferralSearchCriteria><v1:Paging><FetchNumber>1</FetchNumber><ResultsPerFetch>1</ResultsPerFetch></v1:Paging></v1:SearchReferralsRequest></soap:Body></soap:Envelope>",@"XXXXXXXXXXXXXUSERNAME_TOKENXXXXXXXXXXXXXXX",digest,[nonceBinary base64Encoding],created];
}
```
I am able to hash with MD5 or SHA1 with the help of this link.

I have checked the request in SOAPUI and it works there, but SOAPUI creates the nonce and encrypts the password by itself. I do not understand what approach is being followed internally.
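
The `#PasswordDigest` type named in the header is defined by the WS-Security UsernameToken Profile as Base64(SHA-1(nonce + created + password)), computed over the raw nonce bytes, with only the final 20-byte hash Base64-encoded; MD5 is not part of it. The following is an added example, not part of the original post, and the function name `WSSEPasswordDigest` and the sample password are assumptions made for illustration:

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>
#import <Security/Security.h>

// Added example (hypothetical helper name). Returns the three UsernameToken
// values, or nil if the system random number generator fails.
static NSDictionary<NSString *, NSString *> *WSSEPasswordDigest(NSString *password) {
    // Nonce: raw random bytes from the system CSPRNG, not rand() seeded with the clock.
    uint8_t nonceBytes[16];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(nonceBytes), nonceBytes) != errSecSuccess) {
        return nil;
    }
    NSData *nonce = [NSData dataWithBytes:nonceBytes length:sizeof(nonceBytes)];

    // Created: UTC timestamp, because the format ends in a literal 'Z'.
    NSDateFormatter *formatter = [[NSDateFormatter alloc] init];
    formatter.locale = [NSLocale localeWithLocaleIdentifier:@"en_US_POSIX"];
    formatter.timeZone = [NSTimeZone timeZoneForSecondsFromGMT:0];
    formatter.dateFormat = @"yyyy-MM-dd'T'HH:mm:ss'Z'";
    NSString *created = [formatter stringFromDate:[NSDate date]];

    // Hash input: raw nonce bytes + UTF-8(created) + UTF-8(password).
    NSMutableData *input = [NSMutableData dataWithData:nonce];
    [input appendData:[created dataUsingEncoding:NSUTF8StringEncoding]];
    [input appendData:[password dataUsingEncoding:NSUTF8StringEncoding]];

    // SHA-1 yields 20 raw bytes; Base64 those bytes directly, with no hex string in between.
    uint8_t sha[CC_SHA1_DIGEST_LENGTH];
    CC_SHA1(input.bytes, (CC_LONG)input.length, sha);
    NSData *digest = [NSData dataWithBytes:sha length:sizeof(sha)];

    return @{
        @"Password": [digest base64EncodedStringWithOptions:0],  // goes in <wsse:Password>
        @"Nonce":    [nonce base64EncodedStringWithOptions:0],   // goes in <wsse:Nonce>
        @"Created":  created                                      // goes in <wsu:Created>
    };
}

int main(void) {
    @autoreleasepool {
        // Constructed sample password, for illustration only.
        NSDictionary *token = WSSEPasswordDigest(@"example-password");
        NSLog(@"%@", token);
    }
    return 0;
}
```

The `Created` string placed in the header must be byte-for-byte the one that was hashed, and the Base64 `Nonce` must decode to exactly the bytes that were hashed, otherwise the server's recomputed digest will not match.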