This is one of the things happening last week that I managed to not tell you guys about. Don’t ask me why.
Branden has released code for SHA1 Secure Hash for Flash MX.
So what is SHA1? I’ll steal one of Branden’s comments:
It is a checksum on steroids, and here’s how that’s good:
I want to validate against the server, but I don’t want to send the actual password across. So, what I do is contact the server and ask for a random value. The server then records down my IP and associates it with that value. Then, I take the password, combine it with that random value and pass it through a crypto hash. Then, I send the hash and my username to the server. The server then looks up the password for my username and then does the same thing I did and combines that password with the random value and hashes it. If the hash it created matched the one I sent to the server, bam! It lets me in. I’ve just authenticated without the need to actually send the password over the wire.
So basically, what is going on is that we are making a checksum. First on the server, then on the client. The resulting data sent from the client won’t be anything that can later be decoded, but it can be checked against the known data and the checksum we created on the server. Works great for sending passwords and other data that we already know and need to validate.
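The exchange Branden describes, sketched as an added Python example (not Branden's Flash MX code). The `Server` class, the `nonce:password` way of combining the two values, the sample account and the IP address are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store; the scheme on the page requires the server
# to be able to look up the password for a username.
USERS = {"alice": "correct horse"}


def response_hash(password: str, nonce: str) -> str:
    """Combine the password with the server's random value and hash it (SHA-1)."""
    # The "nonce:password" layout is an assumption; the page only says "combine".
    return hashlib.sha1((nonce + ":" + password).encode("utf-8")).hexdigest()


class Server:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # client IP -> outstanding random value

    def challenge(self, ip: str) -> str:
        """Step 1: hand out a random value and remember which IP asked for it."""
        nonce = secrets.token_hex(16)
        self.pending[ip] = nonce
        return nonce

    def login(self, ip: str, username: str, client_hash: str) -> bool:
        """Step 3: recompute the hash from the stored password and compare."""
        nonce = self.pending.pop(ip, None)  # single use: a replayed hash finds no nonce
        password = self.users.get(username)
        if nonce is None or password is None:
            return False
        expected = response_hash(password, nonce)
        return hmac.compare_digest(expected, client_hash)  # constant-time comparison


def demo():
    server = Server(USERS)
    ip = "192.0.2.10"  # constructed documentation address
    nonce = server.challenge(ip)
    sent = response_hash("correct horse", nonce)  # step 2: only this hash is sent
    first = server.login(ip, "alice", sent)
    replay = server.login(ip, "alice", sent)  # same bytes again, nonce already used
    wrong = server.login(ip, "alice", response_hash("guess", server.challenge(ip)))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

SHA-1 appears here only because it is the hash the post is about; the same exchange works with any cryptographic hash, and HMAC is the standard construction for combining a secret with a random value.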