Simple XOR a message (Javascript/Tcl)?

Question

I need the username/password to be scrambled at the client-side before sending it over via HTTP GET/POST. And the server will decode it with Tcl, before the checks against database.

Currently I'm thinking about using JavaScript for the client-side. Java Applet will also do.

Is there any way, that I can easily achieve it, using Simple XOR or any other methods? (Examples would be much appreciated)

I've found the few samples in C/Python/.NET/Java... But not in JavaScript and Tcl.

SSL is not an option to use, sadly.

Answer 1

If ssl is not an option, then I suggest the following scheme, which many sites use instead of SSL:

1. On the client side, combine the user name and password, then calculate a hash from it (MD5 is a popular choice).
2. Send the user's name and hash over to the server
3. On the server side, retrieve the password for that user from the database.
4. From the user name and password, calculate the hash and compare it with the client's hash. If the two match, then the passwords match.
5. For added security, add a little random text to the user+password mix. This random text, AKA the "salt", must be known on both the client and server sides.

Here is a suggestion on how to calculate the hash using MD5:

package require md5

proc calculateHash {user password salt} {
    return md5:md5 -hex "$user:$salt:$password"
}

How to use it:

set user "johnny"
set password "begood2mama"
set salt "myDog_is_meaner_than_yourDog"

set hash [calculateHash $user $password $salt]