Explanation of Challenge/Password used by the WSDL and the LoginLink

Access to some features of the TDS software requires a password. To avoid transmitting the password as plain text during the HTTP exchange, we use the "challenge" concept to calculate a password with a limited lifespan.

Note: depending on the type of hosting that you are using, you might also use HTTPS instead of HTTP to secure the communication. Both the WSDL and the LoginLink also work over HTTPS.

The concept is the following:

  • The users have a "username" and a "password"
  • The password must not be transmitted over the communication line
  • We choose a "challenge" and we calculate a "challenge_password" that is valid only for a limited amount of time. This "challenge_password" is then transmitted to the server


How to choose the challenge?

The challenge is a 32-bit integer number.

The TDS software (current version is soft_6817_g18) uses the challenge as a timestamp. This means that when a connection takes place, the server verifies that challenge>=UNIX_TIMESTAMP().

If this is not true, the authentication is refused (the challenge is too old).

If we choose challenge=UNIX_TIMESTAMP(), then access will be allowed only during one second. So if we want to make a WSDL access, we might choose for example challenge=UNIX_TIMESTAMP()+10. For the LoginLink on the TDS, the challenge is usually chosen to provide three months of validity. The LoginLink will then be usable during three months.

It is also possible, in the same way, to create a LoginLink that will be valid much longer.

Note: obviously, if the user changes their "password", then the LoginLink will not work anymore!



challenge_password calculation

To calculate the "challenge_password", we use the following formula:

challenge_password = MD5(CONCAT(user.password, challenge))

Important note: The TDS software doesn't store the password as plain text. The user table contains the password, but encoded: the value stored in the table is the output of the MySQL OLD_PASSWORD function. For example, if the plain password is "easyPassword", then the password "446d5fcf152ec3ca" will be stored in TDS. The challenge calculation uses the password as stored in TDS (446d5fcf152ec3ca in our example!).

Important note II: Since version soft_6817_g18, TDS uses another password hash function: OLD_PASSWORD is replaced by the SHA2-256 function. For example, if the password is "easyPassword", then the password stored in TDS will be "09da4e416785b0270a63e17e8b1313f4e29b814071892fe528060b17c1f0cf09".

Example with OLD_PASSWORD hash

plain text password          : easyPassword
password stored in TDS       : 446d5fcf152ec3ca
chosen challenge             : 1493363073
calculated challenge_password: f9cced548fcf0111054f10c704fdf8bd

This challenge_password is valid until 28.04.2018


Example with SHA2-256 hash

plain text password          : easyPassword
password stored in TDS       : 09da4e416785b0270a63e17e8b1313f4e29b814071892fe528060b17c1f0cf09
chosen challenge             : 1546027813
calculated challenge_password: e171c40735aae045353f9ffb617c4307037c17c91263bcd02931e24de3c4613f

This challenge_password is valid until 28.12.2018
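As an added example (not code from this page or from the TDS software), the following Python reproduces both sides of the scheme described above: the client-side formula MD5(CONCAT(stored_password, challenge)), the choice of a challenge with a given lifetime, and the server-side check (challenge >= UNIX_TIMESTAMP(), then hash comparison). The "sha256" branch is an assumption drawn from the 64-hex-digit result in the SHA2-256 example; DIGESTS, make_challenge and verify are names chosen here.

```python
import hashlib
import hmac
import time
from typing import Optional

# Digest applied to CONCAT(stored_password, challenge). The page gives MD5;
# the soft_6817_g18 example yields 64 hex digits, so the same construction
# with SHA2-256 is assumed for that version.
DIGESTS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def challenge_password(stored_password: str, challenge: int, algo: str = "md5") -> str:
    """Client side. MySQL CONCAT renders the integer challenge as decimal
    text, so the concatenation is done on strings before hashing."""
    data = (stored_password + str(challenge)).encode("ascii")
    return DIGESTS[algo](data).hexdigest()


def make_challenge(lifetime_seconds: int, now: Optional[int] = None) -> int:
    """Choose a challenge valid for lifetime_seconds from now; the page says
    the challenge is a 32-bit integer (unsigned range assumed here)."""
    now = int(time.time()) if now is None else now
    challenge = now + lifetime_seconds
    if not 0 <= challenge < 2**32:
        raise ValueError("challenge does not fit in a 32-bit integer")
    return challenge


def verify(stored_password: str, challenge: int, presented: str,
           algo: str = "md5", now: Optional[int] = None) -> bool:
    """Server side: reject an expired challenge (challenge must be >=
    UNIX_TIMESTAMP()), then recompute from the stored hash and compare in
    constant time so the comparison does not leak where the strings differ."""
    now = int(time.time()) if now is None else now
    if challenge < now:
        return False  # challenge is too old
    expected = challenge_password(stored_password, challenge, algo)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Inputs from the page's two worked examples; compare the printed values
    # with the challenge_password values listed above.
    print(challenge_password("446d5fcf152ec3ca", 1493363073, "md5"))
    print(challenge_password(
        "09da4e416785b0270a63e17e8b1313f4e29b814071892fe528060b17c1f0cf09",
        1546027813, "sha256"))
```

Running it prints the challenge_password for the page's two examples, so they can be compared with the values listed above. Note that the stored hash is the only secret in the formula, so the user table needs the same protection as the plain passwords would.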