http://www.perlmonks.org?node_id=307543

Flame has asked for the wisdom of the Perl Monks concerning the following question:

As the title implies, this question spans two languages, Perl and Java. I have a Perl server with Java clients and I need to find some means of allowing the Java client to securely broadcast a login/pass. (Ref: Ecrypting passwords for the source of a few of these ideas)

I've considered having the whole connection over SSL, but concluded it required too much effort (the server is in POE which I'm still learning about... I don't wanna fiddle with the internals before I have the externals working and well understood.)

I've considered the following also:

The client connects and the server immediately sends a random string of random length between 100 and 1000 chars to the client, which the client is expected to store.

The client then sends the login name in cleartext (to allow for lookup in a database) and the password and random_string combined and encrypted/digested.

The problem with this idea is in the fact that the JCE (Java Cryptography Extension) is highly restricted and I don't want to have to add additional 'providers'.

The other significant problem is my unfamiliarity with digital cryptography. I have a great deal of knowledge about historical techniques, but this is a whole new ballpark. I notice that HMAC-MD5 seems to exist in both Perl and Java, but now I'm faced with the problem of not really understanding how they work, and so being unable to understand what they really do, or what restrictions there are. For example, the docs for Digest::HMAC_MD5 state only that you pass the data and a key. The presence of the key suggests that this might be two-way encryption, something I don't think I want.

Overall, I'm open to almost any suggestion, whether it builds off of my current efforts or not.

Description of the server and goals: Persistent connection. Clients connect and log in and kinda sit around for a while. (Game server of sorts.)

Thanks, everyone!





My code doesn't have bugs, it just develops random features.

Flame
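
The challenge-response exchange described in the question, as an added example that is not part of the original post: the server issues a random challenge and the client answers with HMAC-MD5 keyed by the password, which is a one-way keyed digest rather than two-way encryption. The account store, the sample login and password, the helper names and the use of /dev/urandom are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::HMAC_MD5 qw(hmac_md5_hex);

# Constructed sample account store (assumption). The server must hold the
# password, or a password-equivalent secret, to recompute the response.
my %password_for = ( flame => 'correct horse battery staple' );

# Server: fresh, unpredictable challenge for every connection.
sub new_challenge {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $bytes;
    read($fh, $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Client: keyed digest of the challenge. The password is the key and cannot
# be recovered from the output, so only the digest crosses the wire.
sub client_response {
    my ($password, $challenge) = @_;
    return hmac_md5_hex($challenge, $password);    # arguments are (data, key)
}

# Compare two strings without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Server: recompute the expected response for the claimed login name.
sub server_verify {
    my ($login, $challenge, $response) = @_;
    my $password = $password_for{$login};
    return 0 unless defined $password;
    return constant_time_eq(hmac_md5_hex($challenge, $password), $response);
}

my $challenge = new_challenge();
my $good      = client_response('correct horse battery staple', $challenge);
my $bad       = client_response('guess', $challenge);
print "valid login:    ", (server_verify('flame', $challenge, $good) ? "ok" : "rejected"), "\n";
print "wrong password: ", (server_verify('flame', $challenge, $bad)  ? "ok" : "rejected"), "\n";
# A captured response does not verify against a different challenge.
print "replayed reply: ", (server_verify('flame', new_challenge(), $good) ? "ok" : "rejected"), "\n";
```

Each challenge has to be discarded after one verification attempt, otherwise a captured response can be replayed against it. This covers only the login exchange; everything sent afterwards on the connection is still cleartext.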