
Re: big word listing

Monty Harder <[email protected]> wrote:
 Andrew Spring <[email protected]> wrote:
>AS> >  <process-ID.clock@hostname>password
>AS> >
>AS> >and sends it to the server as "APOP username 58349485whatever89583449".
>
>AS> Of course, this requires the user password to be stored unencrypted on the
>AS> server; which you may not want to do.
>
>  Here's a variation, then: Instead of using process-id.clock to
>generate the random stuff for the challenge, have your own (P)RNG make
>up a bunch of them ahead of time, calculate the hashes, and store the
>challenges and hashes on the server.

Instead of that, send H(pid,clock,hostname,H(password)) to the server, for
some hash function H().  Then the server only needs to keep H(password) 
around, rather than the plain password.  This is similar to current
systems, except the plain password isn't sent across the network.

H() can be whatever you fancy; 25 crypts, MD5, SHA-1, etc.  Of course,
I'm sure this is far from being a new idea....

--
David R. Conrad, [email protected], http://web.grfn.org/~conrad/
Finger [email protected] for PGP 2.6 public key; it's also on my home page
Key fingerprint =  33 12 BC 77 48 81 99 A5  D8 9C 43 16 3C 37 0B 50
No, his mind is not for rent to any god or government.
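The variant proposed in the reply above, as an added example that is not part of the original thread: the server enrolls only H(password), issues the APOP-style `<process-ID.clock@hostname>` banner, and checks H(challenge, H(password)) against the client's reply. Function names, the choice of SHA-1 for H() (the post leaves it open) and the sample values are assumptions.

```python
import hashlib
import hmac

HASH = "sha1"  # H() is left open in the post ("MD5, SHA-1, etc."); SHA-1 assumed here


def h(*parts: bytes) -> str:
    """H() over the concatenation of the given parts, hex-encoded."""
    d = hashlib.new(HASH)
    for p in parts:
        d.update(p)
    return d.hexdigest()


def enroll(password: str) -> str:
    """Server side at account creation: store H(password), never the plain password.
    The stored value is still what the client derives its answer from, so it must be
    protected like a credential, not like a public value."""
    return h(password.encode())


def make_challenge(pid: int, clock: int, hostname: str) -> str:
    """Server side: the one-time '<process-ID.clock@hostname>' banner. A server must
    issue a fresh value per connection and accept only the one it just sent."""
    return f"<{pid}.{clock}@{hostname}>"


def client_response(username: str, challenge: str, password: str) -> str:
    """Client side: H(challenge, H(password)); the plain password never leaves the client."""
    digest = h(challenge.encode(), h(password.encode()).encode())
    return f"APOP {username} {digest}"


def server_verify(stored_hpw: str, challenge: str, line: str) -> bool:
    """Server side: recompute the digest from the stored H(password) and the challenge
    it issued, then compare in constant time. Malformed lines are rejected."""
    fields = line.split(" ")
    if len(fields) != 3 or fields[0] != "APOP":
        return False
    expected = h(challenge.encode(), stored_hpw.encode())
    return hmac.compare_digest(expected, fields[2])


if __name__ == "__main__":
    # Constructed sample exchange (pid, clock and hostname are made-up values).
    hpw = enroll("correct horse")
    banner = make_challenge(58349, 1000000, "mail.example.test")
    reply = client_response("alice", banner, "correct horse")
    print("S:", banner)
    print("C:", reply)
    print("S:", "+OK" if server_verify(hpw, banner, reply) else "-ERR")
```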