[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WWW User authentication

To: [email protected]
Subject: Re: WWW User authentication
From: Mike Fletcher <[email protected]>
Date: Tue, 09 Apr 1996 16:33:35 -0400
In-Reply-To: Your message of "Tue, 09 Apr 1996 11:58:34 EDT." <[email protected]>
Sender: [email protected]

> AFAIK, none.  I don't see how this would be helpful anyway.  If you 
> MD5 the password, I won't be able to snoop the password off the wire,
> but I can simply snoop the MD5 hash off the wire instead and since 
> that's what your authentication check must now be against, what does
> this buy you?

	It would require a previous shared secret, but wouldn't the
following protocol work (pardon my ASCII diagram):

	Q - Shared secret; Both server and client know this
	R - Random challenge;  Server sends in clear to client wanting
		to be authenticated.

	Server			Client
1)				Request auth
2)	Send R 
3)				Send back MD5( R, Q )
4)	Compare recieved value
	to computed value	

	Granted this straight off the cuff, and you can't securely
change Q via this protocol (unless you store previous MD5(R,Q)'s and
use that as the next Q (i.e. Q_n+1 = MD5(R,Q_n))).  Once someone gets
MD5 in Java done, you could send an applet that would handle the
protocol client side.

---
Fletch                                                     __`'/|
[email protected]  "Lisa, in this house we obey the       \ o.O'    ______
404 713-0414(w)      Laws of Thermodynamics!" H. Simpson   =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43  U      ------

References:
- Re: WWW User authentication
  - From: Jeff Barber <[email protected]>

Prev by Date: [reputationpunks] Article on Moody's
Next by Date: Re: WWW User authentication
Prev by thread: Re: WWW User authentication
Next by thread: Re: WWW User authentication
Index(es):
- Date
- Thread