
Re: WWW User authentication



On Tue, 9 Apr 1996 11:58:34 -0400 (EDT), you wrote:

>AFAIK, none.  I don't see how this would be helpful anyway.  If you 
>MD5 the password, I won't be able to snoop the password off the wire,
>but I can simply snoop the MD5 hash off the wire instead and since 
>that's what your authentication check must now be against, what does
>this buy you?

  It could be implemented thus:

  Server and client have a shared secret. The server sends the time, or
some random # to the client which MD5's this number and the secret, and
sends the result back to the server which then checks it.

  Similar to the APOP command for POP3 that I've never seen implemented.

    Brian


------- <[email protected]> -------------------- <http://www.aa.net/~blane> -------
  Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!)
==============  11 99 3D DB 63 4D 0B 22  15 DC 5A 12 71 DE EE 36  ============
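
The challenge-response exchange described in the message above, as an added example that is not part of the original post: the server issues a random single-use challenge, the client returns MD5(challenge + secret), and a sniffed response fails against any later challenge. The class and function names, the user name and the secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def digest(challenge: str, secret: str) -> str:
    """Client side: MD5 over the server's challenge followed by the shared secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


class Server:
    """Hypothetical server holding each user's shared secret."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._pending = {}  # user -> outstanding challenge, valid for one attempt

    def issue_challenge(self, user: str) -> str:
        # The "random #" from the message: unpredictable and never reused.
        challenge = secrets.token_hex(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop() consumes the challenge, so the same response cannot be sent twice.
        challenge = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        # Constant-time comparison of the expected and received digests.
        return hmac.compare_digest(digest(challenge, secret), response)


def demo():
    secret = "constructed-shared-secret"  # sample value, constructed
    server = Server({"brian": secret})

    challenge = server.issue_challenge("brian")
    sniffed = digest(challenge, secret)               # what crosses the wire
    legitimate = server.verify("brian", sniffed)      # real client logs in
    replay_used = server.verify("brian", sniffed)     # challenge already consumed

    server.issue_challenge("brian")                   # fresh challenge for next login
    replay_fresh = server.verify("brian", sniffed)    # old digest, new challenge
    return legitimate, replay_used, replay_fresh


if __name__ == "__main__":
    print(demo())
```
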