[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WWW User authentication



> AFAIK, none.  I don't see how this would be helpful anyway.  If you 
> MD5 the password, I won't be able to snoop the password off the wire,
> but I can simply snoop the MD5 hash off the wire instead and since 
> that's what your authentication check must now be against, what does
> this buy you?

	It would require a previous shared secret, but wouldn't the
following protocol work (pardon my ASCII diagram):

	Q - Shared secret; Both server and client know this
	R - Random challenge;  Server sends in clear to client wanting
		to be authenticated.

	Server			Client
1)				Request auth
2)	Send R 
3)				Send back MD5( R, Q )
4)	Compare recieved value
	to computed value	

	Granted this straight off the cuff, and you can't securely
change Q via this protocol (unless you store previous MD5(R,Q)'s and
use that as the next Q (i.e. Q_n+1 = MD5(R,Q_n))).  Once someone gets
MD5 in Java done, you could send an applet that would handle the
protocol client side.

---
Fletch                                                     __`'/|
[email protected]  "Lisa, in this house we obey the       \ o.O'    ______
404 713-0414(w)      Laws of Thermodynamics!" H. Simpson   =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43  U      ------