[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WWW User authentication

To: [email protected]
Subject: Re: WWW User authentication
From: [email protected] (Brian C. Lane)
Date: Thu, 11 Apr 1996 14:46:23 GMT
In-Reply-To: <[email protected]>
Organization: Nexus Computing
References: <[email protected]>
Sender: [email protected]

On Tue, 9 Apr 1996 11:58:34 -0400 (EDT), you wrote:

>AFAIK, none.  I don't see how this would be helpful anyway.  If you 
>MD5 the password, I won't be able to snoop the password off the wire,
>but I can simply snoop the MD5 hash off the wire instead and since 
>that's what your authentication check must now be against, what does
>this buy you?

  It could be implemented thus:

  Server and client have a shared secret. The server sends the time, or
some random # to the client which MD5's this number and the secret, and
sends the result back to the server which then checks is.

  Similar to the APOP command for POP3 that I've never seen implemented.

    Brian


------- <[email protected]> -------------------- <http://www.aa.net/~blane> -------
  Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!)
==============  11 99 3D DB 63 4D 0B 22  15 DC 5A 12 71 DE EE 36  ============

References:
- Re: WWW User authentication
  - From: Jeff Barber <[email protected]>

Prev by Date: RE: questions about bits and bytes
Next by Date: Re: questions about bits and bytes
Prev by thread: Re: WWW User authentication
Next by thread: Re: WWW User authentication
Index(es):
- Date
- Thread