> There is a thread in the old DotNet archive that talks about
> how to protect against replay attacks without using SSL. I
> believe it has to do with the client requesting a token from
> the server, then hashing the token with the password and
> passing that to the server on a second trip.
I'd be careful of this route: if you do it naively, it's going to be fairly simple to run a dictionary attack against weak passwords. I haven't looked at CHAP, though.
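The scheme the quoted post describes, and the dictionary attack the reply warns about, as an added example (this is illustration code, not code from the thread or from the DotNet archive). The server issues a random one-shot token, the client answers with SHA-256(token || password), and the server recomputes and compares. The one-shot token does stop a straight replay, but anyone who captures a single (token, response) pair can test password guesses offline at hash speed. The class and function names, the sample user, and the wordlist are all constructed for this example; note also that the server must keep the plaintext password (or something equivalent) to recompute the response, which is a further cost of the naive design.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed example of the naive challenge/response scheme described in the
# thread: the server sends a random token, the client returns H(token || password).


def make_token() -> bytes:
    """Fresh random token (nonce) per login attempt."""
    return os.urandom(16)


def response(token: bytes, password: str) -> bytes:
    """The client-side computation: SHA-256 over token || password."""
    return hashlib.sha256(token + password.encode("utf-8")).digest()


class Server:
    """Minimal server side of the scheme (assumed structure, not from the thread)."""

    def __init__(self, users: Dict[str, str]):
        # The naive scheme forces the server to keep the plaintext password
        # (or equivalent) so it can recompute the expected response.
        self._users = users
        self._outstanding: Dict[str, bytes] = {}

    def challenge(self, username: str) -> bytes:
        token = make_token()
        self._outstanding[username] = token
        return token

    def verify(self, username: str, resp: bytes) -> bool:
        # Token is consumed on first use, so a replayed response is rejected.
        token = self._outstanding.pop(username, None)
        if token is None or username not in self._users:
            return False
        expected = response(token, self._users[username])
        return hmac.compare_digest(expected, resp)


def dictionary_attack(token: bytes, resp: bytes, wordlist: List[str]) -> Optional[str]:
    """Offline attack by an eavesdropper holding one captured (token, response) pair.

    No further interaction with the server is needed: each guess costs one hash.
    """
    for guess in wordlist:
        if hmac.compare_digest(response(token, guess), resp):
            return guess
    return None


def demo():
    """Runs one login, one replay, and one offline dictionary attack.

    Returns (first_login_accepted, replay_accepted, recovered_password).
    """
    server = Server({"alice": "sunshine"})          # constructed weak password
    token = server.challenge("alice")
    resp = response(token, "sunshine")               # what the wire carries
    accepted = server.verify("alice", resp)          # genuine login succeeds
    replayed = server.verify("alice", resp)          # same response again is refused
    wordlist = ["password", "letmein", "sunshine", "qwerty"]   # constructed list
    recovered = dictionary_attack(token, resp, wordlist)
    return accepted, replayed, recovered


if __name__ == "__main__":
    print(demo())
```

The replay check holds because the token is single-use, but the captured pair leaks everything needed for an offline guess: a weak password falls to a short wordlist, and only a high-entropy password survives. The attacker does not even need to sniff the wire; anyone who can impersonate the server chooses the token and gets the same pair.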
