Also see HTTP digest authentication in RFC 2617 [1], which discusses the appropriate security issues and includes a C sample implementation. Unfortunately, you will suffer from dictionary attacks unless you use asymmetric keys or shared secrets, but maintaining those is an overhead you might not wish to have.
Adrian.

[1] http://www.ietf.org/rfc/rfc2617.txt

On 06 January 2003 17:21, Craig Andera wrote:
> > There is a thread in the old DotNet archive that talks about
> > how to protect against replay attacks without using SSL. I
> > believe it has to do with the client requesting a token from
> > the server, then hashing the token with the password and
> > passing that to the server on a second trip.
>
> I'd be careful of this route: if you do it naively, it's going to be
> fairly simple to run a dictionary attack against weak passwords.
>
> I haven't looked at CHAP, though.
>
> You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or
> subscribe to other DevelopMentor lists at http://discuss.develop.com.
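The two points in this exchange, that a server-issued nonce hashed with the password stops replay but that the captured hash can still be attacked offline with a wordlist, can be shown with RFC 2617 Digest itself. The following is an added example, not code from the thread or the RFC's C sample. It computes the qop=auth response exactly as RFC 2617 defines it (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)), checks that against the RFC's own published test vector, runs a minimal server that consumes each nonce once (so a replayed request fails), and then recovers a weak password from the sniffed request with nothing but the wordlist. The realm, user, password and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth (section 3.2.2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_example_matches() -> bool:
    """Check against the worked example in RFC 2617 section 3.5."""
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    return resp == "6629fae49393a05397450978507c4ef1"


@dataclass
class DigestRequest:
    """The fields an eavesdropper sees in the Authorization header."""
    username: str
    realm: str
    method: str
    uri: str
    nonce: str
    nc: str
    cnonce: str
    response: str


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users            # username -> password; constructed sample data
        self.live_nonces = set()      # a real server would also expire these by time

    def issue_nonce(self) -> str:
        nonce = os.urandom(16).hex()
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, req: DigestRequest) -> bool:
        # A nonce is good for exactly one attempt; an unknown or already
        # consumed nonce means a replay (or a forged challenge) and is refused.
        if req.nonce not in self.live_nonces:
            return False
        self.live_nonces.discard(req.nonce)
        password = self.users.get(req.username)
        if password is None:
            return False
        expected = digest_response(req.username, self.realm, password, req.method,
                                   req.uri, req.nonce, req.nc, req.cnonce)
        return hmac.compare_digest(expected, req.response)


def dictionary_attack(req: DigestRequest, wordlist):
    """Offline attack: every field except the password is in the captured
    request, so each guess costs three MD5 calls and no server contact."""
    for guess in wordlist:
        if digest_response(req.username, req.realm, guess, req.method,
                           req.uri, req.nonce, req.nc, req.cnonce) == req.response:
            return guess
    return None


def demo():
    server = DigestServer("example.com", {"alice": "letmein"})   # constructed
    nonce = server.issue_nonce()
    cnonce = "0a4f113b"
    resp = digest_response("alice", "example.com", "letmein", "GET", "/api/orders",
                           nonce, "00000001", cnonce)
    req = DigestRequest("alice", "example.com", "GET", "/api/orders",
                        nonce, "00000001", cnonce, resp)
    first = server.verify(req)     # genuine request: accepted
    replay = server.verify(req)    # same bytes again: nonce already consumed
    cracked = dictionary_attack(req, ["password", "123456", "letmein", "qwerty"])
    return first, replay, cracked


if __name__ == "__main__":
    print("RFC vector ok:", rfc2617_example_matches())
    print("first/replay/cracked:", demo())
```

The nonce only buys replay protection; nothing in the scheme stops the offline guessing, which is the point both posters make. The password has to be high entropy (a shared secret rather than a human-chosen one) or replaced by a key, as the reply above notes, or the exchange has to be wrapped in a channel the attacker cannot read.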
