On Wednesday, February 19, 2003, at 07:17 PM, Kurt Bigler wrote:
> The requirement here is that hashes can't be symmetric, otherwise they wouldn't be hashes.
> HASHA(HASHB(x)) equals HASHB(HASHA(x)) and perhaps this is not achievable
> for existing HASHA functions in common use by client software. I don't know
> anything about CHAP or other methods - these are just thoughts.
Why not just take the S/Key approach?
hash( hash( hash... <N times>... hash(x) ) ) is stored on the server. The client supplies the (N-1) hash value; the server authenticates by running hash(client-supplied-value) on it; if it matches, the client had to have known the source value of x. At the next authentication point, the client supplies the (N-2)nd hash value, and the server runs hash twice to check the value. (Server has to store what value of N should be requested to prevent a replay attack.) Only the client ever knows the value of x; so having total read access on the server gains nothing.
Granted, this requires users to reset their password every N authentications, but some (not all) would view that as a plus.
cheers,
Jeff
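The hash-chain scheme Jeff describes, written out as an added example (this is not code from the post or from Courier; SHA-256 stands in for the unspecified hash, and the class and function names are my own). The server holds only the top of the chain plus the index it expects next, so a full read of its database yields neither x nor the next one-time value; replaying a previously accepted value, or presenting values out of order, is rejected because the expected index only moves downward.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """The one-way hash used for every link of the chain (SHA-256 here, an assumption)."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """Return hash^n(seed): the seed hashed n times. hash^0(seed) is the seed itself."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value


class Client:
    """Holds the secret x; the server never sees x, only values derived from it."""

    def __init__(self, secret: bytes, n: int):
        self.secret = secret
        self.n = n

    def enrol(self) -> bytes:
        # Registered with the server once: hash^N(x).
        return hash_chain(self.secret, self.n)

    def respond(self, index: int) -> bytes:
        # Answer a challenge for index k with hash^k(x).
        return hash_chain(self.secret, index)


class Server:
    """Stores hash^N(x), N, and the index it will ask for next (N-1, then N-2, ...)."""

    def __init__(self, top: bytes, n: int):
        self.top = top
        self.n = n
        self.next_index = n - 1

    def challenge(self) -> int:
        return self.next_index

    def exhausted(self) -> bool:
        # Index 0 would be x itself, so the chain is spent once index 1 has been used.
        return self.next_index < 1

    def verify(self, index: int, value: bytes) -> bool:
        # Refuse replays and out-of-order values: only the current index is acceptable.
        if self.exhausted() or index != self.next_index:
            return False
        # Hash the supplied value (N - index) more times; it must reach the stored top.
        candidate = hash_chain(value, self.n - index)
        if not hmac.compare_digest(candidate, self.top):
            return False
        self.next_index -= 1
        return True


def run_demo(secret: bytes = b"correct horse battery staple", n: int = 5) -> dict:
    """Walk one client and server through a chain of length n and report what happened."""
    client = Client(secret, n)
    server = Server(client.enrol(), n)
    results = {}
    k = server.challenge()
    token = client.respond(k)
    results["first_login"] = server.verify(k, token)          # True
    results["replay_rejected"] = not server.verify(k, token)  # True: same index again
    results["second_login"] = server.verify(server.challenge(), client.respond(server.challenge()))
    results["logins_until_exhausted"] = 0
    while not server.exhausted():
        k = server.challenge()
        if server.verify(k, client.respond(k)):
            results["logins_until_exhausted"] += 1
    results["secret_never_accepted"] = not server.verify(0, client.respond(0))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the server above re-hashes each value (N - k) times, later logins cost more; RFC 1760's S/Key avoids this by overwriting the stored value with the value just accepted, so every check is a single hash against the previous accepted value. Either way the chain is finite, which is the "reset every N authentications" property Jeff mentions.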
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
