You are rapidly converging on the real thing. Secure access is not
necessary for a client, and should never be made a required part of the
spec; using the FNP sessions does not complicate things for normal
client developers.
On Tue, Jun 26, 2001 at 07:22:06PM -0700, Ian Clarke wrote:
> On Tue, Jun 26, 2001 at 10:22:05PM -0400, Benjamin Coates wrote:
> > As long as we have a secure way of negotiating the FCP port and don't rely on
> > an assumed default port. (it'd be too easy for another local user to listen
> > on the default port and spoof a FCP password request)
>
> Hmmm, good point. This suggests that a slightly more robust
> challenge-response approach would be preferable, at the risk of
> increasing the difficulty of client authorship. With the addition of a
> secure hashing algorithm to the client (SHA1 anyone?) this can be
> achieved. The protocol is:
>
> 1) Client connects to FCP port on node
> 2) node sends random string to client
> 3) client appends random string to plaintext password and hashes result
> 4) node does same
> 5) client sends hash to node which compares its hash to the one created
> by the client, and if they are the same the client is authenticated
>
> Perhaps there is an easier hashing algorithm (from an implementation
> standpoint) that we could use in place of SHA1 which would also be
> secure.
>
> Ian.
--
'DeCSS would be fine. Where is it?'
'Here,' Montag touched his head.
'Ah,' Granger smiled and nodded.
Oskar Sandberg
[EMAIL PROTECTED]
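
The five-step exchange listed in Ian Clarke's quoted message, sketched in Python as an added example (not code from the thread or from Freenet). The `Node` class, the function names and the sample passwords are hypothetical; the one-use challenge and the constant-time comparison are additions beyond the steps as listed.

```python
import hashlib
import hmac
import secrets


def response_for(password: str, challenge: bytes) -> bytes:
    """Steps 3 and 4: append the random string to the password, then SHA-1."""
    return hashlib.sha1(password.encode("utf-8") + challenge).digest()


class Node:
    """Node side of the exchange (hypothetical class, not Freenet code)."""

    def __init__(self, password: str):
        self._password = password
        self._pending = {}  # connection id -> outstanding challenge

    def send_challenge(self, conn_id: int) -> bytes:
        # Step 2: a fresh random string per connection, from a CSPRNG.
        challenge = secrets.token_bytes(20)
        self._pending[conn_id] = challenge
        return challenge

    def verify(self, conn_id: int, client_hash: bytes) -> bool:
        # Steps 4-5: compute the same hash and compare. pop() consumes the
        # challenge so it can never be answered a second time.
        challenge = self._pending.pop(conn_id, None)
        if challenge is None:
            return False
        expected = response_for(self._password, challenge)
        return hmac.compare_digest(expected, client_hash)


def run_exchange(node: Node, conn_id: int, client_password: str) -> bool:
    """Steps 1-5 for one connection; the password never crosses the wire."""
    challenge = node.send_challenge(conn_id)           # node -> client
    answer = response_for(client_password, challenge)  # client -> node
    return node.verify(conn_id, answer)


def replay_is_rejected(node: Node, password: str) -> bool:
    """A response recorded on one connection must fail on the next one."""
    recorded = response_for(password, node.send_challenge(1))
    if not node.verify(1, recorded):
        return False
    node.send_challenge(2)  # new connection, new random string
    return not node.verify(2, recorded)
```

Whoever is listening on the port sees only a hash bound to one random string, never the plaintext password. A weak password can still be guessed offline from a single observed challenge and hash, so the password should be long and random; HMAC keyed with the secret is the current standard construction for this kind of response.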