Re: Send password over TCP connection

2005-10-17 Thread dcrespo
I think you said the same as me: Client: Password = "password" h = Hash(Password) h is "GddTHww90lze7vnmxG" (whatever) Sends h over the network to the server. h is a string, so this approach is simply vulnerable. SRP seems to be very good, but because I don't know it well, I think I'll delay it

Re: Send password over TCP connection

2005-10-13 Thread Paul Rubin
"dcrespo" <[EMAIL PROTECTED]> writes: > Important data like diplomatic traffic. Must be accessible from all > Clients immediately a client publish his data. It's an online system. OK, if it's actual diplomatic traffic you need to work with your government about criteria. If you're in the US, you'd

Re: Send password over TCP connection

2005-10-13 Thread dcrespo
> Well, I mean, what kind of data is it? Sports chat? Personal > correspondence? Financial info like credit card numbers? Medical records? > Military/diplomatic traffic? I'm asking how severe the security requirements > are. Important data like diplomatic traffic. Must be accessible from

Re: Send password over TCP connection

2005-10-13 Thread Paul Rubin
"dcrespo" <[EMAIL PROTECTED]> writes: > > Can you say what your application is? That will help figure out > > how far you need to go to protect these passwords, and what > > alternatives might be possible. > > Sure, no problem (see this on fixed text): Well, I mean, what kind of data is it? Spo

Re: Send password over TCP connection

2005-10-13 Thread dcrespo
> Can you say what your application is? That will help figure out how far you > need to go to protect these passwords, and what alternatives might be > possible. Sure, no problem (see this on fixed text): ___ MasterServer ___ /// || | \\

Re: Send password over TCP connection

2005-10-13 Thread Paul Rubin
"dcrespo" <[EMAIL PROTECTED]> writes: > Ok, I understand... What about the MD5? Is it good enough to use when > saving a hashed password on the database? > > For example: > user_input = raw_input("Type your password: ") > password = md5.md5(user_input).hexdigest() > SavePasswordInDatabase(user,pas

Re: Send password over TCP connection

2005-10-13 Thread Michael Ströder
dcrespo wrote: > > Ok, I understand it. What about the MD5? Is it good enough to use when > saving a hashed password on the database? > > For example: > user_input = raw_input("Type your password: ") > password = md5.md5(user_input).hexdigest() > SavePasswordInDatabase(user,password) It would be

Re: Send password over TCP connection

2005-10-13 Thread dcrespo
> Do you know how any other system manages to do this? Linux, for example > (assuming a properly configured system)? The passwords aren't stored: hashes > of the passwords are stored (with additional things thrown in to prevent > certain kinds of attacks even if someone nabs the password (/etc/s

Re: Send password over TCP connection

2005-10-13 Thread dcrespo
Ok, I understand... What about the MD5? Is it good enough to use when saving a hashed password on the database? For example: user_input = raw_input("Type your password: ") password = md5.md5(user_input).hexdigest() SavePasswordInDatabase(user,password) -- http://mail.python.org/mailman/listinfo/

Re: Send password over TCP connection

2005-10-12 Thread Peter Hansen
dcrespo wrote: > then, what you propose? I'll assume that question was for me, in response to my comment that one should never store passwords in the clear. Do you know how any other system manages to do this? Linux, for example (assuming a properly configured system)? The passwords aren't s

Re: Send password over TCP connection

2005-10-11 Thread Laszlo Zsolt Nagy
>If you're saying that people have no choice but to trust that their >passwords, stored in the clear on the server of some idiot who didn't >know better, are safe from casual administrator observation and safe >from hackers stealing the password file, then you shouldn't be allowed >anywhere ne

Re: Send password over TCP connection

2005-10-11 Thread dcrespo
then, what you propose?

Re: Send password over TCP connection

2005-10-11 Thread Peter Hansen
Laszlo Zsolt Nagy wrote: > Peter Hansen wrote: >> Ignoring all the other issues, any solution which actually requires >> the password to be stored on the server is a bad solution. >> Administrators should not have access to user passwords, and in >> addition users should not be put in the posi

Re: Send password over TCP connection

2005-10-11 Thread Laszlo Zsolt Nagy
Paul Rubin wrote: >Laszlo Zsolt Nagy <[EMAIL PROTECTED]> writes: > > >>This is a bit offtopic here. I read the RFC and I do not see why SRP >>is not vulnerable to dictionary attacks. >>If I have a working client software then I can use it to reveal >>passwords. Isn't it a dictionary attack? >>

Re: Send password over TCP connection

2005-10-11 Thread Paul Rubin
Laszlo Zsolt Nagy <[EMAIL PROTECTED]> writes: > This is a bit offtopic here. I read the RFC and I do not see why SRP > is not vulnerable to dictionary attacks. > If I have a working client software then I can use it to reveal > passwords. Isn't it a dictionary attack? Dictionary attack in this con

Re: Send password over TCP connection

2005-10-11 Thread Laszlo Zsolt Nagy
>If you really want to do it right, use SRP, . > > This is a bit offtopic here. I read the RFC and I do not see why SRP is not vulnerable to dictionary attacks. If I have a working client software then I can use it to reveal passwords. Isn't it a dictionary attack? Can

Re: Send password over TCP connection

2005-10-11 Thread Laszlo Zsolt Nagy
>Ignoring all the other issues, any solution which actually requires the >password to be stored on the server is a bad solution. Administrators >should not have access to user passwords, and in addition users should >not be put in the position of having to trust your server-side security >to

Re: Send password over TCP connection

2005-10-11 Thread Laszlo Zsolt Nagy
dcrespo wrote: >¡Beautiful and elegant solution! > >Two copies of the password: one on the client, the other on the server. > >1. Client wants to connect >2. Server generates a random_alphanumeric_string and sends it to the >client >3. Both Client and Server creates a hash string from > >4. Client

Re: Send password over TCP connection

2005-10-10 Thread Peter Hansen
dcrespo wrote: > Two copies of the password: one on the client, the other on the server. [snip] > I think it is a very good solution, Isn't it? Ignoring all the other issues, any solution which actually requires the password to be stored on the server is a bad solution. Administrators should no

Re: Send password over TCP connection

2005-10-10 Thread Dan Stromberg
On Tue, 11 Oct 2005 01:21:55 +0200, Michael Ströder wrote: > Dan Stromberg wrote: >> [quoted text muted] > > http://www.faqs.org/rfcs/rfc2945.html > > Ciao, Michael. OK, thanks for the reference. I guess I neglected to stress that we're talking about using random strings of characters, not dic

Re: Send password over TCP connection

2005-10-10 Thread Paul Rubin
Dan Stromberg <[EMAIL PROTECTED]> writes: > > No. It's vulnerable to dictionary search. Use SRP if you can. > Where can I learn more about this? http://srp.stanford.edu as already mentioned. Also, RFC 2945 describes an older version (still ok).

Re: Send password over TCP connection

2005-10-10 Thread Michael Ströder
Dan Stromberg wrote: > On Mon, 10 Oct 2005 15:13:14 -0700, Paul Rubin wrote: >> >>Use SRP if you can. > > Where can I learn more about this? http://www.faqs.org/rfcs/rfc2945.html Ciao, Michael.

Re: Send password over TCP connection

2005-10-10 Thread Dan Stromberg
On Mon, 10 Oct 2005 15:13:14 -0700, Paul Rubin wrote: > "dcrespo" <[EMAIL PROTECTED]> writes: >> [quoted text muted] > > No. It's vulnerable to dictionary search. Use SRP if you can. Where can I learn more about this? Thanks!

Re: Send password over TCP connection

2005-10-10 Thread dcrespo
> Sounds like it, but how is it different from what I just described? :) That's right, but I wanted to rewrite it... I was for confirm my recent acquired knowledge :) With "alphanumeric" I meant the md5 hash (for example).

Re: Send password over TCP connection

2005-10-10 Thread Paul Rubin
"dcrespo" <[EMAIL PROTECTED]> writes: > 3. Both Client and Server creates a hash string from > > 4. Client sends the hash string to the server > 5. Server compares his hash result with the hash string received from > the client. > > I think it is a very good solution, Isn't it? No. It's vulnerabl

Re: Send password over TCP connection

2005-10-10 Thread Paul Rubin
"dcrespo" <[EMAIL PROTECTED]> writes: > Hi. I found TSL, a Python Library that supports SRP. > Do you know where can I find a sample client and server code? Thanks > for your help. I don't know about TSL, but TLSLite (www.trevp.net/tlslite) supports SRP.

Re: Send password over TCP connection

2005-10-10 Thread Dan Stromberg
On Mon, 10 Oct 2005 14:29:20 -0700, dcrespo wrote: > ¡Beautiful and elegant solution! > > Two copies of the password: one on the client, the other on the server. > > 1. Client wants to connect > 2. Server generates a random_alphanumeric_string and sends it to the > client > 3. Both Client and Se

Re: Send password over TCP connection

2005-10-10 Thread Tim Williams (gmail)
On 10 Oct 2005 13:31:51 -0700, dcrespo <[EMAIL PROTECTED]> wrote: > Hi. I found TSL, a Python Library that supports SRP. > Do you know where can I find a sample client and server code? Thanks > for your help. http://trevp.net/tlslite/ It comes with examples. I use it in several servers and clie

Re: Send password over TCP connection

2005-10-10 Thread dcrespo
¡Beautiful and elegant solution! Two copies of the password: one on the client, the other on the server. 1. Client wants to connect 2. Server generates a random_alphanumeric_string and sends it to the client 3. Both Client and Server creates a hash string from 4. Client sends the hash string to

Re: Send password over TCP connection

2005-10-10 Thread Dan Stromberg
On Mon, 10 Oct 2005 08:06:27 -0700, dcrespo wrote: > Hi all, > > I have a program that serves client programs. The server has a login > password, which has to be used by each client for logging in. So, when > the client connects, it sends a string with a password, which is then > validated on the

Re: Send password over TCP connection

2005-10-10 Thread dcrespo
Hi. I found TSL, a Python Library that supports SRP. Do you know where can I find a sample client and server code? Thanks for your help.

Re: Send password over TCP connection

2005-10-10 Thread Laszlo Zsolt Nagy
How about an OTP (One Time Password) algorithm? It is described in RFC2289. http://www.faqs.org/rfcs/rfc2289.html I have a working implementation in Messlib. You can download it and look at the "MessageSocket.SecureMessageSocket" class. That is a modified version where a good random generator is

Re: Send password over TCP connection

2005-10-10 Thread Josef Meile
> Anyone know of a simple ssl api in python :-) Perhaps pow may help: http://sourceforge.net/projects/pow or pyopenssl: http://pyopenssl.sourceforge.net/ Regards, Josef

Re: Send password over TCP connection

2005-10-10 Thread Steve Holden
Peter Tillotson wrote: > simplest approach is to 1 way hash the password ... perhaps using md5 > No, it isn't - see below. > normally with passwords the server only has to check if it is the same > word, assuming the same hash algorithms the same hash value can be > created at client. > Unfort

Re: Send password over TCP connection

2005-10-10 Thread Peter Tillotson
simplest approach is to 1 way hash the password ... perhaps using md5 normally with passwords the server only has to check if it is the same word, assuming the same hash algorithms the same hash value can be created at client. It's not hugely secure ... anyone sniffing can grab your hash value a

Re: Send password over TCP connection

2005-10-10 Thread Paul Rubin
"dcrespo" <[EMAIL PROTECTED]> writes: > I have a program that serves client programs. The server has a login > password, which has to be used by each client for logging in. So, when > the client connects, it sends a string with a password, which is then > validated on the server side. The problem i

Send password over TCP connection

2005-10-10 Thread dcrespo
Hi all, I have a program that serves client programs. The server has a login password, which has to be used by each client for logging in. So, when the client connects, it sends a string with a password, which is then validated on the server side. The problem is obvious: anyone can get the passwor