Mary,

The problem is that you're being ambiguous as to which password you mean.
The VNC Authentication password is not passed from viewer to server, instead
a challenge-response scheme is used.  All other data, including passwords
you type into the remote machine, are passed in the clear.
(NB: Enterprise Edition supports an encrypted version of VNC Authentication,
to which the above comments do not apply)

Challenge-response means that the server issues a challenge to the viewer,
which the viewer then modifies in a pre-agreed way using the supplied
password, to get the response, which the server can then verify. 

Cheers,

Wez @ RealVNC Ltd.
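The exchange Wez describes above, modelled as an added example (not RealVNC's code): the server sends a random challenge, the viewer transforms it with the shared password, and the server checks the result. The real VNC Authentication transform is DES keyed with the password; HMAC-SHA256 stands in for that "pre-agreed way" here so the block runs with only the standard library, and the `Server`/`Viewer` classes and wire log are constructed for illustration.

```python
import hashlib
import hmac
import os


def compute_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the pre-agreed transform (the real protocol uses DES)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Knows the password; issues challenges and verifies responses to them."""

    def __init__(self, password: str) -> None:
        self._password = password
        self._pending = None  # challenge currently awaiting a response

    def issue_challenge(self) -> bytes:
        self._pending = os.urandom(16)  # fresh and unpredictable per attempt
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = compute_response(self._password, self._pending)
        self._pending = None  # each challenge accepts exactly one response
        return hmac.compare_digest(expected, response)


class Viewer:
    """Knows the password the user typed; never sends it, only the response."""

    def __init__(self, password: str) -> None:
        self._password = password

    def answer(self, challenge: bytes) -> bytes:
        return compute_response(self._password, challenge)


def run_handshake(server: Server, viewer: Viewer):
    """One authentication; returns (accepted, list of (direction, bytes) seen on the wire)."""
    wire = []
    challenge = server.issue_challenge()
    wire.append(("server->viewer", challenge))
    response = viewer.answer(challenge)
    wire.append(("viewer->server", response))
    return server.verify(response), wire


def password_on_wire(password: str, wire) -> bool:
    """True if the raw password appears in anything that crossed the wire."""
    return any(password.encode() in data for _, data in wire)


def replay_rejected(server: Server, wire) -> bool:
    """A response captured earlier does not satisfy a newly issued challenge."""
    server.issue_challenge()
    return not server.verify(wire[-1][1])
```

Only the challenge and the response cross the wire; everything after authentication (including any passwords typed into the remote desktop) is, as Wez notes, sent in the clear.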


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of BPS
> Sent: 26 November 2004 05:23
> To: [EMAIL PROTECTED]
> Subject: RE: How to change encryption key?
> 
> --- James Weatherall <[EMAIL PROTECTED]> wrote:
> > since the VNC
> > Authentication scheme is challenge-response, and so never actually 
> > sends the password, encrypted or otherwise.
> 
> Can someone please help me understand this in layman's terms? 
>  My understanding is that the password doesn't go over the 
> internet, but once you're in a VNC session, someone could 
> snoop on that session.  
> 
> While I have this basic understanding, I'm mystified as to 
> how the password doesn't go over the Internet?
> How does it get transmitted to the server if not over the 
> internet?  Or have I misunderstood, and it goes over the 
> internet, but is encrypted?
> 
> I drilled down on the definition of
> "challenge-response", and got the following:
> 
> "A common authentication technique whereby an individual is 
> prompted (the challenge) to provide some private information 
> (the response). Most security systems that rely on smart 
> cards are based on challenge-response. A user is given a code (the
> challenge) which he or she enters into the smart card.
> The smart card then displays a new code (the response) that 
> the user can present to log in."
> 
> But I gotta say, it didn't really enlighten me ;-)  
> 
> I've only logged in to a VNC session once, and I was prompted 
> to give a password, but I typed in the password and seemed to 
> be connected without being "challenged....".
> 
> The realvnc.com website says "This password is encrypted to 
> deter snooping, but the following graphical data, the VNC 
> protocol, is not."  That makes more sense to me - that 
> somehow it's encrypted, but if it's encrypted via a 
> "challenge-response" system, I'd like to understand more 
> about what "challenge-response" really means, please.  
> 
> I guess I can just fumble on knowing that the password 
> doesn't go over the internet, or that it goes over the 
> internet but is encrypted(??), without understanding how that 
> happens, but I'd kinda like to understand how this happens, 
> if any one has the patience to explain it to me....  I'd also 
> like to be able to give a basic explanation to people that 
> are leery of me using VNC on their computers - be able to 
> give them some reassurance as to security.  (I'm working on 
> figuring out SSH for more security, but that's a whole other 
> topic ;-))
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list