Hi! Thanks for your response! The password I'm referring to is the password that was set up for accessing a remote computer through VNC, that is typed in the "VNC Viewer: authentication [no encryption]" screen.
Mary

--- James Weatherall <[EMAIL PROTECTED]> wrote:
> Mary,
>
> The problem is that you're being ambiguous as to which password you mean.
> The VNC Authentication password is not passed from viewer to server, instead
> a challenge-response scheme is used. All other data, including passwords
> you type into the remote machine, are passed in the clear.
> (NB: Enterprise Edition supports an encrypted version of VNC Authentication,
> to which the above comments do not apply)
>
> Challenge-response means that the server issues a challenge to the viewer,
> which the viewer then modifies in a pre-agreed way using the supplied
> password, to get the response, which the server can then verify.
>
> Cheers,
>
> Wez @ RealVNC Ltd.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of BPS
> > Sent: 26 November 2004 05:23
> > To: [EMAIL PROTECTED]
> > Subject: RE: How to change encryption key?
> >
> > --- James Weatherall <[EMAIL PROTECTED]> wrote:
> > > since the VNC
> > > Authentication scheme is challenge-response, and so never actually
> > > sends the password, encrypted or otherwise.
> >
> > Can someone please help me understand this in layman's terms?
> > My understanding is that the password doesn't go over the
> > internet, but once you're in a VNC session, someone could
> > snoop on that session.
> >
> > While I have this basic understanding, I'm mystified as to
> > how the password doesn't go over the Internet?
> > How does it get transmitted to the server if not over the
> > internet? Or have I misunderstood, and it goes over the
> > internet, but is encrypted?
> >
> > I drilled down on the definition of
> > "challenge-response", and got the following:
> >
> > "A common authentication technique whereby an individual is
> > prompted (the challenge) to provide some private information
> > (the response). Most security systems that rely on smart
> > cards are based on challenge-response. A user is given a code (the
> > challenge) which he or she enters into the smart card.
> > The smart card then displays a new code (the response) that
> > the user can present to log in."
> >
> > But I gotta say, it didn't really enlighten me ;-)
> >
> > I've only logged in to a VNC session once, and I was prompted
> > to give a password, but I typed in the password and seemed to
> > be connected without being "challenged....".
> >
> > The realvnc.com website says "This password is encrypted to
> > deter snooping, but the following graphical data, the VNC
> > protocol, is not." That makes more sense to me - that
> > somehow it's encrypted, but if it's encrypted via a
> > "challenge-response" system, I'd like to understand more
> > about what "challenge-response" really means, please.
> >
> > I guess I can just fumble on knowing that the password
> > doesn't go over the internet, or that it goes over the
> > internet but is encrypted(??), without understanding how that
> > happens, but I'd kinda like to understand how this happens,
> > if any one has the patience to explain it to me.... I'd also
> > like to be able to give a basic explanation to people that
> > are leery of me using VNC on their computers - be able to
> > give them some reassurance as to security. (I'm working on
> > figuring out SSH for more security, but that's a whole other
> > topic ;-))

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
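
The challenge-response exchange described in the quoted reply above, as an added example that is not part of the original thread and is not RealVNC's code. Classic VNC Authentication encrypts the challenge with DES keyed by the password; this sketch substitutes HMAC-SHA256 from the Python standard library as the "pre-agreed way", and the Server class, login helper and sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16  # bytes of randomness per login attempt


def compute_response(password, challenge):
    """The "pre-agreed way": mix the password into the challenge.
    Assumption: HMAC-SHA256 stands in for the DES step VNC itself uses."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Knows the configured password; hands out single-use challenges."""

    def __init__(self, password):
        self._password = password
        self._pending = None

    def issue_challenge(self):
        self._pending = secrets.token_bytes(CHALLENGE_LEN)
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # never reuse one
        expected = compute_response(self._password, challenge)
        return hmac.compare_digest(expected, response)


def login(server, typed_password):
    """Run one exchange; return (accepted, messages that crossed the network)."""
    challenge = server.issue_challenge()                      # server -> viewer
    response = compute_response(typed_password, challenge)    # viewer -> server
    return server.verify(response), [challenge, response]


if __name__ == "__main__":
    srv = Server("constructed-pass")  # constructed sample password
    ok, wire = login(srv, "constructed-pass")
    print("accepted:", ok)
    print("password on the wire:", any(b"constructed-pass" in m for m in wire))
    srv.issue_challenge()  # a later login attempt gets a fresh challenge
    print("captured response replayed:", srv.verify(wire[1]))
    print("wrong password:", login(srv, "guess")[0])
```

Only the random challenge and the computed response cross the network, and a response recorded from one login does not verify against the next challenge. As the quoted reply says, everything sent after authentication is still in the clear unless the session is tunnelled or an encrypted edition is used.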
