>2. Challenge-Response
>
>I do not know yet how to implement this. Advice appreciated.

The short version of how you do this is that you use some sort of hashing 
scheme like MD5 or SHA1. During the installation process, you generate a 
random password (or ask the user to enter one) and you store the password on 
both the server and the client.

The authentication can go many ways, but the idea is for the server and 
client to each assure themselves that the other has the password.

Here's one possible way to do it:

1) The server generates a random challenge and sends it and the current time 
to the client. (Let's call the server's challenge Cs and the server's time 
Ts.)

2) The client generates a random challenge as well and sends it and the 
current time (as it sees it) to the server. (Let's call the client's 
challenge Cc and the client's time Tc.)

3) The server computes a response by appending Cs, Ts, the password, Tc, and 
Cc, and sends the MD5 or SHA1 hash of this response to the client.

4) The client computes a response by appending Cc, Tc, the password, Ts, and 
Cs, and sends the MD5 or SHA1 hash of this response to the server.

5) Each side verifies that the other side created the correct hash, thus 
proving that it knows the password.

This is oversimplified, I'm afraid, and is not totally secure as stated. But 
it should give you the idea.

        DS
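
The five-step exchange above, run end to end in memory, as an added example that is not part of the original post or of OpenSSL. It follows the field order from steps 3 and 4 exactly, but substitutes a few things the post leaves open: SHA-256 in place of MD5/SHA1, fixed-width fields (16-byte challenge, 8-byte big-endian time, length-prefixed password) instead of plain string concatenation so that two different inputs cannot produce the same byte string, a constant-time comparison in step 5, and a 30-second clock-skew limit so that a stale timestamp is rejected before any hashing. The names `run_handshake`, `server_response`, `client_response` and the `MAX_SKEW` value are all assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example, not code from the original post. Assumptions: SHA-256 in
# place of the MD5/SHA1 the post mentions, fixed-width fields instead of raw
# concatenation, and a hypothetical 30-second clock-skew policy.
NONCE_LEN = 16
MAX_SKEW = 30  # seconds; hypothetical policy value


def make_challenge():
    """A fresh random challenge (Cs on the server, Cc on the client)."""
    return os.urandom(NONCE_LEN)


def _digest(first_nonce, first_time, password, second_time, second_nonce):
    """Hash of the five fields in the order given.

    Each field has a fixed width (16-byte nonce, 8-byte big-endian time) or a
    length prefix (password), so the boundaries between fields are unambiguous.
    """
    if len(first_nonce) != NONCE_LEN or len(second_nonce) != NONCE_LEN:
        raise ValueError("challenge must be %d bytes" % NONCE_LEN)
    pw = password.encode("utf-8")
    h = hashlib.sha256()
    h.update(first_nonce)
    h.update(struct.pack(">Q", first_time))
    h.update(struct.pack(">H", len(pw)) + pw)
    h.update(struct.pack(">Q", second_time))
    h.update(second_nonce)
    return h.digest()


def server_response(cs, ts, password, tc, cc):
    """Step 3: H(Cs || Ts || password || Tc || Cc)."""
    return _digest(cs, ts, password, tc, cc)


def client_response(cc, tc, password, ts, cs):
    """Step 4: H(Cc || Tc || password || Ts || Cs)."""
    return _digest(cc, tc, password, ts, cs)


def skew_ok(own_time, peer_time):
    """Reject a peer timestamp that is too far from our own clock."""
    return abs(own_time - peer_time) <= MAX_SKEW


def run_handshake(server_password, client_password,
                  server_clock=None, client_clock=None):
    """Run steps 1-5 in memory with each side holding its own password copy.

    Returns (server_accepts_client, client_accepts_server).  The clock
    arguments exist only so a caller can simulate skew; by default both
    sides read the real clock.
    """
    now = int(time.time())
    ts = now if server_clock is None else server_clock
    tc = now if client_clock is None else client_clock

    # Steps 1 and 2: both challenges and timestamps travel in the clear.
    cs, cc = make_challenge(), make_challenge()

    # Each side first checks that the peer's clock is close to its own; a
    # replayed message carrying an old timestamp fails here.
    if not skew_ok(ts, tc):
        return False, False

    # Steps 3 and 4: each side hashes with its own copy of the password.
    server_sends = server_response(cs, ts, server_password, tc, cc)
    client_sends = client_response(cc, tc, client_password, ts, cs)

    # Step 5: each side recomputes what the peer should have sent and
    # compares in constant time.
    server_accepts = hmac.compare_digest(
        client_sends, client_response(cc, tc, server_password, ts, cs))
    client_accepts = hmac.compare_digest(
        server_sends, server_response(cs, ts, client_password, tc, cc))
    return server_accepts, client_accepts


if __name__ == "__main__":
    print(run_handshake("s3cret", "s3cret"))   # both sides accept
    print(run_handshake("s3cret", "wrong"))    # neither side accepts
```

Because the server's and client's field orders differ, the two hashes are never equal, so a peer cannot simply echo the digest it received. Note that this is still a hash over a shared password rather than a keyed MAC; if you build this for real, an HMAC over the same fields with the password as key is the conventional construction, and the clock check only limits replay to the skew window rather than preventing it.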


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
