>2. Challenge-Response
>
>I do not know yet how to implement this. Advice appreciated.

The short version of how you do this is that you use some sort of hashing scheme like MD5 or SHA1. During the installation process, you generate a random password (or ask the user to enter one) and you store the password on both the server and the client.

The authentication can go many ways, but the idea is for the server and client to each assure themselves that the other has the password. Here's one possible way to do it:

1) The server generates a random challenge and sends it and the current time to the client. (Let's call the server's challenge Cs and the server's time Ts.)

2) The client generates a random challenge as well and sends it and the current time (as it sees it) to the server. (Let's call the client's challenge Cc and the client's time Tc.)

3) The server computes a response by appending Cs, Ts, the password, Tc, and Cc, and sends the MD5 or SHA1 hash of this response to the client.

4) The client computes a response by appending Cc, Tc, the password, Ts, and Cs, and sends the MD5 or SHA1 hash of this response to the server.

5) Each side verifies that the other side created the correct hash, thus proving that it knows the password.

This is oversimplified, I'm afraid, and is not totally secure as stated. But it should give you the idea.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
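
The five steps above, run end to end with both sides' messages, as an added example that is not part of the original post or of OpenSSL. The names (Party, handshake, response), the 16-byte challenges, the 8-byte timestamp encoding, the choice of SHA1 from the two hashes named, and the clock-skew check in step 5 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 300  # assumption: seconds of clock difference tolerated in step 5


def response(c_own, t_own, password, t_peer, c_peer):
    """Hash of: own challenge, own time, password, peer time, peer challenge.
    Challenges and times are fixed-width, so the concatenation is unambiguous."""
    data = (c_own + t_own.to_bytes(8, "big") + password
            + t_peer.to_bytes(8, "big") + c_peer)
    return hashlib.sha1(data).digest()


class Party:
    """One side of the exchange; server and client run the same logic."""

    def __init__(self, password):
        self.password = password

    def hello(self, now=None):
        """Steps 1 and 2: fresh random challenge plus the local time."""
        self.challenge = os.urandom(16)
        self.time = int(time.time()) if now is None else now
        return self.challenge, self.time

    def respond(self, peer_challenge, peer_time):
        """Steps 3 and 4: the hash this side sends to its peer."""
        self.peer = (peer_challenge, peer_time)
        return response(self.challenge, self.time, self.password,
                        peer_time, peer_challenge)

    def verify(self, peer_response):
        """Step 5: recompute what the peer should have sent and compare."""
        c_peer, t_peer = self.peer
        if abs(t_peer - self.time) > MAX_SKEW:  # assumed freshness check
            return False
        expected = response(c_peer, t_peer, self.password,
                            self.time, self.challenge)
        return hmac.compare_digest(expected, peer_response)  # constant time


def handshake(server_pw, client_pw, server_now=None, client_now=None):
    """Returns (client accepts server, server accepts client)."""
    server, client = Party(server_pw), Party(client_pw)
    cs, ts = server.hello(server_now)   # step 1: Cs, Ts -> client
    cc, tc = client.hello(client_now)   # step 2: Cc, Tc -> server
    rs = server.respond(cc, tc)         # step 3: H(Cs,Ts,pw,Tc,Cc) -> client
    rc = client.respond(cs, ts)         # step 4: H(Cc,Tc,pw,Ts,Cs) -> server
    return client.verify(rs), server.verify(rc)
```

Each side's `verify` swaps the own and peer arguments relative to `respond`, which is why the two hashes in steps 3 and 4 differ even though both sides hold the same password.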