>2. Challenge-Response
>
>I do not know yet how to implement this. Advice appreciated.
The short version of how you do this is that you use some sort of hashing
scheme like MD5 or SHA1. During the installation process, you generate a
random password (or ask the user to enter one) and you store the password on
both the server and the client.
The authentication can go many ways, but the idea is for the server and
client to each assure themselves that the other has the password.
Here's one possible way to do it:
1) The server generates a random challenge and sends it and the current time
to the client. (Lets call the server's challenge Cs and the server's time
Ts.)
2) The client generates a random challenge as well and sends it and the
current time (as it sees it) to the server. (Let's call the client's
challenge Cc and the client's time Tc.)
3) The server computes a response by appending Cs, Ts, the password, Tc, and
Cc, and sends the MD5 or SHA1 hash of this response to the client.
4) The client computes a response by appending Cc, Tc, the password, Ts, and
Cs, and sends the MD5 or SHA1 hash of this response to the server.
5) Each side verifies that the other side created the correct hash, thus
proving that it knows the password.
This is oversimplified, I'm afraid, and is not totally secure as stated. But
it should give you the idea.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
