On Mon, 10 Oct 2005 08:06:27 -0700, dcrespo wrote:

> Hi all,
>
> I have a program that serves client programs. The server has a login
> password, which has to be used by each client for logging in. So, when
> the client connects, it sends a string with a password, which is then
> validated on the server side. The problem is obvious: anyone can get
> the password just sniffing the network.
>
> How can I solve this?
>
> Daniel

What I've been doing for this is to:

1) Store two copies of a (symmetric), one on the client host, one on the server host.
2) When the client wants to connect to the server, have the server generate a random string of bits, hash the client's password with the string, and then the random string to the client
3) The client then hashes its copy of the same password with that random string, and sends the result back to the server
4) The server, upon receiving the correct hash result, provides service

There are a lot of collisions being found in hash algorithms these days. I haven't heard about any in the RIPEMD family of hash algorithms yet.

Another possibility is to just use Diffie-Hellman key exchange (pretty simple to code the base algorithm in Python - I have an implementation in pure Python for you if you want - but I hear that some numbers are more prone to attack than others, which my code does not attempt to take into account) to get a shared encryption key on both ends of the communication, and then encrypt everything with that.
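
The challenge-response login from steps 1 to 4 above, as an added example that is not part of the original post. It swaps the plain hash of password plus random string for HMAC-SHA256 from the standard library; the Server class, client_response function, session ids and the sample secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets


class Server:
    """Server side: issues one-time challenges and verifies responses."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._pending = {}  # session id -> outstanding challenge

    def issue_challenge(self, session_id: str) -> bytes:
        # Step 2: a fresh random string for every login attempt.
        challenge = secrets.token_bytes(32)
        self._pending[session_id] = challenge
        return challenge

    def verify(self, session_id: str, response: bytes) -> bool:
        # Step 4: each challenge is consumed on first use, pass or fail.
        challenge = self._pending.pop(session_id, None)
        if challenge is None:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_response(shared_secret: bytes, challenge: bytes) -> bytes:
    # Step 3: the client keys the hash with its copy of the secret.
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


def demo() -> dict:
    secret = b"constructed-demo-secret"  # sample value, not from the post
    server = Server(secret)
    c1 = server.issue_challenge("s1")
    r1 = client_response(secret, c1)
    results = {"valid_login": server.verify("s1", r1)}
    # A sniffed response replayed against a new challenge must fail.
    server.issue_challenge("s2")
    results["replayed_response"] = server.verify("s2", r1)
    # The same challenge cannot be answered twice.
    results["reused_challenge"] = server.verify("s1", r1)
    # A client holding the wrong secret is rejected.
    c3 = server.issue_challenge("s3")
    results["wrong_secret"] = server.verify("s3", client_response(b"guess", c3))
    return results
```

A recorded challenge and response pair still lets an eavesdropper test guesses offline, so the shared secret should be a long random key rather than a short password.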