dcrespo wrote: >¡Beautiful and elegant solution! > >Two copies of the password: one on the client, the other on the server. > >1. Client wants to connect >2. Server generates a random_alphanumeric_string and sends it to the >client >3. Both Client and Server creates a hash string from ><password+random_alphanumeric_string> >4. Client sends the hash string to the server >5. Server compares his hash result with the hash string received from >de client. > >I think it is a very good solution, Isn't it? > > In fact this is almost an OTP but be aware! A man-in-the-middle attack can crack your algorithm. This is beacuse you create a random string only on one side. You cannot trust in the connection you are using. You can modify you algorigthm to be more secure:
1. Client wants to connect 2. Server generates a server_random_alphanumeric_string and sends it to the client 3. Client generates a client_random_alphanumeric_string and sends it to the client too 3. Both Client and Server creates a hash string from <server_random_alphanumeric_string+password+client_random_alphanumeric_string> 4. Client sends the hash string to the server 5. Server compares his hash result with the hash string received from de client. This is only a bit difference, but is makes sense. An intuder (who knows the your algorithm, because getting the code is not as difficult) could make a fake server to you, and send back HIS string (that is not random). Suppose we have a weakness in the hash function. The intuder can exploit this weakness by sending you his special string. The modified version has the advantage of sending two random strings, this way the intuder cannot take advantage of possible hash function weaknesses, because the hash function will be called on a string that is random for sure. Best, Les -- http://mail.python.org/mailman/listinfo/python-list
