big word listing

David R. Conrad ab411 at detroit.freenet.org
Mon Jul 24 05:49:17 PDT 1995

Monty Harder <monty.harder at famend.com> wrote:
> Andrew Spring <ANDREW.SPRING at PING.BE> wrote:
>AS> >  <process-ID.clock at hostname>password
>AS> >
>AS> >and sends it to the server as "APOP username 58349485whatever89583449".
>
>AS> Of course, this requires the user password to be stored unencrypted on the
>AS> server; which you may not want to do.
>
>  Here's a variation, then: Instead of using process-id.clock to
>generate the random stuff for the challenge, have your own (P)RNG make
>up a bunch of them ahead of time, calculate the hashes, and store the
>challenges and hashes on the server.

Instead of that, send H(pid,clock,hostname,H(password)) to the server, for
some hash function H().  Then the server only needs to keep H(password) 
around, rather than the plain password.  This is similar to current
systems, except the plain password isn't sent across the network.

H() can be whatever you fancy; 25 crypts, MD5, SHA-1, etc.  Of course,
I'm sure this is far from being a new idea....

--
David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/
Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page
Key fingerprint =  33 12 BC 77 48 81 99 A5  D8 9C 43 16 3C 37 0B 50
No, his mind is not for rent to any god or government.
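The exchange described in the message above, as an added example that is not part of the original post: the server keeps only H(password), issues an APOP-style <pid.clock@hostname> challenge, and checks H(challenge, H(password)) from the client. SHA-256 as H(), the length-prefixed field encoding, the single-use challenge table and the sample hostname/username are assumptions of this example, not something the post specifies.

```python
import hashlib
import hmac
import os
import time


def H(*parts: bytes) -> bytes:
    """The post leaves H() open ("25 crypts, MD5, SHA-1, etc."); SHA-256 is assumed here.
    Each field is length-prefixed so that pid/clock/hostname/hash cannot run into one another."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def make_challenge(pid: int, clock: int, hostname: str) -> str:
    """APOP-style banner the server sends in its greeting: <process-ID.clock@hostname>."""
    return f"<{pid}.{clock}@{hostname}>"


def stored_verifier(password: str) -> bytes:
    """What the server keeps on disk: H(password), never the plaintext password."""
    return H(password.encode())


def client_response(challenge: str, password: str) -> bytes:
    """Client side of the variant: H(pid, clock, hostname, H(password)), sent instead of the password."""
    return H(challenge.encode(), H(password.encode()))


class ApopVariantServer:
    def __init__(self, hostname: str):
        self.hostname = hostname
        self.verifiers = {}   # username -> H(password)
        self.pending = {}     # username -> challenge still awaiting a response (single use)

    def enroll(self, username: str, password: str) -> None:
        self.verifiers[username] = stored_verifier(password)

    def greet(self, username: str, pid: int = None, clock: int = None) -> str:
        pid = os.getpid() if pid is None else pid
        clock = time.time_ns() if clock is None else clock   # pid.clock makes each banner fresh
        self.pending[username] = make_challenge(pid, clock, self.hostname)
        return self.pending[username]

    def verify(self, username: str, response: bytes) -> bool:
        chal = self.pending.pop(username, None)   # consumed on first use, so a replayed response fails
        verifier = self.verifiers.get(username)
        if chal is None or verifier is None:
            return False
        expected = H(chal.encode(), verifier)      # only H(password) is needed on the server side
        return hmac.compare_digest(expected, response)
```

Note that H(password) is all the client needs to answer, so the stored verifier is password-equivalent for this server; the gain is that the plaintext is never stored or transmitted, not that a leak of the verifier table is harmless.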