Looking for advice.

Patrick Horgan patrick at Verity.COM
Wed Sep 27 22:02:04 PDT 1995


For two programs communicating via TCP/IP and exchanging authentication
information, I want to make sure that the authentication info (user's
name and password) doesn't pass in the clear.  I can think of a few
ways to handle this.  

1) Encrypt via shared key using symmetric encryption.
   This works but key management is a problem.
2) Encrypt via public keys using public key encryption.
   There are licensing issues, and how do you generate public and private
   pairs for all of the programs?  That could be a lot of primes!
3) The "server" could keep user names and passwords stored as hashed values.
   That way the "client" could do a hash (MD5?) before sending it.
   This has the drawback of the server not having access to the unhashed
   values...if it needs that access this method won't work.

What are other possibilities?  What are the answers to my questions and
issues above?  Can you help?

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Verity's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Verity Inc.                 \\    Have       |
 |  patrick at verity.com        1550 Plymouth Street         \\  _ Sword     | 
 |  Phone : (415)960-7600     Mountain View                 \\/    Will    | 
 |  FAX   : (415)960-7750     California 94303             _/\\     Travel | 
  \___________________________________________________________\)__________/
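
Option 3 from the message above, as an added sketch that is not part of the original post: the server stores MD5(password) and the client sends MD5(password). The class, function names and credentials are constructed for illustration. It shows that the password stays off the wire, but the value sent is the same on every login and equals the stored value, so the server accepts it without the sender knowing the password.

```python
import hashlib
import hmac


def client_token(password: str) -> str:
    """What the client puts on the wire in option 3: MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


class Server:
    """Hypothetical server that keeps only hashed passwords."""

    def __init__(self):
        self.db = {}  # user name -> stored MD5 hex digest

    def enroll(self, user: str, password: str) -> None:
        # Only the hash is kept; the plaintext cannot be recovered from it,
        # which is the drawback the post mentions.
        self.db[user] = client_token(password)

    def login(self, user: str, token: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, token)


def demo() -> dict:
    server = Server()
    server.enroll("alice", "correct horse")  # constructed sample credentials

    first = client_token("correct horse")   # bytes seen on the wire, login 1
    second = client_token("correct horse")  # bytes seen on the wire, login 2

    return {
        "login_ok": server.login("alice", first),
        "wrong_password_rejected": not server.login("alice", client_token("guess")),
        # The wire value never changes between sessions ...
        "same_bytes_every_login": first == second,
        # ... and it is exactly what the server stores, so the hash itself
        # is the credential: anything that presents it is accepted.
        "wire_equals_stored": first == server.db["alice"],
        "resent_value_accepted": server.login("alice", first),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```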





