From: ab411@detroit.freenet.org (David R. Conrad)
Date: Mon, 24 Jul 95 05:49:17 PDT
To: cypherpunks@toad.com
Subject: Re: big word listing
Message-ID: <199507241249.IAA28264@detroit.freenet.org>
MIME-Version: 1.0
Content-Type: text/plain




Monty Harder <monty.harder@famend.com> wrote:
 Andrew Spring <ANDREW.SPRING@PING.BE> wrote:
>AS> >  <process-ID.clock@hostname>password
>AS> >
>AS> >and sends it to the server as "APOP username 58349485whatever89583449".
>
>AS> Of course, this requires the user password to be stored unencrypted on the
>AS> server; which you may not want to do.
>
>  Here's a variation, then: Instead of using process-id.clock to
>generate the random stuff for the challenge, have your own (P)RNG make
>up a bunch of them ahead of time, calculate the hashes, and store the
>challenges and hashes on the server.

Instead of that, send H(pid,clock,hostname,H(password)) to the server, for
some hash function H().  Then the server only needs to keep H(password) 
around, rather than the plain password.  This is similar to current
systems, except the plain password isn't sent across the network.

H() can be whatever you fancy; 25 crypts, MD5, SHA-1, etc.  Of course,
I'm sure this is far from being a new idea....

--
David R. Conrad, ab411@detroit.freenet.org, http://web.grfn.org/~conrad/
Finger conrad@grfn.org for PGP 2.6 public key; it's also on my home page
Key fingerprint =  33 12 BC 77 48 81 99 A5  D8 9C 43 16 3C 37 0B 50
No, his mind is not for rent to any god or government.