From: patrick@Verity.COM (Patrick Horgan)
Date: Wed, 27 Sep 95 22:02:04 PDT
To: cypherpunks@toad.com
Subject: Looking for advice.
Message-ID: <9509280458.AA24011@cantina.verity.com>
MIME-Version: 1.0
Content-Type: text/plain


For two programs communicating via TCP/IP and exchanging authentication
information, I want to make sure that the authentication info, (user's
name and password,) doesn't pass in the clear.  I can think of a few
ways to handle this.  

1) Encrypt via shared key using symetric encryption.
   This works but key management is a problem.
2) Encrypt via public keys using public key encryption.
   There's licensing issues, and how do you generate public and private
   pairs for all of the programs?  That could be a lot of primes!
3) The "server" could keep user names and passwords stored as hashed values.
   That way the "client" could do a hash (MD5?) before sending it.
   This has the drawback of the server not having access to the unhashed
   values...if it needs that access this method won't work.

What are other possibilities?  What are the answers to my questions and
issues above?  Can you help?

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Verity's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Verity Inc.                 \\    Have       |
 |  patrick@verity.com        1550 Plymouth Street         \\  _ Sword     | 
 |  Phone : (415)960-7600     Mountain View                 \\/    Will    | 
 |  FAX   : (415)960-7750     California 94303             _/\\     Travel | 
  \___________________________________________________________\)__________/