1996-04-11 - Re: WWW User authentication

Header Data

From: blane@aa.net (Brian C. Lane)
To: cypherpunks@toad.com
Message Hash: aa3367f40f7a5356d64fadfa00dde62e232f0a220b4b94fec43e884774ae4b50
Message ID: <316c8b7a.17970650@mail.aa.net>
Reply To: <199604091558.LAA22026@jafar.sware.com>
UTC Datetime: 1996-04-11 22:04:51 UTC
Raw Date: Fri, 12 Apr 1996 06:04:51 +0800

Raw message

From: blane@aa.net (Brian C. Lane)
Date: Fri, 12 Apr 1996 06:04:51 +0800
To: cypherpunks@toad.com
Subject: Re: WWW User authentication
In-Reply-To: <199604091558.LAA22026@jafar.sware.com>
Message-ID: <316c8b7a.17970650@mail.aa.net>
MIME-Version: 1.0
Content-Type: text/plain


On Tue, 9 Apr 1996 11:58:34 -0400 (EDT), you wrote:

>AFAIK, none.  I don't see how this would be helpful anyway.  If you 
>MD5 the password, I won't be able to snoop the password off the wire,
>but I can simply snoop the MD5 hash off the wire instead and since 
>that's what your authentication check must now be against, what does
>this buy you?

  It could be implemented thus:

  Server and client have a shared secret. The server sends the time, or
some random # to the client which MD5's this number and the secret, and
sends the result back to the server which then checks it.

  Similar to the APOP command for POP3 that I've never seen implemented.

    Brian


------- <blane@aa.net> -------------------- <http://www.aa.net/~blane> -------
  Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!)
==============  11 99 3D DB 63 4D 0B 22  15 DC 5A 12 71 DE EE 36  ============
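
The challenge-response exchange described in the message above, as an added example that is not part of the original post: the server issues a single-use random challenge, the client returns MD5(challenge + secret), and a response captured off the wire is rejected when it is presented again. The names respond, Server and demo and the secret value are constructed for illustration; a current design would use HMAC-SHA-256 rather than MD5 over a plain concatenation.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-demo-secret"  # constructed sample value


def respond(challenge: bytes, secret: bytes) -> str:
    """Client side: MD5 over the server's challenge and the shared secret."""
    return hashlib.md5(challenge + secret).hexdigest()


class Server:
    """Issues single-use random challenges and verifies the responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_hex(16).encode()
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: str) -> bool:
        # Each challenge is accepted once, so a recorded pair cannot be reused.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = respond(challenge, self._secret)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    server = Server(SHARED_SECRET)
    c1 = server.issue_challenge()
    r1 = respond(c1, SHARED_SECRET)       # the value visible on the wire
    first = server.verify(c1, r1)         # legitimate login
    replay_same = server.verify(c1, r1)   # same pair presented again
    c2 = server.issue_challenge()
    replay_new = server.verify(c2, r1)    # old response, fresh challenge
    c3 = server.issue_challenge()
    wrong = server.verify(c3, respond(c3, b"guess"))  # wrong secret
    return {"first": first, "replay_same": replay_same,
            "replay_new": replay_new, "wrong_secret": wrong}


if __name__ == "__main__":
    print(demo())
```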




