[clug] A Question About Password Handling and Authentication Mechanisms
jm
jeffm at ghostgun.com
Mon Nov 24 22:36:18 MST 2014
I've been meaning to look into/ask if there exists a challenge-response
mechanism for passwords where the password doesn't have to be stored in
plain text or in a recoverable form, ie it can be stored using a
cryptographic hash. In fact, no where is the password stored or
transmitted over a channel in a recoverable form. Does anyone know of
such a beast?
I image it would operate something like this:
Say you have a password in plain text, password. It is then stored on
the server hashed, Hserver(password). Upon connection from a client a
challenge is sent to the client and using the plain text password
entered by the user the client carries out a one way calculation, call
this hash Hclient(password, challenge) which is then sent to the server
for verification. To do this the server performance another calculation
on the hashed password, Verifier(stored_password, challenge), and
compares it to the client supplied hash. In other words,
1) Server stores password
stored_password = Hserver(password)
2) Client connects.
3) Server send challenge to client, challenge.
4) Client calculates response to challenge with a one-way function
response = Hclient(password, challenge)
5) Client sends response to server
6) Server calculated verifier code
verifier = Verifier(stored_password, challenge)
7) Server compares results and allows access if there is a match
if response == verifier:
allow access
else:
disconnect
Jeff.
!DSPAM:547415e512416308818977!
More information about the linux
mailing list