[clug] A Question About Password Handling and Authentication Mechanisms

James Ring sjr at jdns.org
Mon Nov 24 22:52:18 MST 2014


I'm no expert but you may be describing Kerberos:
https://en.wikipedia.org/wiki/Kerberos_(protocol)

On Mon, Nov 24, 2014 at 9:36 PM, jm <jeffm at ghostgun.com> wrote:

> I've been meaning to look into/ask if there exists a challenge-response
> mechanism for passwords where the password doesn't have to be stored in
> plain text or in a recoverable form, i.e. it can be stored using a
> cryptographic hash. In fact, nowhere is the password stored or
> transmitted over a channel in a recoverable form. Does anyone know of
> such a beast?
>
> I imagine it would operate something like this:
>
> Say you have a password in plain text, password. It is then stored on
> the server hashed, Hserver(password). Upon connection from a client a
> challenge is sent to the client and using the plain text password
> entered by the user the client carries out a one way calculation, call
> this hash Hclient(password, challenge) which is then sent to the server
> for verification. To do this the server performs another calculation
> on the hashed password, Verifier(stored_password, challenge), and
> compares it to the client supplied hash. In other words,
>
> 1)  Server stores password
>   stored_password = Hserver(password)
>
> 2) Client connects.
>
> 3) Server sends challenge to client, challenge.
>
> 4) Client calculates response to challenge with a one-way function
>   response = Hclient(password, challenge)
>
> 5) Client sends response to server
>
> 6) Server calculates verifier code
>    verifier = Verifier(stored_password, challenge)
>
> 7) Server compares results and allows access if there is a match
>    if response == verifier:
>        allow access
>    else:
>        disconnect
>
>
> Jeff.
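
The seven steps in the quoted message, as an added example that is not part of the original thread: a simplified form of the SCRAM construction (RFC 5802) in Python, with the server's challenge standing in for SCRAM's AuthMessage. The function names, salt handling and iteration count are assumptions made for this example; the literal `response == verifier` comparison is included for contrast, because there the stored hash alone is enough to compute an accepted response.

```python
import hashlib, hmac, os

ITERATIONS = 4096  # assumed work factor, chosen for this example

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_key(password: str, salt: bytes) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return mac(salted, b"Client Key")

def enroll(password: str, salt: bytes) -> bytes:
    """Step 1: the server stores H(ClientKey), never the password."""
    return h(client_key(password, salt))

def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Step 4: ClientKey masked with HMAC(StoredKey, challenge)."""
    ck = client_key(password, salt)
    return xor(ck, mac(h(ck), challenge))

def server_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Steps 6-7: unmask the ClientKey, hash it, compare in constant time."""
    ck = xor(response, mac(stored, challenge))
    return hmac.compare_digest(h(ck), stored)

def literal_verifier(stored: bytes, challenge: bytes) -> bytes:
    """Step 6 as written: a value computable from the stored hash alone,
    so with `response == verifier` the stored hash acts as the password."""
    return mac(stored, challenge)

def demo():
    salt, challenge = os.urandom(16), os.urandom(32)  # constructed sample values
    stored = enroll("correct horse", salt)
    ok = server_verify(stored, challenge, client_response("correct horse", salt, challenge))
    wrong = server_verify(stored, challenge, client_response("wrong guess", salt, challenge))
    # Knowing only the database entry does not yield an accepted response here.
    db_only = server_verify(stored, challenge, literal_verifier(stored, challenge))
    return ok, wrong, db_only

if __name__ == "__main__":
    print(demo())
```

In a real exchange the server sends the salt and iteration count along with the challenge, and full SCRAM also binds client and server nonces into the signed message and authenticates the server to the client.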

