Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Re: Re: Re: Re: Re: Ecrypting passwords

by Molt (Chaplain)
on Oct 06, 2003 at 10:42 UTC ( #296899=note: print w/replies, xml ) Need Help??

in reply to Re: Re: Re: Re: Ecrypting passwords
in thread Ecrypting passwords

Good description of Digest encrytption from what I remember about it. I'd just like to add a slight addition though..

If I remember correctly from what I read in Applied Cryptography (My copy is currently on loan, alas) if required a nonce can be strengthened by adding an accurate timestamp, request counter, or other non-repeating series.

By using Digest::MD5::md5_hex("$user:$realm:$password:$series_id") as the nonce, and keeping track of 'used' nonces and rejecting them it stops the man-in-the-middle even being able to use replay attacks to see those pages that just flew past them.

After all, would you really want someone to replay your entire session for shutting down your database server when they so choose?

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: Re: Ecrypting passwords
by tilly (Archbishop) on Oct 06, 2003 at 14:11 UTC
    That is what I meant by the phrase, The vulnerability to things like replay attacks is controllable on the server side in how it produces and verifies what the nonce was.

    However it is good to make it clear how you avoid replays, and why you would want to.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://296899]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (4)
As of 2017-03-29 06:08 GMT
Find Nodes?
    Voting Booth?
    Should Pluto Get Its Planethood Back?

    Results (343 votes). Check out past polls.