Having the client hash the password before sending it over the wire is a start, but doesn't help much if the server isn't who the client thinks it is, since the attacker can just play back the password hash at the real server.
That's why HTTP digest authentication includes a variable "nonce" value. The server sends the nonce to the client when it first attempts to access the page. The client calculates the hash of the password and the nonce together, and sends that back to the server. The server verifies that the hash it recieved was calculated with a valid password and a nonce that was actually sent to that client recently.
If someone tries to replay an old password hash, the server won't accept it, because it won't have a valid nonce.
If the nonce used contains some (cryptographic) function of the time and the client's IP, you can avoid the problem of having to have the server remember which nonces are valid.
The problem, of course, is that the server has to have the password in plaintext so it can calculate the hash and see if it matches the one it got from the client.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.
| & || & |
| < || < |
| > || > |
| [ || [ |
| ] || ] ||