Implement network auth system #5
Comments
You could store the password as a hash+salt on the server, requiring the client to hash twice?
The issue with that is that it makes the hashed password the password, you don't need the actual password.
Yes, but it does improve security, as it avoids certain issues with password reuse (if you make sure the salts are different!)
It might be an idea to implement a simple version of Kerberos authentication. This gets rid of the issue of hash reuse, and also provides an encryption layer to be used after said authentication. Note this still potentially leaves applications vulnerable to pass the hash attacks (actually pass the ticket), which need to be mitigated by creating new Kerberos sessions.
So it looks like having passwords of some description stored on the server is non-optional - you can't use them to generate things if they're hashed and salted without compromising the hash. Instead, here's what I suggest: Still looking for other options, of course.
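The "hash twice" scheme debated in the comments above, as an added toy model that is not code from this project or any commenter: the client derives a salted value (PBKDF2 is my choice here, the thread does not name a derivation), the server stores a further hash of it, and `trade_off()` reports which values the verifier will accept. The salt and passwords are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment would generate a random per-user salt.
DEMO_SALT = b"user-42-salt-constructed"


def client_hash(password: str, salt: bytes) -> bytes:
    """Client side of the 'hash twice' scheme: derive a salted value from the
    password. Only this value ever leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def server_stored_form(wire_value: bytes) -> bytes:
    """Server side: hash the received value once more before storing it, so a
    leaked database row is not itself the value that travels on the wire."""
    return hashlib.sha256(wire_value).digest()


def server_verify(stored: bytes, wire_value: bytes) -> bool:
    """Login check: constant-time comparison of the re-hashed wire value."""
    return hmac.compare_digest(stored, server_stored_form(wire_value))


def trade_off(password: str, salt: bytes = DEMO_SALT) -> dict:
    """Report what each stored or captured value is worth to the verifier.

    The server never holds the plaintext password; it only holds `stored`."""
    wire_value = client_hash(password, salt)      # what the transport carries
    stored = server_stored_form(wire_value)       # what a database leak exposes
    return {
        # A normal login with the right password succeeds.
        "correct_password": server_verify(stored, client_hash(password, salt)),
        # A wrong password, or the same password under another site's salt, fails:
        # distinct salts are what limits cross-site reuse of the derived value.
        "wrong_password": server_verify(stored, client_hash("not-it", salt)),
        "other_salt": server_verify(stored, client_hash(password, b"other-site")),
        # The second hash means the stored row alone is not accepted as a login;
        # this is what the scheme buys against a database leak.
        "leaked_db_row_accepted": server_verify(stored, stored),
        # The on-the-wire value, however, is accepted without the password:
        # "the hashed password is the password", so the transport must protect it.
        "captured_wire_value_accepted": server_verify(stored, wire_value),
    }
```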
I want an easy way to provide user/password auth over streams.
At one point I implemented a system as follows:
This has a significant downside in that both sides require plaintext passwords, and in the server's case, stored somewhere.
The alternatives are to use other crypto methods to get a password transmitted securely for the server to hash.
Some interesting things to look into: