I wonder if anyone (besides me :-) has considered doing a challenge-
response authentication mechanism that's more secure than the Basic
auth. Certainly, it would require a plug-in on the client side as
well as a server module, but it would eliminate the current traffic in
what are basically plaintext passwords without requiring SSL. Here's
how it would work:

When the client requested a protected resource, the server would
respond with 401 Unauthorized, and a WWW-Authenticate: header
containing the name of the realm and a random number. The client
would prompt the user for a password, concatenate the server's random
number with one of its own, encrypt the result, and send an
Authorization: header with its next request, containing its own random
number in the clear, and the encrypted result. On each subsequent
request from the same realm, both sides would generate new random
numbers and the client would keep encrypting and returning the
server's numbers. (The reason for the client contribution to the
challenge is to prevent nasty servers from choosing "random"
challenges that could compromise the client's key.)

Anyone interested in this sort of functionality?

regards,
d.
Received on Sun Jun 30 15:46:08 1996
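The exchange sketched in the post, worked through as an added example (this is not code from the original message or from any later standard; it is an illustration written for this page). Assumptions are labelled in the code: the scheme name `ChallengeResponse` and the parameter names `nonce`, `cnonce` and `response` are invented, HMAC-SHA256 keyed by a password-derived key stands in for the post's "encrypt the result", the server's next random number rides back on a hypothetical `Authentication-Info: nextnonce=...` header, and the server remembers each nonce it issued so that a nonce can be answered only once. The example runs both sides offline and shows the three properties the post is after: no password or password-equivalent crosses the wire, a captured `Authorization:` header cannot be replayed, and the client's own random number goes into every response.

```python
import hashlib
import hmac
import re
import secrets

SCHEME = "ChallengeResponse"  # hypothetical scheme name, chosen for this example only


def derive_key(password: str, realm: str) -> bytes:
    """Key the client derives from the user's password and the realm (constructed choice)."""
    return hashlib.sha256(f"{realm}:{password}".encode()).digest()


def compute_response(key: bytes, server_nonce: str, client_nonce: str) -> str:
    """Keyed one-way function over server_nonce || client_nonce.

    HMAC-SHA256 stands in for the post's 'encrypt the result': the server can
    recompute it from the stored key, but the wire value reveals neither key nor password.
    """
    return hmac.new(key, f"{server_nonce}:{client_nonce}".encode(), hashlib.sha256).hexdigest()


def parse_params(header: str) -> dict:
    """Pull key="value" pairs out of a header line (sufficient for this example's syntax)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


class Server:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Server stores the derived key per user, never the plaintext password.
        self.keys = {u: derive_key(pw, realm) for u, pw in users.items()}
        self.live_nonces = set()  # nonces issued and not yet consumed: each is answerable once

    def _new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def challenge(self):
        """401 plus a fresh random challenge, as in the post's first step."""
        return 401, f'WWW-Authenticate: {SCHEME} realm="{self.realm}", nonce="{self._new_nonce()}"'

    def handle(self, authorization=None):
        """Process one request; returns (status, header-to-send-back)."""
        if authorization is None or not authorization.startswith(f"Authorization: {SCHEME} "):
            return self.challenge()
        p = parse_params(authorization)
        nonce = p.get("nonce")
        if nonce not in self.live_nonces:  # unknown or already used: treat a replay as unauthenticated
            return self.challenge()
        self.live_nonces.discard(nonce)  # consume the nonce so this header can never be accepted again
        key = self.keys.get(p.get("username"))
        if key is None:
            return self.challenge()
        expected = compute_response(key, nonce, p.get("cnonce", ""))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return self.challenge()
        # Success: hand the client its next server random number along with the resource.
        # 'Authentication-Info: nextnonce' is an assumed carrier for that number in this example.
        return 200, f'Authentication-Info: nextnonce="{self._new_nonce()}"'


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.key = None

    def answer(self, header: str) -> str:
        """Build the Authorization: header for a WWW-Authenticate or Authentication-Info header."""
        p = parse_params(header)
        if "realm" in p:  # first challenge for this realm: derive the key once, from the prompt
            self.key = derive_key(self.password, p["realm"])
        server_nonce = p.get("nonce") or p.get("nextnonce")
        cnonce = secrets.token_hex(16)  # the client's own contribution, sent in the clear
        resp = compute_response(self.key, server_nonce, cnonce)
        return (f'Authorization: {SCHEME} username="{self.username}", '
                f'nonce="{server_nonce}", cnonce="{cnonce}", response="{resp}"')


def run_exchange(password: str = "s3cret") -> list:
    """Constructed scenario: one user 'alice' in realm 'WallyWorld'; returns the status codes seen."""
    server = Server("WallyWorld", {"alice": "s3cret"})
    client = Client("alice", password)
    status1, www = server.handle()              # unauthenticated request -> 401 + challenge
    auth1 = client.answer(www)
    status2, info = server.handle(auth1)        # answered challenge -> 200 + next nonce
    status3, _ = server.handle(auth1)           # replay of the captured header -> 401
    auth2 = client.answer(info) if status2 == 200 else None
    status4, _ = server.handle(auth2)           # next request with the rotated nonce -> 200
    return [status1, status2, status3, status4]
```

With the right password the statuses come out 401, 200, 401, 200: the replay in the third step fails because the nonce was consumed, and the fourth request succeeds only because both sides moved on to new random numbers. With a wrong password every request stays at 401.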