Security, cryptography: Stupid challenge-response protocol?


Question


Ok guys just a small game:


I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a challenge response protocol:


CLIENT ----------------------------- SERVER

(1)ask for challenge -------------->

(2)    <---------------------------- send SHA1 taken from the time
                                       (this is the challenge)
(3) make SHA1 xor PASSWORD --------> if it's equal to SHA1 xor stored password

(4)    <---------------------------- Grant access


For those who don't know it, SHA stands for Secure Hashing Algorithm, a standard algorithm for cryptography.


I hope it's clear. Question is: if I sniff packets 2 and 3 (the "challenge" and the "challenge xor password"), I do have the actual password just with another xor between them both!?!? Is there another way to implement this kind of protocol??

Recommended answer

How about:

  1. Server sends a random challenge

  2. Client sends SHA1 checksum(challenge + password)

  3. Server compares it with SHA1 checksum(challenge + stored password)
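The following is an added example (not part of the question or the answer above) that puts both protocols side by side in Python: first the questioner's scheme, where packet 3 is challenge XOR password and anyone holding packets 2 and 3 can XOR them back into the password, and then the answer's scheme, where the client sends SHA1(challenge + password) and the server recomputes it from its stored copy. The password value is a constructed sample; the challenge is 20 random bytes drawn from the OS so that a response captured in one session is useless against the next one.

```python
import hashlib
import hmac
import os

# Constructed sample secret shared by client and server (example value only).
STORED_PASSWORD = b"hunter2-example"


def server_make_challenge() -> bytes:
    """Step 1: the server draws a fresh, unpredictable 20-byte challenge."""
    return os.urandom(20)


def xor_scheme_leaks_password(password: bytes = STORED_PASSWORD) -> bool:
    """The questioner's scheme: packet 2 is the challenge, packet 3 is
    challenge XOR password. XORing the two sniffed packets undoes the
    'encryption' and returns the password, which is the flaw the question
    points out. The password is zero-padded to the challenge length."""
    packet2 = server_make_challenge()
    padded = password[:20].ljust(20, b"\0")
    packet3 = bytes(a ^ b for a, b in zip(packet2, padded))
    recovered = bytes(a ^ b for a, b in zip(packet2, packet3)).rstrip(b"\0")
    return recovered == password[:20]


def client_response(challenge: bytes, password: bytes) -> bytes:
    """Step 2 of the answer's scheme: the client proves knowledge of the
    password by sending SHA1(challenge + password); the password itself
    never crosses the wire."""
    return hashlib.sha1(challenge + password).digest()


def server_verify(challenge: bytes, response: bytes, stored_password: bytes) -> bool:
    """Step 3: the server recomputes the expected digest from its stored
    password and compares in constant time to avoid timing leaks."""
    expected = hashlib.sha1(challenge + stored_password).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(password: bytes, stored_password: bytes = STORED_PASSWORD):
    """One full exchange; returns (challenge, response, access_granted)."""
    challenge = server_make_challenge()
    response = client_response(challenge, password)
    return challenge, response, server_verify(challenge, response, stored_password)


def replay_is_rejected(stored_password: bytes = STORED_PASSWORD) -> bool:
    """Why the challenge must be random and fresh: a (challenge, response)
    pair captured from one session does not authenticate against a new
    challenge, so the sniffer learns nothing it can replay."""
    _, old_response, _ = run_exchange(stored_password, stored_password)
    new_challenge = server_make_challenge()
    return not server_verify(new_challenge, old_response, stored_password)


if __name__ == "__main__":
    print("XOR scheme leaks password:", xor_scheme_leaks_password())
    print("Correct password granted: ", run_exchange(STORED_PASSWORD)[2])
    print("Wrong password granted:   ", run_exchange(b"wrong")[2])
    print("Replay rejected:          ", replay_is_rejected())
```

Two caveats a practitioner would add to the answer's scheme: the server must keep the password itself (or some derived secret) to recompute the digest, so the store needs protecting, and a sniffed (challenge, response) pair still lets an observer test password guesses offline, so the password must be strong. For new designs an HMAC over the challenge (HMAC-SHA256 instead of a bare SHA1 of the concatenation) is the conventional choice; the structure of the exchange stays exactly as in the three steps above.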
