Security, cryptography: Stupid Challenge - Response protocol?

前端 未结 4 1807
时光说笑
时光说笑 2021-02-11 05:48

Ok guys just a small game:

I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a cha

4条回答
  •  遇见更好的自我
    2021-02-11 06:16

    That's a pretty horrible protocol. If this is something someone wants you to implement, refuse to. There are existing, vetted protocols for this type of thing. If this is a game where you point out all the flaws - okay.

    • Anyone who hears steps 2 & 3 knows the password
    • Anyone who hears step 3 and notes the time can brute-force the password if he has any idea of the precision of the time on the server
    • I can pretend to be a server (arp poisoning, dns rediction, etc), and get your password, never completing step 4 and feigning a timeout
    • Vulnerable to Man in the Middle Attacks because there's no shared secret between client/server or certificates on the server
    • Relies on the server storing the SHA1(time) and waiting for a response, so I can overload the server with requests for challenges and never reply.

    And I'm definetly missing some more.

提交回复
热议问题