Security, cryptography: Stupid Challenge - Response protocol?

Front-end · Unresolved · 4 answers · 1806 views
时光说笑 2021-02-11 05:48

Ok guys just a small game:

I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a cha

4 answers
  •  青春惊慌失措
    2021-02-11 06:21

    You are right -- if you capture the challenge and (challenge XOR password) then extracting the password is easy.

    You need to use proper encryption in step 3, not XOR. Encrypt the challenge with the password.

    To make an attacker's life harder you could add random data to what you encrypt: e.g. encrypt paddingCHALLENGEpadding. The server doesn't care what the padding is, it knows where to look for the challenge, but it means an attacker won't know what the whole plaintext is.
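
The exchange the answer above describes, as an added example that is not code from the question, the answerer, or any project: it implements the question's "challenge XOR password" scheme and shows an eavesdropper inverting one captured exchange, then a keyed response in which the client proves knowledge of the password without the response being invertible. Because the Python standard library has no block cipher, the "encrypt the challenge with the password" step is replaced by an HMAC-SHA256 over the challenge keyed with a PBKDF2-derived key; that is a substitution for the answer's encryption, not what the answer literally says, and with a keyed MAC the padding trick is not needed because a public plaintext (the challenge) does not help the attacker. The names `Server`, `derive_key`, `keyed_response` and `offline_guess`, the per-user salt, the iteration count, the password `hunter2` and the wordlist are all constructed for the demo. The last part shows the caveat a practitioner would want: any scheme built from the password alone still lets an eavesdropper guess weak passwords offline against a captured exchange.

```python
"""Challenge-response over a password: the XOR scheme from the question
versus a keyed (HMAC) response.  Added example, not code from the thread.
All names, the password and the wordlist are constructed for the demo."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# ---- Scheme from the question: response = challenge XOR password -----------

def xor_response(challenge: bytes, password: bytes) -> bytes:
    """Client side of the weak scheme.  Assumption: the password is padded
    with NUL bytes to the challenge length before the XOR."""
    if len(password) > len(challenge):
        raise ValueError("password longer than challenge")
    padded = password.ljust(len(challenge), b"\x00")
    return bytes(c ^ p for c, p in zip(challenge, padded))


def eavesdropper_recovers_password(challenge: bytes, response: bytes) -> bytes:
    """An attacker who captured both messages XORs them back together:
    (challenge XOR password) XOR challenge == password."""
    return bytes(c ^ r for c, r in zip(challenge, response)).rstrip(b"\x00")


# ---- Keyed alternative: response = HMAC(key(password), challenge) ----------
# Stand-in for "encrypt the challenge with the password": the standard
# library has no block cipher, so a keyed MAC over the challenge is used.
# The response cannot be inverted to recover the key, so the answer's
# random-padding trick is unnecessary here.

PBKDF2_ITERATIONS = 20_000    # demo value; use a far higher count in production
SALT = b"per-user-salt"       # assumption: a per-user salt stored server-side


def derive_key(password: bytes) -> bytes:
    """Turn the password into a fixed-length key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, PBKDF2_ITERATIONS)


def keyed_response(challenge: bytes, key: bytes) -> bytes:
    """Client side of the keyed scheme: a MAC over the server's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Issues one fresh random challenge per attempt and checks the reply.
    It stores only the derived key, and forgets the challenge after one
    verification so that a captured response cannot be replayed."""

    def __init__(self, password: bytes) -> None:
        self.key = derive_key(password)
        self.pending: Optional[bytes] = None

    def new_challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = keyed_response(self.pending, self.key)
        self.pending = None           # one shot: a replay must fail
        return hmac.compare_digest(expected, response)


# ---- Caveat: a password-only scheme still permits offline guessing --------

def offline_guess(challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """With one captured (challenge, response) pair the attacker can test
    candidate passwords at leisure; a weak password still falls."""
    for candidate in wordlist:
        if hmac.compare_digest(keyed_response(challenge, derive_key(candidate)),
                               response):
            return candidate
    return None


def demo() -> dict:
    password = b"hunter2"                      # constructed weak password
    # 1. XOR scheme: one captured exchange gives away the password.
    ch1 = os.urandom(16)
    resp1 = xor_response(ch1, password)
    leaked = eavesdropper_recovers_password(ch1, resp1)
    # 2. Keyed scheme: a legitimate login works, a replayed response does not.
    server = Server(password)
    ch2 = server.new_challenge()
    resp2 = keyed_response(ch2, derive_key(password))
    ok = server.verify(resp2)
    server.new_challenge()                     # attacker is handed a fresh challenge
    replayed = server.verify(resp2)
    # 3. Offline guessing against the captured keyed exchange.
    guessed = offline_guess(ch2, resp2, [b"password", b"letmein", b"hunter2"])
    return {"leaked": leaked, "ok": ok, "replayed": replayed, "guessed": guessed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the server side has to hold either the password or the derived key to recompute the expected response, so the store it keeps is as sensitive as a password database; and because the transcript alone suffices for offline guessing, the scheme only protects passwords that would survive a dictionary attack.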
