Security, cryptography: Stupid Challenge - Response protocol?

别跟我提以往 2021-02-11 06:02

Ok guys just a small game:

I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a cha

4 answers
  •  盖世英雄少女心
    2021-02-11 06:37

    That's a pretty horrible protocol. If this is something someone wants you to implement, refuse to. There are existing, vetted protocols for this type of thing. If this is a game where you point out all the flaws - okay.

    • Anyone who hears steps 2 & 3 knows the password
    • Anyone who hears step 3 and notes the time can brute-force the password if he has any idea of the precision of the time on the server
    • I can pretend to be a server (arp poisoning, dns redirection, etc), and get your password, never completing step 4 and feigning a timeout
    • Vulnerable to Man in the Middle Attacks because there's no shared secret between client/server or certificates on the server
    • Relies on the server storing the SHA1(time) and waiting for a response, so I can overload the server with requests for challenges and never reply.

    And I'm definitely missing some more.
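To make the answer's points concrete, here is an added illustration (not code from the question or from the answerer) of a challenge-response exchange that avoids the listed flaws: the challenge is a random nonce rather than a hash of the clock, the client answers with an HMAC keyed by a password-derived key so the password itself never crosses the wire, the server authenticates its own challenges and keeps no per-challenge state (only nonces of accepted responses are remembered until they expire, so a flood of challenge requests costs it nothing), and the comparison is constant-time. Every name, the 30-second TTL and the key sizes are assumptions for this example; it does not replace a vetted protocol and, like the original, it does nothing about server authentication or a man in the middle, which needs TLS or certificates.

```python
# Added illustration of a challenge-response design that addresses the flaws
# in the answer above. Names, TTL and key sizes are assumptions for this example.
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

CHALLENGE_TTL = 30   # seconds a challenge stays valid (assumed value)
NONCE_LEN = 16       # 128-bit random nonce, not derived from the clock
EXPIRY_LEN = 8       # big-endian unsigned 64-bit expiry timestamp

# Server-side secret that authenticates the server's own challenges. Generated
# here for the example; a real server would load it from protected storage.
SERVER_KEY = os.urandom(32)

# Nonces of *accepted* responses, kept until their expiry to block replays.
# Unanswered challenges are never stored, so flooding challenge requests does
# not grow server memory.
_used_nonces: Dict[bytes, int] = {}


def derive_key(password: str, salt: bytes) -> bytes:
    """Per-user key the server stores instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_challenge(now: Optional[float] = None) -> bytes:
    """Stateless challenge: nonce || expiry || HMAC(SERVER_KEY, nonce || expiry)."""
    nonce = os.urandom(NONCE_LEN)
    expiry = int((now if now is not None else time.time()) + CHALLENGE_TTL)
    body = nonce + struct.pack(">Q", expiry)
    tag = hmac.new(SERVER_KEY, body, "sha256").digest()
    return body + tag


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client proves it knows the password without revealing it."""
    key = derive_key(password, salt)
    return hmac.new(key, challenge, "sha256").digest()


def verify(challenge: bytes, response: bytes, stored_key: bytes,
           now: Optional[float] = None) -> bool:
    """Server-side check: issued by us, unexpired, unused, and correct."""
    current = now if now is not None else time.time()
    body, tag = challenge[:NONCE_LEN + EXPIRY_LEN], challenge[NONCE_LEN + EXPIRY_LEN:]

    # 1. Reject challenges this server did not issue (forged or altered).
    expected_tag = hmac.new(SERVER_KEY, body, "sha256").digest()
    if not hmac.compare_digest(tag, expected_tag):
        return False

    # 2. Reject expired challenges.
    nonce = body[:NONCE_LEN]
    expiry = struct.unpack(">Q", body[NONCE_LEN:])[0]
    if current > expiry:
        return False

    # 3. Reject replays of an already accepted response; prune old entries.
    for old in [n for n, exp in _used_nonces.items() if exp < current]:
        del _used_nonces[old]
    if nonce in _used_nonces:
        return False

    # 4. Constant-time comparison of the expected HMAC.
    expected = hmac.new(stored_key, challenge, "sha256").digest()
    if not hmac.compare_digest(response, expected):
        return False
    _used_nonces[nonce] = expiry
    return True


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed sample value
    stored = derive_key("correct horse", salt)
    ch = make_challenge()
    print("valid:", verify(ch, client_response("correct horse", salt, ch), stored))
    print("replay:", verify(ch, client_response("correct horse", salt, ch), stored))
```

Note the caveat shared with CHAP-style schemes: the key the server stores is password-equivalent for this protocol, which is one of the problems that protocols such as SCRAM and password-authenticated key exchange are designed to address.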
