Ok guys just a small game:
I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a cha
You are right -- if you capture the challenge and (challenge XOR password) then extracting the password is easy.
You need to use proper encryption in step 3, not XOR. Encrypt the challenge with the password.
To make an attacker's life harder you could add random data to what you encrypt: e.g. encrypt paddingCHALLENGEpadding. The server doesn't care what the padding is; it knows where to look for the challenge, but it means an attacker won't know what the whole plaintext is.
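As an added illustration (not code from the thread), the check below runs the spec's XOR step against a captured challenge/response pair to show that a passive observer recovers the password, then contrasts it with a keyed-MAC response (HMAC-SHA256 over the challenge, key derived from the password with PBKDF2 and a server-held salt, which is my substitution for "encrypt the challenge with the password") that a server can verify without the transcript revealing the password. The password, challenge and salt are constructed sample values.

```python
import hashlib
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


# --- Step 3 as written in the spec: response = challenge XOR password ---
def xor_response(challenge: bytes, password: bytes) -> bytes:
    return xor_bytes(challenge, password)


def leaks_password(challenge: bytes, response: bytes, password: bytes) -> bool:
    """A passive observer who saw both messages XORs them back together.
    Returns True when that reproduces the password, i.e. the scheme leaks."""
    return xor_bytes(challenge, response) == password


# --- Keyed-MAC alternative (assumption: HMAC-SHA256, PBKDF2-derived key) ---
def derive_key(password: bytes, salt: bytes) -> bytes:
    # The server stores salt + derived key, never the raw password.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def mac_response(challenge: bytes, key: bytes) -> bytes:
    # Client answers with a MAC over the fresh challenge; no XOR inversion exists.
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verify(challenge: bytes, response: bytes, key: bytes) -> bool:
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(mac_response(challenge, key), response)


if __name__ == "__main__":
    password = b"hunter22"            # constructed sample password
    challenge = bytes(range(8))       # constructed sample challenge (same length)
    salt = b"constructed-salt"
    print("XOR scheme leaks:", leaks_password(challenge, xor_response(challenge, password), password))
    key = derive_key(password, salt)
    print("MAC scheme verifies:", server_verify(challenge, mac_response(challenge, key), key))
```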