Challenge/Response authentication

Steve Holden sholden at holdenweb.com
Fri Jul 26 10:19:40 EDT 2002


"Dale Strickland-Clark" <dale at riverhall.NOTHANKS.co.uk> wrote in message
news:05a2ku0canlcg4a3t3cuck7q9cqlrntu46 at 4ax.com...
> I've not done any research into this yet so I could have this
> completely about my ears.
>
> We need to do some basic authentication to control access to some
> resources through HTTP.
>
> As I understand it, challenge/response works thus:
>
> 1. client prompts server to connect.
> 2. server invents a random string.
> 3. server sends random string to client.
> 4. client produces SHA/MD5 digest of random string
> 5. client updates digest with password producing client digest
> 6. client sends client digest to server with userid
> 7. server looks up client password
> 8. server produces SHA/MD5 digest of random string
> 9. server updates digest with client password producing authentic
> digest
> 10. server compares client digest with authentic digest
> 11. if matched client is authenticated.
>
> Can anyone see any holes in this and does anyone have any experience
> of such a scheme? Is there anything we should look out for?
>
> I'm planning to use the MD5 module for the digests.
>

Dale:

You should be careful about terminology here, since the wording you
currently use conflicts with standard terms in the HTTP lexicon. There are
currently three well-known authentication schemes:

Basic: "user:pass" is sent as the Base64-encoded content of the
"Authorization" (?) header.

Challenge/response (Internet Explorer only, AFAIK): the server issues a
challenge, the client uses the username/password to mangle the challenge,
the server confirms it would mangle in the same way and thereby
authenticates the user.

Digest (AFAIK only available on Apache, no browser implementations):
something much more open and secure than challenge/response. Tim
Hammerquist's posting puts you straight on the details.

If you get digest authentication working it would be neat to retrofit it to
the library.

regards
-----------------------------------------------------------------------
Steve Holden                                 http://www.holdenweb.com/
Python Web Programming                http://pydish.holdenweb.com/pwp/
-----------------------------------------------------------------------
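The exchange Dale lists in steps 1 to 10, written out as an added example that is not from the original thread. It uses hashlib (the successor of the md5 module the post mentions), hmac.compare_digest for the final comparison, and a constructed user table; each issued challenge is accepted once, so a captured response cannot be presented a second time.

```python
import hashlib
import hmac
import os

# Constructed sample credential store. As described in the post, the server
# must know the password itself (step 7), since it recomputes the digest.
USERS = {"dale": "s3cret"}


def make_challenge() -> str:
    """Step 2: the server invents a random string (a nonce)."""
    return os.urandom(16).hex()


def response_digest(challenge: str, password: str) -> str:
    """Steps 4-5 (client) and 8-9 (server): digest the challenge, then
    update with the password.  This equals md5(challenge + password)."""
    h = hashlib.md5(challenge.encode())
    h.update(password.encode())
    return h.hexdigest()


class Server:
    def __init__(self, users):
        self.users = users
        self.outstanding = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> str:
        c = make_challenge()
        self.outstanding.add(c)
        return c  # step 3: sent to the client

    def verify(self, userid: str, challenge: str, client_digest: str) -> bool:
        """Steps 7-10: look up the password, recompute, compare.
        Each challenge is single-use, so a replayed digest is rejected."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        password = self.users.get(userid)
        if password is None:
            return False
        expected = response_digest(challenge, password)
        return hmac.compare_digest(expected, client_digest)


def run_exchange(server: Server, userid: str, password: str) -> bool:
    """One full round trip: client side in the middle, server on both ends."""
    challenge = server.issue_challenge()             # steps 1-3
    digest = response_digest(challenge, password)    # steps 4-5
    return server.verify(userid, challenge, digest)  # steps 6-10
```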