Challenge/Response authentication

Dale Strickland-Clark dale at riverhall.NOTHANKS.co.uk
Fri Jul 26 07:11:14 EDT 2002


I've not done any research into this yet so I could have this
completely about my ears.

We need to do some basic authentication to control access to some
resources through HTTP.

As I understand it, challenge/response works thus:

1. client prompts server to connect.
2. server invents a random string.
3. server sends random string to client.
4. client produces SHA/MD5 digest of random string
5. client updates digest with password producing client digest
6. client sends client digest to server with userid
7. server looks up client password
8. server produces SHA/MD5 digest of random string
9. server updates digest with client password producing authentic digest
10. server compares client digest with authentic digest
11. if matched client is authenticated.

Can anyone see any holes in this and does anyone have any experience
of such a scheme? Is there anything we should look out for?

I'm planning to use the MD5 module for the digests.

Thanks.
--
Dale Strickland-Clark
Riverhall Systems Ltd
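The steps listed in the post, written out as an added Python example (not code from the post or from any Python module): hashlib.md5 stands in for the md5 module mentioned, and the userid, password and challenge length are made up. The server side consumes each challenge after one use, so a captured response cannot be submitted a second time.

```python
import hashlib
import hmac
import secrets


def client_digest(challenge: bytes, password: bytes) -> str:
    """Steps 4-5: digest of the random string, then updated with the password."""
    h = hashlib.md5()  # hashlib.md5 stands in for the old md5 module
    h.update(challenge)
    h.update(password)
    return h.hexdigest()


class Server:
    """Steps 2-3 and 7-11. Challenges are single-use so a recorded
    response is only good for the one challenge it answered."""

    def __init__(self, password_db: dict[str, bytes]):
        self.password_db = password_db  # the scheme needs the plaintext password
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)  # step 2: unpredictable random string
        self.outstanding.add(c)
        return c  # step 3

    def verify(self, userid: str, challenge: bytes, response: str) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown, expired or already-answered challenge
        self.outstanding.discard(challenge)  # one response per challenge
        password = self.password_db.get(userid)  # step 7
        if password is None:
            return False
        expected = client_digest(challenge, password)  # steps 8-9
        return hmac.compare_digest(expected, response)  # step 10, constant time


def demo() -> tuple[bool, bool, bool]:
    # Constructed credentials for the demonstration only.
    server = Server({"dale": b"correct horse"})
    c = server.challenge()
    good = server.verify("dale", c, client_digest(c, b"correct horse"))
    replay = server.verify("dale", c, client_digest(c, b"correct horse"))
    c2 = server.challenge()
    wrong = server.verify("dale", c2, client_digest(c2, b"wrong"))
    return good, replay, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```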


