Challenge/Response authentication

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Fri Jul 26 19:51:20 EDT 2002


Dale Strickland-Clark <dale at riverhall.NOTHANKS.co.uk> writes:
> I see the process working something like this:
> 
> 1. The client system calls a CGI script on our server and retrieves a
> challenge string and thus initiates a session
> 2. The client system then constructs the frame page with its response
> in the url for the frame source (among other things).
> 3. If authenticated, we display the requested forms (in sequence),
> passing control to a pre-arranged url at the end of processing.
> 
> This isn't a sensitive application. If someone breaks into it, all
> they are rewarded with is a series of forms to fill in. We just want to
> limit the scope for idle buggering about.

Well, depending on what happens as a result of their filling in the
forms (do you send anyone's money to an address supplied in the form?)
you may not have to worry too much.

I'm still not clear on why you need challenge-response anyway though.
Suppose the client just puts HMAC(current date/time, secret key) into
the URL along with the date/time in hex.  Then use the HTTP Referer
header to figure out who the client is (or put that in the URL too)
and authenticate the URL.  By examining the date/time you can reject
old/stale URLs.
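As an added example (not code from the thread) of the HMAC-in-the-URL scheme Paul describes, in Python: the client signs the client id and a hex timestamp, and the server recomputes the MAC, compares it in constant time, and rejects stale URLs. The secret key, the five-minute freshness window, the SHA-256 HMAC and the URL parameter names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample key; in practice this is the per-client shared secret.
SECRET_KEY = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300  # assumed window: reject URLs older than five minutes


def sign_url(base, client_id, key, now=None):
    """Client side: append client id, hex timestamp and HMAC to the URL."""
    ts = int(time.time() if now is None else now)
    ts_hex = format(ts, "x")
    # The MAC covers both the client id and the timestamp, so neither
    # can be swapped independently without invalidating the URL.
    msg = f"{client_id}|{ts_hex}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    query = urlencode({"client": client_id, "ts": ts_hex, "mac": mac})
    return f"{base}?{query}"


def verify_url(url, key_lookup, now=None, max_age=MAX_AGE_SECONDS):
    """Server side: return the client id if the URL is authentic and fresh, else None."""
    params = parse_qs(urlparse(url).query)
    try:
        client_id = params["client"][0]
        ts_hex = params["ts"][0]
        mac = params["mac"][0]
        ts = int(ts_hex, 16)
    except (KeyError, IndexError, ValueError):
        return None  # missing or malformed parameters
    key = key_lookup(client_id)
    if key is None:
        return None  # unknown client
    msg = f"{client_id}|{ts_hex}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    current = int(time.time() if now is None else now)
    # Reject stale URLs, and ones that claim to come from the future.
    if not 0 <= current - ts <= max_age:
        return None
    return client_id
```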
