Send password over TCP connection

Steve Holden steve at holdenweb.com
Mon Oct 10 11:58:27 EDT 2005


Peter Tillotson wrote:
> simplest approach is to one-way hash the password ... perhaps using md5
> 
No, it isn't - see below.

> normally with passwords the server only has to check if it is the same 
> word; assuming the same hash algorithm, the same hash value can be 
> created at the client.
> 
Unfortunately this means that the client sends the same string every 
time the user authenticates.

> It's not hugely secure ... anyone sniffing can grab your hash value and 
> then try to crack it at their leisure. It would be better to communicate 
> over ssl.
> 
It's not even that secure: all they have to do is replay the data 
sniffed from the server and they too can authenticate themselves. They 
don't have to know what the plain-text password is.

> Anyone know of a simple ssl api in python :-)
> 
A safer way would be to use some sort of challenge-response mechanism, 
where the server presents a challenge C to the client, which then 
computes some function of both C and the plain-text password provided by 
the user. The server then authenticates by performing the same 
computation on C and the known password.

As long as the server uses a different challenge each time then this is 
at least secure from replay attacks. But this scheme does have the 
weakness that the server must know the password of each user.

For something even more secure, look at OPIE and similar schemes. But 
let's not forget that all these schemes only secure the authentication 
exchange: they do nothing to protect application data.

regards
  Steve

> dcrespo wrote:
> 
>>Hi all,
>>
>>I have a program that serves client programs. The server has a login
>>password, which has to be used by each client for logging in. So, when
>>the client connects, it sends a string with a password, which is then
>>validated on the server side. The problem is obvious: anyone can get
>>the password just sniffing the network.
>>
>>How can I solve this?
>>
>>Daniel
>>


-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC                     www.holdenweb.com
PyCon TX 2006                  www.python.org/pycon/
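The two schemes discussed in this thread, side by side, as an added example (not code from the thread or its participants): the "send a fixed hash of the password" approach that Peter proposed, which a sniffer can replay without ever learning the password, and the challenge-response scheme Steve describes, where the server issues a fresh single-use challenge C and the client answers with a function of C and the password (HMAC-SHA256 here, which is one reasonable choice of that function, not something the thread specifies). All names (`static_hash_token`, `ChallengeResponseServer`, `compute_response`, `demo`) and the sample password are assumptions made for the demo; the exchange is simulated in memory rather than over a real socket.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret for the demo. As Steve notes, the challenge-response
# server still has to know each user's password in order to check the response.
SERVER_PASSWORD = "correct horse battery staple"


# --- Scheme 1: client sends a fixed one-way hash of the password --------------

def static_hash_token(password: str) -> str:
    """Client side. The token is identical on every login, so whoever captures
    it once can present it again; the plaintext password is never needed."""
    return hashlib.sha256(password.encode()).hexdigest()


def static_hash_verify(token: str, known_password: str) -> bool:
    """Server side: recompute the same hash and compare (constant time)."""
    return hmac.compare_digest(token, static_hash_token(known_password))


# --- Scheme 2: challenge-response ---------------------------------------------

def compute_response(challenge: bytes, password: str) -> bytes:
    """f(C, password), run by both client and server: HMAC-SHA256 keyed with
    the password over the challenge bytes. A sniffer sees C and the MAC but
    cannot produce the MAC for a different C without the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, known_password: str) -> None:
        self._password = known_password
        # Challenges issued but not yet answered. A real server would also
        # expire these after a short timeout and bound the set size.
        self._outstanding: set[bytes] = set()

    def new_challenge(self) -> bytes:
        """Issue a fresh random challenge; 16 bytes from the CSPRNG."""
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        """Accept (C, R) only if C was issued by us and has not been used yet.
        The challenge is consumed before the MAC check, so a replay of a
        sniffed (C, R) pair fails even though the MAC itself is valid."""
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = compute_response(challenge, self._password)
        return hmac.compare_digest(expected, response)


def demo() -> tuple[bool, bool, bool]:
    """Returns (static_replay_accepted, cr_first_login, cr_replay_accepted)."""
    # Scheme 1: the sniffed token logs the attacker straight in.
    sniffed_token = static_hash_token(SERVER_PASSWORD)
    static_replay_accepted = static_hash_verify(sniffed_token, SERVER_PASSWORD)

    # Scheme 2: legitimate login succeeds, replay of the same (C, R) fails.
    server = ChallengeResponseServer(SERVER_PASSWORD)
    c = server.new_challenge()                     # server -> client
    r = compute_response(c, SERVER_PASSWORD)       # client -> server
    cr_first_login = server.verify(c, r)
    cr_replay_accepted = server.verify(c, r)       # attacker re-sends (C, R)
    return static_replay_accepted, cr_first_login, cr_replay_accepted


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The single-use bookkeeping in `verify` is what turns "a different challenge each time" into actual replay resistance: if the server merely generated random challenges but accepted any (C, R) with a valid MAC, a captured pair would still work. Note also that neither scheme protects the application data that follows authentication, which is the point Steve closes on.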