Send password over TCP connection

Laszlo Zsolt Nagy gandalf at designaproduct.biz
Tue Oct 11 02:58:11 EDT 2005


dcrespo wrote:

>¡Beautiful and elegant solution!
>
>Two copies of the password: one on the client, the other on the server.
>
>1. Client wants to connect
>2. Server generates a random_alphanumeric_string and sends it to the
>client
>3. Both Client and Server create a hash string from
><password+random_alphanumeric_string>
>4. Client sends the hash string to the server
>5. Server compares his hash result with the hash string received from
>the client.
>
>I think it is a very good solution, isn't it?
>  
>
In fact this is almost an OTP, but be aware!
A man-in-the-middle attack can crack your algorithm. This is because you 
create a random string only on one side.
You cannot trust the connection you are using. You can modify your 
algorithm to be more secure:

1. Client wants to connect
2. Server generates a server_random_alphanumeric_string and sends it to the
client
3. Client generates a client_random_alphanumeric_string and sends it to the
client too
4. Both Client and Server create a hash string from
<server_random_alphanumeric_string+password+client_random_alphanumeric_string>

5. Client sends the hash string to the server
6. Server compares his hash result with the hash string received from
the client.

This is only a small difference, but it makes sense. An intruder (who knows 
your algorithm, because getting the code is not that difficult) could 
set up a fake server for you, and send back HIS string (that is not 
random). Suppose we have a weakness in the hash function. The intruder 
can exploit this weakness by sending you his special string. The 
modified version has the advantage of sending two random strings; this 
way the intruder cannot take advantage of possible hash function 
weaknesses, because the hash function will be called on a string that is 
random for sure.

Best,

Les
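The two-nonce challenge-response described in the reply, written out as an added example (not code from either poster). It assumes SHA-256 as the hash, 16-byte nonces from `secrets`, and a constant-time digest comparison on the server; the last function shows that even when a fake server sends a fixed, non-random challenge, the client's own nonce still makes the hashed input differ on every run.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demo: both sides hold a copy, as in the thread.
PASSWORD = b"correct horse battery staple"


def response_hash(server_nonce: bytes, password: bytes, client_nonce: bytes) -> str:
    """Step 4 of the modified scheme: hash(server_nonce + password + client_nonce)."""
    return hashlib.sha256(server_nonce + password + client_nonce).hexdigest()


class Server:
    def __init__(self, password: bytes):
        self.password = password
        self.server_nonce = None

    def challenge(self) -> bytes:
        # Step 2: the server contributes its own fresh randomness.
        self.server_nonce = secrets.token_bytes(16)
        return self.server_nonce

    def verify(self, client_nonce: bytes, client_hash: str) -> bool:
        # Steps 5-6: recompute the hash locally and compare in constant time.
        expected = response_hash(self.server_nonce, self.password, client_nonce)
        return hmac.compare_digest(expected, client_hash)


class Client:
    def __init__(self, password: bytes):
        self.password = password

    def respond(self, server_nonce: bytes):
        # Step 3: the client adds its own nonce, so the hashed input is random
        # even if the "server" chose its challenge adversarially.
        client_nonce = secrets.token_bytes(16)
        return client_nonce, response_hash(server_nonce, self.password, client_nonce)


def run_handshake(server: Server, client: Client) -> bool:
    """Drive one full exchange and return the server's accept/reject decision."""
    server_nonce = server.challenge()
    client_nonce, digest = client.respond(server_nonce)
    return server.verify(client_nonce, digest)


def responses_differ_for_fixed_challenge(client: Client) -> bool:
    """A fake server replays one fixed challenge twice; the hashes still differ."""
    fixed_challenge = b"A" * 16  # attacker-chosen, not random
    _, first = client.respond(fixed_challenge)
    _, second = client.respond(fixed_challenge)
    return first != second
```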





More information about the Python-list mailing list