Send password over TCP connection

Dan Stromberg strombrg at dcs.nac.uci.edu
Mon Oct 10 16:31:46 EDT 2005


On Mon, 10 Oct 2005 08:06:27 -0700, dcrespo wrote:

> Hi all,
> 
> I have a program that serves client programs. The server has a login
> password, which has to be used by each client for logging in. So, when
> the client connects, it sends a string with a password, which is then
> validated on the server side. The problem is obvious: anyone can get
> the password just sniffing the network.
> 
> How can I solve this?
> 
> Daniel

What I've been doing for this is to:

1) Store two copies of a (symmetric), one on the client host, one on the
server host.

2) When the client wants to connect to the server, have the server
generate a random string of bits, hash the client's password with the
string, and then send the random string to the client

3) The client then hashes its copy of the same password with that random
string, and sends the result back to the server

4) The server, upon receiving the correct hash result, provides service

There are a lot of collisions being found in hash algorithms these days. 
I haven't heard about any in the RIPEMD family of hash algorithms yet.

Another possibility is to just use Diffie-Hellman key exchange (pretty
simple to code the base algorithm in Python - I have an implementation
in pure python for you if you want - but I hear that some numbers are
more prone to attack than others, which my code does not attempt to take
into account) to get a shared encryption key on both ends of the
communication, and then encrypt everything with that.
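
The challenge-response steps described in the message above, as an added example that is not part of the original post or the poster's own code. It assumes HMAC-SHA256 as the keyed hash (the post names no construction), and the `Server` class, function names and sample secret are hypothetical.

```python
import hashlib
import hmac
import secrets


def make_challenge(nbytes: int = 32) -> bytes:
    """Step 2: a fresh, unpredictable random string for each login attempt."""
    return secrets.token_bytes(nbytes)


def compute_response(shared_secret: bytes, challenge: bytes) -> bytes:
    """Steps 2 and 3: both ends combine the shared secret with the challenge.

    HMAC-SHA256 replaces a bare hash(password + challenge) here; that choice
    is an assumption of this example, not something the post specifies.
    """
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._pending = None  # challenge outstanding on this connection

    def issue_challenge(self) -> bytes:
        self._pending = make_challenge()
        return self._pending

    def verify(self, response: bytes) -> bool:
        """Step 4: accept only a correct answer to the outstanding challenge."""
        if self._pending is None:
            return False
        expected = compute_response(self._secret, self._pending)
        self._pending = None  # single use, so a sniffed response is useless later
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    secret = b"constructed-shared-secret"  # sample value, constructed
    server = Server(secret)
    sniffed = compute_response(secret, server.issue_challenge())
    results = {"first_login": server.verify(sniffed)}
    server.issue_challenge()  # new connection gets a new challenge
    results["replayed_response"] = server.verify(sniffed)
    challenge = server.issue_challenge()
    results["wrong_secret"] = server.verify(compute_response(b"guess", challenge))
    return results


if __name__ == "__main__":
    print(demo())
```

An eavesdropper who records both the challenge and the response can still test password guesses offline, so the shared secret needs to be long and random rather than a human-chosen password.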
