OK guys, just a small game:
I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a challenge-response protocol:
CLIENT                                          SERVER
(1) ask for challenge      -------------->
                           <--------------      (2) send SHA1 taken from the time (this is the challenge)
(3) make SHA1 xor PASSWORD -------------->      if it's equal to SHA1 xor stored password:
                           <--------------      (4) Grant access
For those who don't know it SHA stands for Secure Hashing Algorithm, a standard algorithm for cryptography.
I hope it's clear. Question is: if I sniff packets 2 and 3 (the "challenge" and the "challenge xor password"), I get the actual password just with another XOR between the two!?!? Is there another way to implement this kind of protocol??
How about the following:
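The exchange described above, as an added example that is not part of the original post: both sides of the posted XOR scheme are written out in Python, together with what a passive observer of packets 2 and 3 can compute from them, and next to it a keyed-hash (HMAC) challenge-response of the kind normally used instead. The sample password, the zero-padding of the password to SHA-1 length (the post does not say how a short password is XORed with a 20-byte digest) and the random-nonce challenge in the HMAC variant are assumptions of this example, not details from the post.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample secret shared by client and server; not taken from the post.
PASSWORD = b"correct horse"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_password(password: bytes) -> bytes:
    """Assumption: the password is right-padded with zero bytes to the SHA-1
    digest length so it can be XORed with the 20-byte challenge."""
    if len(password) > DIGEST_LEN:
        raise ValueError("password longer than SHA-1 digest")
    return password.ljust(DIGEST_LEN, b"\x00")


def time_challenge(now: Optional[float] = None) -> bytes:
    """Step 2 of the posted scheme: SHA-1 of the current time."""
    if now is None:
        now = time.time()
    return hashlib.sha1(repr(now).encode()).digest()


# --- the posted scheme --------------------------------------------------------

def xor_response(challenge: bytes, password: bytes) -> bytes:
    """Step 3 as posted: client sends challenge XOR password."""
    return xor_bytes(challenge, pad_password(password))


def xor_server_check(challenge: bytes, response: bytes, stored_password: bytes) -> bool:
    """Step 4 as posted: server compares with challenge XOR stored password."""
    expected = xor_bytes(challenge, pad_password(stored_password))
    return hmac.compare_digest(response, expected)


def recover_from_sniffed(challenge: bytes, response: bytes) -> bytes:
    """What an observer of packets 2 and 3 learns: (challenge XOR pw) XOR challenge
    equals pw, exactly as the post suspects. The zero padding is stripped again
    (this would eat trailing NUL bytes of a real password, fine for the demo)."""
    return xor_bytes(response, challenge).rstrip(b"\x00")


# --- keyed-hash alternative (standard technique, not from the post) -----------

def random_challenge() -> bytes:
    """Fresh unpredictable nonce instead of a hash of the clock."""
    return secrets.token_bytes(DIGEST_LEN)


def hmac_response(challenge: bytes, password: bytes) -> bytes:
    """Client proves knowledge of the password with HMAC-SHA1(password, challenge).
    The tag is a one-way function of the password, so XORing it with the
    challenge no longer yields anything useful."""
    return hmac.new(password, challenge, hashlib.sha1).digest()


def hmac_server_check(challenge: bytes, response: bytes, stored_password: bytes) -> bool:
    """Server recomputes the tag for the challenge it issued and compares in
    constant time."""
    expected = hmac.new(stored_password, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(response, expected)


def demo() -> dict:
    """Run both exchanges once and report what the wire reveals."""
    c1 = time_challenge()
    r1 = xor_response(c1, PASSWORD)
    c2 = random_challenge()
    r2 = hmac_response(c2, PASSWORD)
    return {
        "xor_accepted": xor_server_check(c1, r1, PASSWORD),
        "xor_sniffed_password": recover_from_sniffed(c1, r1),
        "hmac_accepted": hmac_server_check(c2, r2, PASSWORD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the XOR server accepting the login and the sniffed password falling out of the two captured packets, while the HMAC server accepts a tag from which the password cannot be read back. Two caveats a practitioner would still raise about the HMAC variant: an observer who captures challenge and tag can still test password guesses offline, so a weak password stays weak, and the server must hold the password (or a key derived from it) to recompute the tag; the clock-derived challenge of the original scheme is also predictable, which is why the example draws the nonce from `secrets`.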