securitycryptographychallenge-response

Security, cryptography: Stupid Challenge - Response protocol?


Ok guys just a small game:

I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a challenge response protocol:

CLIENT ----------------------------- SERVER

(1)ask for challenge -------------->

(2)    <---------------------------- send SHA1 taken from the time
                                       (this is the challenge)
(3) make SHA1 xor PASSWORD --------> if it's equal to SHA1 xor stored password

(4)    <---------------------------- Grant access

For those who don't know it SHA stands for Secure Hashing Algorithm, a standard algorithm for cryptography.

I hope it's clear. Question is: If I sniff packets 2 and 3 (the "challenge" and the "challenge xor password", I do have the actual password just with another xor between them both!?!? There is other way to implement this kind of protocol??


Solution

  • How about the following:

    1. Server sends a random challenge
    2. Client sends SHA1 checksum of (challenge+password)
    3. Servers compares against SHA1 checksum of (challenge+stored password)