[CQ-Contest] An evil reason behind fishy spots?
cqcontest at kg6haf.com
Sat Apr 12 11:46:56 EDT 2003
>Sending passwords on rf is rather worthless as anyone with a tnc can
>monitor them. To do it securely would require a one-time use password
>that changes for each login,
Using a challenge/response exchange you can verify a password without
sending it over the link. (Server encrypts a random number with what
it thinks is the user's password. Sends same random number to client
(challenge). Client encrypts random number with password and sends
result back (response). Server compares both encrypted results to be
sure they are the same.)
Even this requires a lot of infrastructure change to implement, of course.
-- Ward (the pedantic one who wrote authentication software once upon
a time and is glad he no longer has anything to do with it) / KG6HAF
More information about the CQ-Contest