Paul,
What you want is called a zero-knowledge protocol. Some of the
characteristics of a 0K protocol are:
The password is not known by the server - can't try to use it at
another server.
A third party watching the exchange will gain no knowledge of the
password.
The protocol is not re playable - a third party cannot record client
responses and replay them.
The protocol is not subject to a man-in-the-middle attack
This protocol is also cross authentication - the server is
authenticated to the client as well as the client to the server
So how does this work?
An initial password is created that is known by the administrator and is
told to the user(secretly).
The user logs in using the initial password and then changes the password.
Now the user is the ONLY one that knows the password - neither the
administrator or the server knows it.
The protocol:
Client
Server
Acquire the Username
Username--------------->
Use username and lookup in DB
get Salt and HSP out of DB
Salt is a random number chosen when PW was created
HSP is a cryptographic hash of the Salt and PW
pick a random number - Cs (Server Challenge)
encrypt Cs using HSP as key - HSP(Cs)
<----------------------Salt,
HSP(Cs)
Acquire the PW
compute HSP
Decrypt Cs
pick a random number - Cc (Client Challenge)
Encrypt Cc, Cs using HSP as key - HSP(Cc, Cs)
HSP(Cc, Cs)-------------------->
Decrypt Cc and Cs-which is called Rc(Client Response)
Compare Rc with Cs - if not the same, close the connection
otherwise, mark the connection as authenticated and
save Cs and Cc - use to create master session key
encrypt Cc with HSP as the key
<------------------------------HSP(Cc)
decrypt HSP(Cs) and call it Rs(Server Response)
compare Cc with Rs
if not the same, close connection
otherwise, mark connection as authenticated and
save Cs and Cc - use to create master session key
The reason Cs and Cc are both used to create the master session key is
so that both the client and the server contribute entropy to the key.
Don't be afraid to ask questions - there is a lot of subtle things here
that have not been fully explained. There are also things that can be
done with this protocol to make things more difficult for an attacking
client or a forged server.
Doug
