Stephen:

        Heya. When you make a VNC connection, the password you
type is not sent across the wires, not in plaintext, and not
encrypted. Instead, the exchange uses something called "challenge
response". Good description here:

http://en.wikipedia.org/wiki/Challenge-response

        Works mostly like this: the server creates a random number,
encrypts it with the known password, and sends that in a message
to the viewer. Anyone "spying" on the wires sees only randomness.
The viewer receives that message and decrypts the random number
using the password the user provided (ie, typed into the viewer).
It then combines that number with the password, and creates a
"hash" (i.e., a one-way function) of the result. It sends that hash
result back to the server. The server then does the same thing:
it combines the random number with the known password, uses the
same hash algorithm, and gets a result. If that result matches
the result sent by the viewer, then the viewer must "know" the
same password. That is, the viewer had a correct "response" to
the server's "challenge".

hope that helps,
Scott
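The following is an added illustration of the challenge-response pattern Scott describes, written for this thread; it is not RealVNC's code and does not reproduce VNC's exact algorithm. It simplifies the exchange by sending the random challenge in the clear (the usual form of the pattern) and uses HMAC-SHA256 as the "combine with the password and hash" step. Both names, `Server` and `viewer_response`, are invented for the example. It shows what crosses the wire, that a wrong password fails, and that a captured response cannot simply be replayed.

```python
import hashlib
import hmac
import secrets


class Server:
    """Hypothetical server side: knows the password, issues challenges, checks responses."""

    def __init__(self, password: str):
        self._password = password.encode()
        self._outstanding: set[bytes] = set()   # challenges issued but not yet answered

    def make_challenge(self) -> bytes:
        # Fresh 16-byte random challenge; an observer on the wire sees only this.
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def _expected(self, challenge: bytes) -> bytes:
        # "Combine the random number with the password and hash it" (here: HMAC-SHA256).
        return hmac.new(self._password, challenge, hashlib.sha256).digest()

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is accepted once, so a recorded response cannot be replayed.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._expected(challenge), response)


def viewer_response(password: str, challenge: bytes) -> bytes:
    """Hypothetical viewer side: derive the response from the typed password and the challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def run_exchange(server_password: str, viewer_password: str) -> tuple[bool, bytes, bytes]:
    """Run one authentication and return (accepted, challenge_on_wire, response_on_wire)."""
    server = Server(server_password)
    challenge = server.make_challenge()              # server -> viewer
    response = viewer_response(viewer_password, challenge)  # viewer -> server
    return server.verify(challenge, response), challenge, response


def password_visible_on_wire(server_password: str, viewer_password: str) -> bool:
    """True only if the password bytes appear anywhere in the captured exchange."""
    _, challenge, response = run_exchange(server_password, viewer_password)
    wire = challenge + response
    return viewer_password.encode() in wire


def replay_is_rejected(password: str) -> bool:
    """A second submission of a captured (challenge, response) pair must fail."""
    server = Server(password)
    challenge = server.make_challenge()
    response = viewer_response(password, challenge)
    first = server.verify(challenge, response)
    second = server.verify(challenge, response)
    return first and not second


if __name__ == "__main__":
    ok, chal, resp = run_exchange("constructed-pw", "constructed-pw")
    print("correct password accepted:", ok)
    print("challenge on wire:", chal.hex())
    print("response on wire :", resp.hex())
    print("wrong password accepted:", run_exchange("constructed-pw", "guess")[0])
    print("replay rejected:", replay_is_rejected("constructed-pw"))
```

The point for Stephen's question is visible in the transcript: the password itself never crosses the wire, only a random challenge and a value derived from it. What this pattern does not do is make a weak password safe, since an observer who records the challenge and response can test guesses against them offline, which is why sharing the VNC password with a UNIX account password remains a poor idea even though it is not sent in plain text.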

How secure are the VNC passwords in the free version of realVNC?

By that, I mean the following:  I understand that the VNC session itself is
not encrypted, so that someone could intercept the VNC session.  My question
is:  when I _open_ a VNC session by connecting from a client to a server, is
the password sent in plain text, or is it encrypted?  (If it's sent in plain
text, then it would be a bad idea to advise naive users that it's OK to have
the VNC password identical to their UNIX account password.)
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
