Question
Ok guys just a small game:
I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a challenge response protocol:
CLIENT ----------------------------- SERVER
(1)ask for challenge -------------->
(2) <---------------------------- send SHA1 taken from the time
(this is the challenge)
(3) make SHA1 xor PASSWORD --------> if it's equal to SHA1 xor stored password
(4) <---------------------------- Grant access
For those who don't know it SHA stands for Secure Hashing Algorithm, a standard algorithm for cryptography.
I hope it's clear. Question is: If I sniff packets 2 and 3 (the "challenge" and the "challenge xor password"), I do have the actual password, just with another xor between them both!?!? Is there another way to implement this kind of protocol?
Recommended answer
What about the following:
- the server sends a random challenge
- the client sends the SHA1 checksum of (challenge + password)
- the server compares it with the SHA1 checksum of (challenge + stored password)
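To make the two exchanges concrete, here is an added example in Python (not code from the question or the answer): the XOR scheme from the question next to the hash scheme from the answer, showing that a passive observer of packets 2 and 3 recovers the password from the first, while the same two packets neither reveal the password nor replay against a fresh challenge in the second. The password value is constructed for the demonstration.

```python
import hashlib
import secrets
import time

PASSWORD = b"hunter2!"  # constructed sample; known to the client, stored on the server


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, zero-padding the shorter one."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


# Scheme from the question: challenge = SHA1(time), response = challenge XOR password.
def xor_challenge() -> bytes:
    return hashlib.sha1(str(time.time()).encode()).digest()  # predictable, 20 bytes


def xor_response(challenge: bytes, password: bytes) -> bytes:
    return xor_bytes(challenge, password)


def xor_server_accepts(challenge: bytes, response: bytes, stored: bytes) -> bool:
    return response == xor_bytes(challenge, stored)


def eavesdropper_recovers_password(challenge: bytes, response: bytes) -> bytes:
    """Packet 2 XOR packet 3 undoes the 'encryption' (assumes no trailing NUL in the password)."""
    return xor_bytes(challenge, response).rstrip(b"\0")


# Scheme from the answer: random challenge, response = SHA1(challenge + password).
def hash_challenge() -> bytes:
    return secrets.token_bytes(20)  # fresh and unpredictable per attempt


def hash_response(challenge: bytes, password: bytes) -> bytes:
    return hashlib.sha1(challenge + password).digest()


def hash_server_accepts(challenge: bytes, response: bytes, stored: bytes) -> bool:
    expected = hashlib.sha1(challenge + stored).digest()
    return secrets.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    c1, c2, c3 = xor_challenge(), hash_challenge(), hash_challenge()
    r1, r2 = xor_response(c1, PASSWORD), hash_response(c2, PASSWORD)
    return {
        "xor_accepts": xor_server_accepts(c1, r1, PASSWORD),
        "xor_leaks_password": eavesdropper_recovers_password(c1, r1) == PASSWORD,
        "hash_accepts": hash_server_accepts(c2, r2, PASSWORD),
        "hash_rejects_wrong_password": hash_server_accepts(c2, hash_response(c2, b"wrong"), PASSWORD),
        "hash_rejects_replayed_response": hash_server_accepts(c3, r2, PASSWORD),
    }
```

Note that in both schemes the server must hold the cleartext password (or an equivalent secret) to compute the expected value; the usual keyed form of the answer's construction is an HMAC.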
That concludes this piece on "Security, cryptography: stupid challenge-response protocol?"; we hope the recommended answer helps.