本文介绍了安全性,加密技术:愚蠢的挑战-响应协议?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

好家伙只是一个小游戏:

Ok guys just a small game:

我有一个项目的规格.在某个时候,他们要求以下内容通过网络对密码进行加密,说这是一个挑战响应协议:

I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a challenge response protocol:


CLIENT ----------------------------- SERVER

(1)ask for challenge -------------->

(2)    <---------------------------- send SHA1 taken from the time
                                       (this is the challenge)
(3) make SHA1 xor PASSWORD --------> if it's equal to SHA1 xor stored password

(4)    <---------------------------- Grant access

对于那些不了解它的人,SHA代表安全哈希算法,这是一种用于加密的标准算法.

For those who don't know it SHA stands for Secure Hashing Algorithm, a standard algorithm for cryptography.

我希望这很清楚.问题是:如果我嗅探数据包2和3(挑战"和挑战xor密码"),我确实拥有实际的密码,并且两者之间还有另一个xor! ??

I hope it's clear. Question is: If I sniff packets 2 and 3 (the "challenge" and the "challenge xor password", I do have the actual password just with another xor between them both!?!? There is other way to implement this kind of protocol??

推荐答案

有关以下内容:

  1. 服务器发送随机挑战
  2. 客户端发送(挑战+密码)的SHA1校验和
  3. 服务器将与(挑战+存储的密码)的SHA1校验和进行比较

这篇关于安全性,加密技术:愚蠢的挑战-响应协议?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-12 07:44