libmhash2-devel-0.8.13-1mdk.i586.rpm

Secure User authentication using HMAC and SKID2

In some cases it may be useful to provide secure authentication
without the need of an encryption layer. We'll now discuss how to
implement the SKID2 protocol using the mhash HMAC functions.

Let's assume we're on the server side and we want to authenticate
a client using a username and password, but without transmitting the
password in the clear.

Step 1. The server generates a random string (over 8 bytes).
        Let's call it RANDOM1.
        The server sends RANDOM1 to the client.

Step 2. The client reads RANDOM1 and gets
        the username and password from the user.
        The client now calculates
        X = HMAC( password, RANDOM1+RANDOM2).
        RANDOM2 is a random string generated by the client. The client
        sends the server X, USERNAME, RANDOM2.

Step 3. The server now has the values: RANDOM1, RANDOM2, USERNAME, X.
        a. It checks the users database for USERNAME and retrieves the
           user's password (PASSWORD).
        b. It checks whether HMAC( PASSWORD, RANDOM1+RANDOM2) == X.
           If they are not the same, it aborts.


Now we have the user authenticated.
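
The three steps above as an added example (not part of the original document or of mhash): it uses Python's standard hmac module instead of the mhash HMAC functions. HMAC-SHA256, the 16-byte random strings, the single-use challenge set and the names Server, skid2_mac and client_response are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample user database. As in Step 3a, the server must be able
# to retrieve the password itself, since it is the HMAC key.
USERS = {"alice": b"correct horse battery staple"}


def skid2_mac(password: bytes, random1: bytes, random2: bytes) -> bytes:
    """X = HMAC(password, RANDOM1 + RANDOM2); the hash choice is an assumption."""
    # Both random strings have a fixed length here, so the concatenation
    # cannot be split in two different ways.
    return hmac.new(password, random1 + random2, hashlib.sha256).digest()


class Server:
    def __init__(self, users):
        self.users = users
        self.pending = set()  # RANDOM1 values issued and not yet consumed

    def challenge(self) -> bytes:
        """Step 1: generate RANDOM1 (16 bytes, over the 8-byte minimum)."""
        random1 = secrets.token_bytes(16)
        self.pending.add(random1)
        return random1

    def verify(self, random1, username, random2, x) -> bool:
        """Step 3: recompute the HMAC and compare; abort on any mismatch."""
        if random1 not in self.pending:
            return False  # never issued, or already used: reject the replay
        self.pending.discard(random1)  # each RANDOM1 is accepted once
        password = self.users.get(username)
        # Compute a MAC for unknown users too, so both paths do the same work.
        expected = skid2_mac(password or b"\x00", random1, random2)
        # compare_digest avoids leaking how many leading bytes of X matched.
        return hmac.compare_digest(expected, x) and password is not None


def client_response(username: str, password: bytes, random1: bytes):
    """Step 2: generate RANDOM2 and return (X, USERNAME, RANDOM2)."""
    random2 = secrets.token_bytes(16)
    return skid2_mac(password, random1, random2), username, random2
```

Discarding RANDOM1 after one verification attempt is what makes a captured (X, USERNAME, RANDOM2) useless to replay against a later challenge.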