c - Shell security with hash -


for educational purposes i'm implementing simple remote shell program, , i'm trying wrap head around how make secure. first idea had require password. if client sends password, runs, if not, quits. then, applied simple hash function password, don't think makes more secure. in either case, if packets intercepted, attacker extract password or hashed password. what can make more secure there way use password/hashing safe basic packet interception? know ssh uses public/private keys encrypt , decrypt, more advanced need.

how challenge/response digests? server knows password "blah".

the client connects, , authenticates:

  • client: let me in!

  • server: give challenge "12345", number generated now!

    server remembers gave client "12345".

  • client wants authenticate "blah", add end of server's challenge, , calculates sha-1 of result "12345blah".

    client: response "6910972fb3148a63df7fda34bd6fccf3013d8d93"!

  • server knows password "blah", , issued challenge "12345" client—hence calculates sha-1 of "12345blah", , produces "6910972fb3148a63df7fda34bd6fccf3013d8d93". matches client's response …

    server: access granted!

important notes:

  • the server must 1 choose challenge. if client gets pick, attacker intercept 1 authentication attempt, , repeat same challenge , response valid user.

    the fact server picks different challenge every time means attacker can't replay authentication. means server needs store challenge against client's connection or session somehow, since you'll need when respond.

  • you may want use stronger sha-1 (it's little broken iirc). may want other appending password challenge, security properties depend on underlying digest function.

  • i demonstrate password "blah", nice thing now, can replace "blah" hash of "blah". server never needs store more hash, , client hashes password first before combining challenge , calculating digest.


Comments

Post a Comment

Popular posts from this blog

java - Play! framework 2.0: How to display multiple image? -

i need display gallery of photos. here template: @(photos: list[photo]) @title = { <bold>gallery</bold> } @main(title,"photo"){ <ul class="thumbnails"> @for(photo <- photos) { <li class="span3"> <a href="#" class="thumbnail"> <img src="@photo.path" alt=""> </a> </li> } </ul> } and here controller method: public static result getphotos() { return ok(views.html.photo.gallery.render(photo.get())); } and here photo bean : @entity public class photo extends model { @id public long id; @required public string label; public string path; public photo(string path, string label) { this.path = path; this.label = label; } private static finder<long, photo> find = new finder<long, photo>( long.class, photo.class); public static list<phot...
Read more

gmail - Is there any documentation for read-only access to the Google Contacts API? -

i want read-only access user's google contacts. there stackoverflow member wanted this, , received following answer : yes, there is, use https://www.googleapis.com/auth/contacts.readonly scope , "view contacts". this exchange reference read-only access google contacts can find using google. simply using access token obtained attempt read usual google contacts api (i.e. https://www.google.com/m8/feeds ) fails insufficient permissions. similarly, using google contacts api on new target fails 404 errors (for example https://www.googleapis.com/auth/contacts.readonly/default/full ). is there documentation anywhere on how use api, or permissible way access google contacts api full read-write access?
Read more

php - Controller/JToolBar not working in Joomla 2.5 -

relevant code: jtoolbarhelper::custom('savecategories', 'save', '', 'save', false, false); ... <input type="hidden" name="controller" value="easyblogcontroller"> according can dig docs , own previous questions, should call savecategories() function in easyblogcontroller . i've tried setting value easyblog , easyblog.php (file name) current easyblogcontroller (class name). clicking on save button refreshes page. not redirect, echo or var_dump test code put in savecategories() function. var_dump ing jrequest::getvar('controller') , 'task' return correct values. creating controller object , using $controller->execute('task'); works. the values going depend on location of controller trying call, , have couple options here. typically there controller in base folder of component (likely components/com_easyblog) in file called controller.php , class name inside ...
Read more