Data transfer
WayMax, 2016-09-21 14:14:01

How to properly implement data transfer for authentication?

There is:
1. a list of users in the form of: login and password hash (each entry uses its own salt)
2. client and server software
Need:
authenticate
I imagine it this way:
1. The client sends the login to the server
2. The server sends the salt to the client
3. The client sends the password hash to the server
4. The server sends the result of the hash comparison to the client
How correct is this option? Google gives a lot of advice, but I did not see (did not understand) the right one for me. The list of users is already full and I can't change the password hashing algorithm. I myself would use the login as a salt. Or would that be even worse?


1 answer(s)
Andrew, 2016-09-21
@WayMax

You describe the CHAP protocol (it has many varieties, but the essence is approximately the same):
1) the server generates a random number and sends it to the user (it is fundamental to ensure its non-repeatability, so usually a component of the server's system time is added to it); if the password on the server is irreversibly hashed, then it sends the salt in the same packet;
2) the client hashes this random number with its password, or with a hash from the password on the sent salt, and sends it to the server;
3) the server independently performs the same operations and checks the results.
PS If you do not use a unique component, the scheme you described above will be unsafe!
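The challenge-response exchange Andrew describes, as an added example that is not part of the original thread: a Python sketch of both sides, where the stored H(salt || password) hash, the SHA-256/HMAC choices and the user table are constructed assumptions, and each nonce is single-use so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def stored_hash(salt: bytes, password: str) -> bytes:
    # Constructed stand-in for the existing user table's hash: H(salt || password).
    return hashlib.sha256(salt + password.encode()).digest()


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    # Step 2: the client keys a MAC with its salted password hash over the nonce.
    # Neither the password nor its hash is sent; only the MAC over this nonce is.
    return hmac.new(stored_hash(salt, password), nonce, hashlib.sha256).digest()


class Server:
    # Holds login -> (salt, stored_hash) and one outstanding challenge per login.

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # login -> nonce; consumed on verify, so a reply is single-use
        self._enum_key = secrets.token_bytes(32)  # stable fake salt for unknown logins

    def challenge(self, login: str):
        # Step 1: issue a fresh random nonce together with the user's salt in one message.
        entry = self.users.get(login)
        if entry is None:
            # An unknown login still gets a salt and nonce, so the reply does not
            # reveal whether the account exists; the fake salt is fixed per login.
            salt = hmac.new(self._enum_key, login.encode(), hashlib.sha256).digest()[:16]
        else:
            salt = entry[0]
        nonce = secrets.token_bytes(16)
        self.pending[login] = nonce
        return salt, nonce

    def verify(self, login: str, response: bytes) -> bool:
        # Step 3: recompute the MAC from the stored hash and compare in constant time.
        nonce = self.pending.pop(login, None)
        entry = self.users.get(login)
        if nonce is None or entry is None:
            return False
        expected = hmac.new(entry[1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

Note that this only protects the password on the wire: the stored hash itself is still a password equivalent if the server's user table is stolen, so it must be protected as such.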
