httpd-dev mailing list archives

From Rob Hartill <hart...@ooo.lanl.gov>
Subject Re: secure transfer using skey
Date Fri, 01 Sep 1995 13:16:07 GMT
 
> >I think the skey code is PD, so could be dropped into clients and
> >servers.
> >
> >I must be missing something, cos this is just too simple.
> 
> As I recall, keeping the clients and server synchronized is
> the problem -- skey assumes too much about the quality of the
> communication link.  

hmmm,    

  server calls skey with user's name, and is given a challenge
  server calls skey one-time-password generator with challenge and
    client password
  server gets a one-time-password
  server encrypts data using o-t-p and sends data and challenge to client

  client reads challenge and calls skey o-t-p generator using client's
    password
  client gets the same o-t-p as the server saw earlier
  client decrypts the data using the o-t-p

  client and server now pass the challenge back and forth with all their
  encrypted data. 
  The server can call skey whenever it wants in order to generate new
  challenges.

I can't see any obvious synchronisation issues here.

> Phill Hallam-Baker is the person here who knows about that stuff
> (I avoid it like the plague, since security requires too much time
> to keep up to date).  Phill (hallam@w3.org) will likely
> talk your ear (or fingers) off on the subject.

the security people scare me  :-)


rob
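
The exchange outlined in the message above, as an added example that is not part of the original post or of the S/Key code: both sides derive the same one-time key from the challenge and the password, and because the challenge travels with each message, a lost message does not desynchronise the client. Assumptions: truncated SHA-256 stands in for S/Key's own hash, a hash-counter keystream with an HMAC tag stands in for the unspecified cipher, and all function names and the sample credentials are hypothetical.

```python
import hashlib, hmac, os

def otp(password: bytes, seed: bytes, count: int) -> bytes:
    # S/Key-style chain: hash seed+password, then re-hash `count` times.
    # Assumption: truncated SHA-256 stands in for S/Key's own hash.
    h = hashlib.sha256(seed + password).digest()[:8]
    for _ in range(count):
        h = hashlib.sha256(h).digest()[:8]
    return h

def _mac(key: bytes, msg: bytes) -> bytes:
    # Separate MAC key derived from the o-t-p so cipher and tag keys differ.
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Illustrative keystream cipher (hash in counter mode), not a vetted one.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(8)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _mac(key, nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, nonce + ct)):
        raise ValueError("authentication failed: wrong password or challenge")
    return _xor_stream(key, nonce, ct)

def server_send(user_db: dict, user: str, count: int, data: bytes):
    # As proposed in the message, the server derives the key from the user's password.
    seed = os.urandom(4).hex().encode()
    key = otp(user_db[user], seed, count)
    return (count, seed), seal(key, data)        # challenge travels with the data

def client_receive(password: bytes, challenge, blob: bytes) -> bytes:
    count, seed = challenge
    return unseal(otp(password, seed, count), blob)

def demo():
    db = {"rob": b"constructed-password"}        # constructed sample credentials
    msgs = [server_send(db, "rob", 99 - i, b"page %d" % i) for i in range(3)]
    del msgs[1]                                  # simulate a message lost in transit
    return [client_receive(db["rob"], ch, blob) for ch, blob in msgs]

if __name__ == "__main__":
    print(demo())
```

In this arrangement the server has to hold the user's password (or an equivalent secret) to run the generator, and the 8-byte one-time value is the only key material protecting the data.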
