On Thu, May 25, 2006 at 01:27:58PM +0100, David Simon Cooper wrote:
> They don't promote the use over the internet, but then we know that. I am wondering, when they say challenge-response do you think it means the response is not encrypted? It would be pretty pointless not sending the password in the challenge in case it gets intercepted but all password tries in the response are left as plain text?
> I am assuming the response password is sent as some kind of encrypted value rather than just characters.
Generally, what happens with challenge-response is that the server sends a "challenge", so potentially an encryption method, a salt, or something similar, and the client then sends a response encoded using the challenge. So, in a Unix-type system the challenge could, I suspect, be a 2-char password (DES), and the response be the password crypted with the salt (at least, that's my basic understanding of challenge-response).
Thanks,
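A minimal challenge-response exchange of the kind discussed in this thread, as an added example that is not part of the original messages: the server sends a fresh random challenge, the client answers with a keyed hash of it, and the password itself never crosses the wire. HMAC-SHA256 is used here in place of DES crypt with a salt; the user name, password and the Server/client_response names are constructed for the example.

```python
import hashlib
import hmac
import os


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it.

    Only a keyed digest of the server's challenge goes over the wire, so an
    eavesdropper sees neither the password nor a value usable as one.
    """
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Server side of the exchange.

    Note the caveat this scheme carries: to recompute the expected response
    the server must hold the password (or an equivalent secret), so the
    password store itself still needs protecting.
    """

    def __init__(self, users: dict[str, str]) -> None:
        self._users = users            # constructed sample: user -> password
        self._outstanding: dict[str, bytes] = {}

    def start(self, user: str) -> bytes:
        """Issue a fresh random challenge; a nonce is never reused."""
        challenge = os.urandom(16)
        self._outstanding[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        """Check the response against the one outstanding challenge.

        The challenge is consumed on first use, so replaying a captured
        response to a later login attempt fails.
        """
        challenge = self._outstanding.pop(user, None)
        password = self._users.get(user)
        if challenge is None or password is None:
            return False
        expected = hmac.new(password.encode(), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = Server({"alice": "s3cret-pa55"})
    chal = server.start("alice")
    resp = client_response("s3cret-pa55", chal)
    print("password on the wire:", b"s3cret-pa55" in chal + resp)  # False
    print("login accepted:", server.verify("alice", resp))         # True
    print("replay accepted:", server.verify("alice", resp))        # False
```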