Greetings, * Nagy László Zsolt (gandalf@xxxxxxxxxxxx) wrote: > How the md5 hashed authentication method works? Is it protected against > replay attacks? Here is what I have in mind: > > * If the server stores salted hashed passwords, then I do not see how > the server could authenticate the users without getting the password in > clear text? If you're interested in how these things can be addressed, you should review the SCRAM protocol. > * If the server stores (unsalted) password hash values, then basically > there is almost no difference between a clear text password and an md5 > hash, because anyone can replay the send the same hash value and log in > again. If the hash was sent in the clear, then that would be true, but it isn't. > Am I missing something? There is a challenge/response compoent, so the md5 hash which is stored is not what is sent across the wire. That prevents replay attacks when the attacker is simply sniffing the network. If the attacker is able to acquire the as-stored hash then, yes, that can be used to authenticate. Thanks! Stephen
Attachment:
signature.asc
Description: Digital signature
