Re: How passwords can be crypted in postgres? - Mailing list pgsql-general

From Ron Chmara
Subject Re: How passwords can be crypted in postgres?
Date
Msg-id 3A559C6E.7B366C1@opus1.com
In response to Re: How passwords can be crypted in postgres?  ("Gordan Bobic" <gordan@freeuk.com>)
List pgsql-general
Ron Peterson wrote:
> > I was referring to a different aspect of security. I was referring to
> > preventing more of a "man-in-the-middle" type of attack. If you have a
> > packet sniffer somewhere between the client and the server, then someone
> > could read your packet containing the encrypted password and use it to
> > authenticate to the server, without knowing or caring what the real
> > password is. If you can send the encrypted password to the server that
> > matches, you're in.
>
> How so?  The server is going to take the string you send it, and one-way
> hash it.  If you send it the hash value, it will hash that.  Unless that
> happens to hash to itself, which is exceedingly unlikely, you will not
> be authenticated.
>
> What kind of system are you talking about?

Man in the middle attack, _ultra-simplified_:
User A uses a voice-print, saying: "my voice is my password" to enter.
Cracker B tape-records user A saying the above phrase, and then plays it
back to hack in.

On a LAN:
User A logs in and sends a password, hashed as "drowssap".
Cracker B sniffs it, logs in, and sends a password, hashed as "drowssap".
or
User A logs in and sends a password, "password".
Cracker B sniffs it, logs in, and sends a password, "password".

The "man in the middle" attack has many variants, but basically
it centers around capturing the credentialing process in such a way
that having the *actual* credentials is irrelevant.

-Ronabop

--
Personal:  ron@opus1.com, 520-326-6109, http://www.opus1.com/ron/
Work: rchmara@pnsinc.com, 520-546-8993, http://www.pnsinc.com/
The opinions expressed in this email are not necessarily those of myself,
my employers, or any of the other little voices in my head.
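Added example, not part of the thread and not PostgreSQL's own authentication code: a small Python simulation of the two situations Ron describes. In the first, the client sends a fixed transformation of the password (his "drowssap") and the server just compares it, so whatever was captured on the wire is reusable. In the second, the server issues a fresh single-use nonce and the client answers with an HMAC over it, so a captured answer is useless for any later login. The class names, the choice of SHA-256/HMAC-SHA-256, and the sample password are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential; not a real account.
STORED_PASSWORD = "password"


def static_hash(password: str) -> str:
    """Fixed client-side transformation of the password (the 'drowssap' in the post).
    Because it never changes, it is effectively the password as far as the wire is concerned."""
    return hashlib.sha256(password.encode()).hexdigest()


class StaticHashServer:
    """Server that compares the token the client sends against a stored hash.
    The token on the wire *is* the credential, so anything sniffed can be replayed."""

    def __init__(self, password: str) -> None:
        self.stored = static_hash(password)

    def login(self, token: str) -> bool:
        return hmac.compare_digest(token, self.stored)


class ChallengeResponseServer:
    """Server that hands out a random single-use nonce per login attempt.
    The client proves knowledge of the secret with HMAC(secret, nonce); the
    response only verifies for that one nonce, so a captured response is stale."""

    def __init__(self, password: str) -> None:
        self.stored = static_hash(password)  # verifier derived from the password
        self.pending: set[str] = set()       # nonces issued but not yet used

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self.pending:
            return False                     # unknown or already-consumed nonce
        self.pending.discard(nonce)          # single use: a replay of the same nonce fails
        expected = hmac.new(self.stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)


def client_response(password: str, nonce: str) -> str:
    """What an honest client sends back for a given nonce."""
    key = static_hash(password).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run both schemes and record which logins succeed."""
    results = {}

    # Scheme 1: static hash on the wire. Replaying the sniffed token works.
    s = StaticHashServer(STORED_PASSWORD)
    token = static_hash(STORED_PASSWORD)          # what user A sends
    results["static_user"] = s.login(token)
    results["static_replay"] = s.login(token)     # same bytes again: accepted

    # Scheme 2: challenge-response. A sniffed response is bound to a used nonce.
    c = ChallengeResponseServer(STORED_PASSWORD)
    n1 = c.challenge()
    r1 = client_response(STORED_PASSWORD, n1)
    results["cr_user"] = c.login(n1, r1)
    results["cr_replay_same_nonce"] = c.login(n1, r1)   # nonce already consumed
    n2 = c.challenge()
    results["cr_replay_new_nonce"] = c.login(n2, r1)    # old response, new nonce
    n3 = c.challenge()
    results["cr_wrong_password"] = c.login(n3, client_response("guess", n3))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The challenge-response variant only addresses the passive sniff-and-replay case in the post; it does nothing about an attacker who can intercept and relay the live exchange, and the stored verifier is still a secret worth protecting on the server. Encrypting the connection is the usual answer to the sniffing problem itself.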
