Re: [NTLK] [ANN] APOP 1.0

From: Stainless Steel Rat (ratinox_at_peorth.gweep.net)
Date: Sun Apr 14 2002 - 19:25:25 EDT


* Steve Weyer <weyer_at_kagi.com> on Sun, 14 Apr 2002
| I assume this isn't SSL functionality for https:

| or would this just be used for password challenges?
| the usual one uses a simple base64 encoding, and there have not situations
| (AFAIK) needing more sophisticated challenge responses.

For password authentication. The idea is that the client hashes the user's
login and pass phrase and sends the hash string to the server instead of
sending clear text. APOP (Alternate POP) Authentication adds some entropy
to the mix by incorporating a time stamp into the hashes. The scheme is
vulnerable to partial known clear text attacks (an attacker presumably
knows the login name and time stamp if he is listening in on the
connection), but it is much better than standard POP authentication (clear
text login and password).

This is in addition to MD5's more obvious use for file checksuming.

As I said, I wonder if it is of any use as a shared library. I think not,
but I still wonder.

-- 
Rat <ratinox_at_peorth.gweep.net>    \ Do not taunt Happy Fun Ball.
Minion of Nathan - Nathan says Hi! \ 
PGP Key: at a key server near you!  \ 
       That and five bucks will get you a small coffee at Starbucks.

-- Read the List FAQ/Etiquette: http://www.newtontalk.net/faq.html Read the Newton FAQ: http://www.guns-media.com/mirrors/newton/faq/ This is the NewtonTalk mailing list - http://www.newtontalk.net



This archive was generated by hypermail 2.1.2 : Sun May 05 2002 - 14:03:42 EDT