Re: Looking for feedback/advice on authentication protocol
From: David Wagner (firstname.lastname@example.org)
From: email@example.com (David Wagner) Date: Sat, 12 Apr 2003 21:15:15 +0000 (UTC)
Oh, boy. Designing your own authentication protocol is risky. I think
it's worth trying hard to avoid this, if you can possibly avoid it.
There are many pitfalls here.
Why not just use SSL, SSH, or Kerberos? Kerberos was designed for exactly
this sort of scenario. Or, you could set up a secure connection between
the client and "login server" using SSL or SSH; then you could set up a
secure connection between the "login server" and real server similarly;
and go from there. SSL and SSH have been well-studied and seem to avoid
the most common pitfalls.
If you really, really want to design your own authentication protocol,
and if security matters, my advice would be to get help from some
experienced security consultant.