Authentication Protocol, is it secure?

From: Anonymous (anonymous_at_home.net)
Date: 01/07/05 

Date: Fri, 07 Jan 2005 11:59:50 GMT

I found an authentication protocol where the client generates a
timestamp/random number, hashes these with the password, sends them all to
the server and then the server, in addition to verifying the hash with its
version of the users password, checks to ensure that the timestamp is
within an acceptable delta of its own time, checks to ensure that the
random number is not the 'last used random number', and, if all of this
passes, it stores the current random number as the 'last used random
number' and grants the client access.

The vulnerability in this protocol is that it allows a replay attack if
the client signs off and then back on within the alloted time delta
because it only stores ONE 'last used random number'. It seems to me that
random numbers are completely unnecessary and that the minor change of
simply storing the 'last used timestamp' and then, during the next login
for this client, ensuring that the 'current' timestamp is greater than the
'last used timestamp' would be much more secure since it does not allow
any replay attack whatsoever.

Does the random number serve any additional purpose or do you agree that the
protocol that I described is more secure than the original one? Are there
any additional considerations that I have missed?

Many thanks for any input.

Relevant Pages

  • Re: network booting
    ... So the client would need to tell on which offset into on of the ... The client asks the server to open a specific file (by ... component of DOS 3.3, as well as RWTS. ... code on the C64 can send commands (using a serial protocol called IEC) ...
    (comp.sys.apple2)
  • Re: client -server interaction over XML supporting multiple protocols
    ... > NETBEUI to access the server to access the functionalities exposed. ... > server doesnot know in advance which client is using what protocol. ... size of the XML and Xfunctionality will determine the demands ...
    (comp.lang.cpp)
  • OpenSSH: SSH2 sshd - Increase key size from 2048 to 8192 bits (Cygwin)
    ... I am only using the SSH2 protocol. ... key, normally 768 bits, generated when the server starts. ... The client compares the RSA host key ... the server and the client enter an authentication ...
    (comp.security.ssh)
  • Authenticating authorised clients was Re: Helpful clients in client-server Nethack
    ... I don't see how an asymmetric cypher would help. ... that the client is approved by the organisers. ... CHAP, challenge handshake authentication protocol. ... The closed source clients and server know a passphrase. ...
    (rec.games.roguelike.nethack)
  • Re: Help a Noobie please with opening a port
    ... Unless the WARP client is making CERN proxy requests, ... 'Selected Protocols' and created a new protocol using Port range ... LocalHost or Internal (if on other server) ... Microsoft ISA Server Partners: Partner Hardware Solutions ...
    (microsoft.public.isaserver)