rbt at athop1.ath.vt.edu
Mon Oct 10 16:56:30 CEST 2005
On Mon, 2005-10-10 at 07:46 -0700, Paul Rubinhttp: wrote:
> rbt <rbt at athop1.ath.vt.edu> writes:
> > > Instead, for client #i, let that client's key be something like
> > > hmac(your_big_secret, str(i)).digest()
> > > and the client would send #i as part of the string.
> > How is this different from sending a pre-defined string from the client
> > that the server knows the md5 hash of? The clients know the string, the
> > server knows the hash of that string.
> I'm confused, I don't understand what that md5 whatever would do for you.
> I'm assuming the server is secure and the clients are less secure.
> > Also, could this not be done both ways? So that, if an attacker figures
> > out the string he's supposed to send from a client to the server (which
> > he could easily do). He could not easily figure out the string the
> > server should send back as all he would have is the hash of that string.
> I'm still confused
OK, we'll leave it at that and just accept that we're from different
planets ;) Thanks for the help.
More information about the Python-list