I am working with several other people on writing software which requires authentication before it accesses resources. In order to authenticate, we devised the following strategy.
- Client sends a SHA1 of a username to the server
- Server responds with a user's unique ID, which is a public key in an RSA key-pair
- Client creates a SHA256 hash of a user's login details, and encrypts it using the unique ID.
- If the hash matches the hash of a user's login details, the server responds with a specific value, and records the timestamp of the moment the response was sent.
- The client responds by encrypting the timestamp at the time it receives confirmation, and sends it to the server.
- If the timestamp sent by the client is within x seconds of the server's recorded timestamp, the server considers the client authenticated.
Currently, the client-server communication will take place using SSL/TLS over TCP.
My question is as follows: Is this method secure enough and, if not, what can be done to improve it?
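As an added illustration (not part of the question or the asker's code), the seven steps above simulated end to end in Python, with both the client and the server side in one file. It assumes things the question leaves open: "login details" is taken to be `username:password`, the "unique ID" public key is a toy textbook RSA key generated locally (unpadded `pow()` arithmetic, a stand-in only and not a secure construction), the confirmation value in step 5 is the string `"OK"`, and the window x in step 7 is 5 seconds. Clocks are explicit callables so the run is deterministic. The last function also shows what the exchange does when a copy of the step-4 message is presented again later by a party that does not know the password.

```python
import hashlib
import random

# ---- Toy RSA (textbook, no padding). Assumption: stands in for the question's
# "unique ID is a public key"; generated locally so the example runs offline.
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)). n is >= 2^510, so a 256-bit hash fits as one block."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)

def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()

def sha256_int(s):
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big")

CONFIRM = "OK"          # assumption: the "specific value" sent in step 5

class Server:
    def __init__(self, clock, window_seconds=5):
        self.clock = clock                  # server's own clock
        self.window = window_seconds        # the question's "x seconds"
        self.users = {}                     # sha1(username) -> record
        self.pending = {}                   # sha1(username) -> step-5 timestamp
        self.sessions = set()

    def register(self, username, password):
        pub, priv = rsa_keygen()
        self.users[sha1_hex(username)] = {
            "pub": pub, "priv": priv,
            "login_hash": sha256_int(username + ":" + password)}   # assumed format

    def step2_lookup(self, username_sha1):
        return self.users[username_sha1]["pub"]                   # step 3 reply

    def step5_check_login(self, username_sha1, ciphertext):
        rec = self.users[username_sha1]
        if rsa_decrypt(rec["priv"], ciphertext) != rec["login_hash"]:
            return None
        self.pending[username_sha1] = self.clock()   # record when "OK" was sent
        return CONFIRM

    def step7_check_timestamp(self, username_sha1, ciphertext):
        rec = self.users[username_sha1]
        sent_at = self.pending.pop(username_sha1, None)
        if sent_at is None:
            return False
        client_ts = rsa_decrypt(rec["priv"], ciphertext)
        ok = abs(client_ts - sent_at) <= self.window
        if ok:
            self.sessions.add(username_sha1)
        return ok

def client_login(server, username, password, client_clock):
    """Steps 1-7 from the client's side. Returns (authenticated, step-4 message)."""
    uid = sha1_hex(username)                                     # step 1
    pub = server.step2_lookup(uid)                               # steps 2-3
    step4 = rsa_encrypt(pub, sha256_int(username + ":" + password))
    if server.step5_check_login(uid, step4) != CONFIRM:          # step 5
        return False, step4
    step6 = rsa_encrypt(pub, client_clock())                     # step 6
    return server.step7_check_timestamp(uid, step6), step4       # step 7

def replay_login(server, username_sha1, captured_step4, clock):
    """Same exchange driven by someone holding only a copy of the step-4 message."""
    pub = server.step2_lookup(username_sha1)
    if server.step5_check_login(username_sha1, captured_step4) != CONFIRM:
        return False
    return server.step7_check_timestamp(username_sha1, rsa_encrypt(pub, clock()))

def demo():
    t = [1_700_000_000]                     # constructed epoch time, advanced by hand
    clock = lambda: t[0]
    server = Server(clock, window_seconds=5)
    server.register("alice", "correct horse")
    ok, step4 = client_login(server, "alice", "correct horse", clock)
    bad, _ = client_login(server, "alice", "wrong password", clock)
    skewed, _ = client_login(server, "alice", "correct horse", lambda: t[0] + 30)
    t[0] += 60                              # a minute later, resend the captured step 4
    replayed = replay_login(server, sha1_hex("alice"), step4, clock)
    return ok, bad, skewed, replayed

if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

In this model the only value the server checks against a secret is the step-4 message; step 6 proves nothing beyond the two clocks agreeing, so whoever holds a copy of step 4 completes the exchange without the password. With the TLS channel the question mentions, a network observer does not see that message, which is what the scheme relies on.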