In case of no TLS/SSL available, why can't I use the hash of the password (SHA512) as the key to encrypt the password (with out any salt) to send through the network ? MITM attacks I can understand, but what are the other possible attacks ?
Asked
Active
Viewed 799 times
-1
-
What would this solve? That makes the hashed-encrypted password string *the new password*, which a MITM can intercept and reuse. What "network" scenario exactly are you thinking about here? – deceze Nov 26 '13 at 13:40
-
I'm just exploring the options. – user34694 Nov 26 '13 at 13:48
-
Is this a webapplication or an application with a full client? For web-apps there is no way around SSL. For client applications the only way around SSL is reinventing SSL. Personally I prefer reinventing it, but that choice is not for the faint of heart. => Use SSL – CodesInChaos Nov 26 '13 at 14:07
1 Answers
5
SSL's only purpose is to stop Man in the middle from happening. Not having SSL/TLS just means you can't have:
- Confidentiality
- Integrity
Furthermore the password is just a token used for authentication, it's not required to have the actual password if the access token is the hash. You can perform a repeater/replay attack if you can sniff the hash from the network and provide it to your application to authenticate to your service.
An example for such an attack can be found in Windows. It's called the pass-the-hash attack.
Lucas Kauffman
- 54,229
- 17
- 113
- 196