Re: Searching for a special challenge&response algorithm

Jan Peter Stotz wrote:
> The general idea is as follows:
> When a client connects to a server it has to authenticate itself against
> the server. For preventing brute force attacks against this authentication
> (systematic testing) with one client the server creates a challenge which
> has to be solved by the client. For solving the challenge the client needs
> a bit of CPU power which results in a delay of about a second. The server
> only allows an authentication by the client after successfully solving the
> challenge.

One way would be to require the client to brute force a given number of
bits of a secure hash function. The server would generate a random 10
to 20 bit value, and the client would have to compute a response with
e.g the low bits of the hash value equal to the random value sent by
the server. To prevent an attacker from precomputing a list of
responses with all the random values that the server might send, the
response should be required to include another secure random nonce from
the server and the client's authentication information.

   Ben
Received on Mon May 1 02:06:15 2006