Reputation: 2339
Is my implementation of one-time password safe enough?
I want to implement a login mechanism for authenticating the administrator of my web app. But since I am not using ssl I cannot rely on user sending his password through an html form.
So I thought about using one-time password (I actually didn't know about this thing, I ended up reinventing the concept and eventually found out such a thing already existed)
All I want is your opinion on how safe my implementation is:
1) Client requests a random and unique hash. The server generates that hash, stores it in a session variable and returns the hash to the client.
2) From that hash the client derives a password using a custom algorithm that is known only by him and the server. That password is sent back to server.
3) Server does the same and check to see if passwords match, if they do the user is authenticated.
Can this be cracked at all?
Upvotes: 0
Views: 215
Answers (1)
Reputation: 33116
"custom algorithm that is known only by him and the server". This is broken by design, since you are relying solely on the algorithm being secret.
It won't be a secret anymore as soon as you distribute the implementation (e.g. as client side JavaScript), let alone any intrinsic weakness in the protocol.
My 2cents: unless you are a crypto expert, never roll out your own solution. Stick with public, sound and proven protocols and only use reputable implementations.
Upvotes: 5
Related Questions
- Is basic access authentication secure?
- How secure is this authentication model?
- Very simple authentication using one-time cookie on nginx
- Is this a secure way to authenticate users?
- One time password security risk
- Is it a good idea to use One-time-passwords for securing REST-Applications?
- Is this simple REST authentication scheme secure?
- Authentication system - is my one secure?
- Is my approach secure for implementing a one-time password in web service security
- one-time-password algorithm (both matematical, time based, and action based)