Hello! I was given a topic for an RGZ on Information Security: write a program that demonstrates the operation of an authentication method based on an unmounted password. What kind of method is this? Can you point me to sources where I can familiarize myself with this method? Thanks.

  • What language should I write? - mixerden
  • "Unspeakable" can be using a sniffer. This can be a challenge-response method, where it is not the password that is transmitted, but a response calculated using the password. - alexlz
  • It is no longer possible to add a reply to the answer :( If the key is the same for different sessions, then the reliability of the method after several sessions inspires fear. Well, let it be. Has it already been received, as I understand it? :))) - alexlz
  • Yes, already flaunts in the record book :) Yes, that's right, that fears) If in real life you do for what thread from the system, and take it seriously, then you could think it over ... And so .. of course, here everything was done, but a lot more is needed to launch the system into which thread ... - Leshij_2005

2 answers

Your thoughts solved the problem as follows:

1. A window appears in front of the user, in which cells or figures with numerical content are located.
2. The cells contain randomly generated numbers.
3. Next, the user, knowing the code combination, marks in the window an area of cells that contains one of the code symbols, or the entire code.
4. The program reads the contents of the marked area and gives the user either permission to enter or an identification failure.

  • I'm afraid the teacher got lost. When the sniffer intercepts the request and the response, the code is restored (possibly partially). With challenge-response (and there are many such authentication schemes), restoring it is (1) not unambiguous from a single answer (the set of passwords that give the same answer can be large) and (2) takes a long time to calculate (a year, a decade, a century, ...) - alexlz
  • Eeee, what do you mean?) Why did I get lost?) - Leshij_2005
  • If I understood the solution correctly, then the code, perhaps partially, is displayed in the request. A framing is randomly formed. The user reports the area where the code or part of it is located. By collecting a number of requests/responses, you can calculate the code. If one-way functions were involved in forming the request, so that the code itself was not transmitted, then the chances of decoding it would be lower. - alexlz
  • What do you mean by a request?) If you mean a connection to a database, there is none here) It's still an RGZ) Inside the code, a sequence of characters is set: a key. The user clicks on the area, that is, as you say, reports the area where the code or part of it is contained. But we made it so that, despite the fact that the whole of the region can be contained in the program, the program accepts only one character. Once it is accepted, it moves on to the next one, and so on. Plus, there is a limit on the number of clicks in the program to exclude the possibility of guessing the key. Here is such a scheme ... - Leshij_2005
  • The request is not to a database, but in the sense of "request-response (chell-resp)". If I understood correctly (?), in the request the key (password) is transmitted in one format or another (possibly as an image). But by recording the exchange between the user and the system (over the network?), this key can be restored (albeit with the help of a person, that is, not programmatically). This is what I had in mind. I would like to understand whether I understood the situation correctly. - alexlz
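
The challenge-response method alexlz describes in the comments, as an added example that is not part of the original thread: the response is an HMAC over a fresh random challenge, so the password never crosses the wire and a sniffed response fails when replayed. The `Server` class, the function names and the sample credentials are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Slow KDF: guessing the password from a captured (challenge, response) pair is costly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def respond(password: str, salt: bytes, challenge: bytes) -> bytes:
    # Client side: only this MAC is sent, never the password or the derived key.
    return hmac.new(derive_key(password, salt), challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}    # user -> (salt, derived key)
        self.pending = {}  # user -> outstanding one-time challenge

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def start(self, user: str):
        # Fresh random challenge per attempt, so an old response is useless later.
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return self.users[user][0], challenge

    def finish(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # each challenge is single use
        if challenge is None:
            return False
        key = self.users[user][1]
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison

def demo():
    server = Server()
    server.enroll("alice", "correct horse")              # constructed sample credentials
    salt, challenge = server.start("alice")
    sniffed = respond("correct horse", salt, challenge)  # what a sniffer would capture
    ok = server.finish("alice", sniffed)                 # legitimate login
    server.start("alice")                                # new session, new challenge
    replay = server.finish("alice", sniffed)             # old response replayed
    salt, challenge = server.start("alice")
    wrong = server.finish("alice", respond("guess", salt, challenge))
    return ok, replay, wrong

if __name__ == "__main__":
    print(demo())
```

The derived key stored on the server is enough to compute valid responses, so it has to be protected like the password itself.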

I dare to suggest that this is a type of authorization in unix-like systems — when you enter a password, it is not displayed on the screen (even asterisks are not displayed). In fact, it looks something like this:

Login: User


Login OK ...