Hacker News new | ask | show | jobs
by izakage 5023 days ago
The server sends a challenge to the client. The client computes response = f(challenge, password), and sends the response. Then the server compares the response with its own computation of f(challenge, password). Since f is some type of hash function, we can assume that the client knew the actual password, as it would have been too hard computationally to come up with the correct response without it.

In such a scheme, the keychain can do the computation and the password never leaves the keychain. We can even go as far as to have the keychain be separate hardware (eg USB dongle), so the password never even has to exist on the client's computer at all.
2 comments
dave1010uk 5023 days ago
I believe you are describing the <keygen> HTML element.

https://developer.mozilla.org/en-US/docs/HTML/Element/keygen

link
tjoff 5022 days ago
Okay, so my phone? My, at work, workstation?

How about borrowing a friends computer? If you suggest that I'd bring a USB-dongle for that we live in different universes.

link
izakage 5022 days ago
I was simply trying to clarify the challenge-response mechanism for the parent poster, not suggesting you use keychain dongles everywhere.

Regardless, the idea that the plaintext password doesn't have to leave the device (whether the device is a dongle, your phone, or the keychain application) is a valuable consequence of the challenge-response mechanism, and I wish support for it were more widespread.

link
tjoff 5022 days ago
The reason for why it isn't widespread is because you also have to spread it across all your devices. Which is neither secure nor usable enough for the mainstream today.

Unless that is solved it isn't a solution worth considering.

link
Someone 5022 days ago
Not worth considering as a 'fits all' solution, yes, but it still is worth considering for specialized cases; in general, those cases where the added inconenience is worth the added security. For example, some banks use effectively this for logging in to your online account. And that can be made to work with any device with a display and a keyboard:

  - computer shows challenge#

  - user types challenge# on bank supplied device

  - bank supplied device shows response

  - user types response on computer
link
nitrogen 5022 days ago
Blizzard uses a challenge-response system called SRP for Battle.net. That's fairly mainstream.

You have to enter your password into all your devices anyway, so why not use challenge and response?

link