CHAP, HMAC, HOTP, TOTP, etc.

After the CSDN password leak was disclosed last year, many experts came out to discuss how programmers store passwords in their own databases, and it turned out they were still stored in plaintext. After the recent LinkedIn incident, the question of how to store passwords has been dragged out again. I think how a password is stored and how it is transferred over the network are two issues that cannot be discussed separately: unless you already have a secure channel such as SSL, it is still plaintext on the wire.

MySQL made some improvements to the original CHAP protocol:

stored = sha1(sha1(passphrase))

reply = xor(sha1(passphrase), sha1(public_seed, stored))

Only stored is kept in the database, and only public_seed and reply travel over the network. So if you just get hold of the data in the mysql.user table, without the original passphrase it is still difficult to construct a valid reply. However, I suspect this algorithm is something an engineer came up with on his own, was never discussed with security experts, and has not yet received any real scrutiny.

Today I installed Google Authenticator on my mobile phone; it mainly authenticates the TOTP way. TOTP is a variant of HOTP that replaces the counter in HOTP with time: TOTP = TRUNCATE(HMAC-SHA-1(K, T)), where K is a key that has been shared between the two sides beforehand and T is the current time divided by the step size (default 30 seconds). One advantage of doing this with a mobile phone is that K's distribution does not have to go over the network at all, but can be done through a QR code.
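To make the TRUNCATE step concrete, here is an added example of HOTP and TOTP written for this post (not Google Authenticator's code); the function names hotp, totp and verify_totp are mine, and the key "12345678901234567890" is the test key from RFC 4226 / RFC 6238, not something from this post.

```python
import hmac
import hashlib
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with T = floor(unix_time / step) as the counter."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side check that tolerates +/- `skew` steps of clock drift.
    The comparison is constant-time so a wrong guess leaks no timing signal."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(key, t + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # RFC test key; in practice K comes from the QR code, never from the network.
    key = b"12345678901234567890"
    print("HOTP counter 0:", hotp(key, 0))            # RFC 4226 vector: 755224
    print("TOTP at t=59:  ", totp(key, 59))           # RFC 6238 vector: 287082
    print("TOTP now:      ", totp(key, int(time.time())))
```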

I am going to take a look at SRP.