In the world of networking, nothing is 100% secure. Not even SSL can make sure your information is safe from eavesdropping. With simple tools (eg: Cain and Abel), anyone can tap into your network and sniff sensitive information such as your login information and credit card number.
This kind of attack is known as Man-In-The-Middle (MITM) attack. MITM is achieve when the attacker manage to impersonate each endpoint. The attacker can then view the all the traffics between each end point.
In here, I’m going to touch on how to create a better login mechanism to prevent attacker from getting your personal password. Since many of us are using same password for several account eg, bank account and email; it is important that the web applications we are using are able to safeguard this piece of information before it reaches the server.
The diagram above shows the process of sending the password across a network that has been compromised . Do bear in mind that all the information/data send will be visible to the attacker.
When the client request a login page from the server, a login page including a challenge and challenge id will be send to the client. The server will keep a copy of the challenge and challenge id in it’s database. Before sending the username and the password back to the server for authentication, the password will be hash with the challenge on client side and send across the network together with the username and challenge id. After the server receive the username, hash and challenge id, it will use the challenge id to retrieve the challenge and password from it’s database and hash them together and match it with the received hash.
The challenge that is stored on the server can be use once only. Even if it’s not used, the challenge only have a validity of 15 mins.
