
The hash is not constant.

With public key crypto you can implement a challenge response. Server generates random garbage, sends it to the client, client signs the garbage using priv key, sends it back as a hash that the server can verify using pub key.

Another version of this is with shared secrets instead of public/private, by replacing the signature with simply HMAC(secret, garbage) and keeping the rest of the flow the same as above.




Yeah, once you get to the ZKP approach, which is what you're describing, the benefits are more significant.


> With public key crypto you can implement a challenge response.

Or just use a client side TLS certificate to authenticate instead of or in addition to the username and password.



