Question

We have a system that uses password authentication to access a database; the usernames and encrypted passwords are stored in the database. When a user forgets their password (or the administrator leaves for greener pastures), we want to be able to generate a new password for the current administrator or generate a new administrator.

We deal with our clients via telephone support, so we want to use this scenario:

User rings up - forgotten password.

Client software generates a challenge code based on their site license.

User tells phone support staff the challenge code.

Phone support staff give a response code.

User enters challenge and response code, and goes in the backdoor (either a new user is created or the password of the current user is reset).

We want the challenge/response to only work once; we don't want to leave the backdoor open.

How should we go about it?


Solution

Generate the challenge code based on both the site license and the database-stored password. With the new password, the next challenge code will necessarily be different. No backdoor.

OTHER TIPS

RFC 4226, HOTP

This is the theory behind PIN calculators, and you can get different implementations of it, so that you don't even have to pick up the phone: the client can generate it herself, with a mobile phone for example.
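An added Python illustration (not code from the question or either answer) of both suggestions: an RFC 4226 HOTP function checked against the RFC's own test vector, and a one-shot challenge/response where the challenge is an HMAC keyed by the site license over the current stored password hash, so a reset invalidates the pair. The license key as shared secret, the PBKDF2 storage format, the domain-separation labels and the 8-digit code length are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: bytes, salt: bytes) -> bytes:
    """Salted PBKDF2 hash as stored in the database (assumed storage format: salt || hash)."""
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def _digits(mac: bytes, digits: int) -> str:
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

def challenge_code(license_key: bytes, stored_hash: bytes, digits: int = 8) -> str:
    """Client side: challenge keyed by the site license and bound to the CURRENT stored hash.
    Once the password is reset the stored hash changes, so this challenge is never valid again."""
    mac = hmac.new(license_key, b"challenge|" + stored_hash, hashlib.sha256).digest()
    return _digits(mac, digits)

def response_code(license_key: bytes, challenge: str, digits: int = 8) -> str:
    """Support side: response derived from the site license and the spoken challenge."""
    mac = hmac.new(license_key, b"response|" + challenge.encode(), hashlib.sha256).digest()
    return _digits(mac, digits)

def verify_and_reset(license_key: bytes, stored_hash: bytes, challenge: str,
                     response: str, new_password: bytes) -> Optional[bytes]:
    """Client side: accept the pair only if the challenge still matches the current stored
    hash and the response matches that challenge. Returns the new stored hash, or None."""
    ok_chal = hmac.compare_digest(challenge, challenge_code(license_key, stored_hash))
    ok_resp = hmac.compare_digest(response, response_code(license_key, challenge))
    if not (ok_chal and ok_resp):
        return None
    return hash_password(new_password, secrets.token_bytes(16))

if __name__ == "__main__":
    license_key = b"constructed-site-license-secret"   # constructed sample shared secret
    stored = hash_password(b"forgotten-password", secrets.token_bytes(16))
    chal = challenge_code(license_key, stored)        # read out over the phone
    resp = response_code(license_key, chal)           # spoken back by support
    stored = verify_and_reset(license_key, stored, chal, resp, b"new-password")
    print("reset ok:", stored is not None)
    # Replaying the same pair against the updated record fails: the backdoor closed itself.
    print("replay rejected:", verify_and_reset(license_key, stored, chal, resp, b"x") is None)
```

Support staff never learn the password hash, only the challenge, and the client never needs to store the response, which is why the same pair cannot be reused after the reset.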

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow