Question

We are currently designing a smartphone application that needs an authentication protocol. We will use HTTPS for all the messages. The idea is the following:

  1. The client contacts the server and authenticates himself with his user/password combination.
  2. The server replies with a randomly generated token that is stored in the database.
  3. To contact the server the client now uses his/her user/token combination.
  4. In each message he sends, the server has a certain probability to regenerate a new token that it includes in the message it sends.

The question is: will we have security issues using this protocol?

Note: passwords and tokens are stored hashed in the database.

Solution

The security is based on the certificate you use for encryption. In general this is enough; you may also check whether it is the expected certificate. If you check the fingerprint of the certificate yourself, you can be sure (if you use sha1 or better) that the certificate is from you and not a successful man-in-the-middle attack. E.g. the NSA could simply create valid certificates for your domain, but AFAIK it is impossible to generate a second certificate with the same fingerprint.

By the way, I hope that the passwords and tokens are also salted. That is important so that it is impossible to see that two customers use the same password, and it also increases the complexity of the hash, which means that it will take much more time to crack such a password with a rainbow table.
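
Steps 1 to 4 of the question combined with the salting point from the answer, as an added example that is not part of the original post: a server-side store that keeps only salted hashes of passwords and tokens, compares them in constant time, and rotates the token with a configurable probability. The `AuthStore` class, the in-memory dict standing in for the database, the PBKDF2 work factor and the rotation probability are all assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000    # assumed work factor; tune for your hardware
ROTATE_PROBABILITY = 0.2   # assumed value; the post gives no number


class AuthStore:
    """In-memory stand-in for the database (hypothetical)."""

    def __init__(self):
        self.users = {}  # user -> {pw_salt, pw_hash, tok_salt, tok_hash}

    @staticmethod
    def _hash_password(password, salt):
        # Slow salted KDF: two users with the same password get different records.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    @staticmethod
    def _hash_token(token, salt):
        # Tokens are 256-bit random values, so one salted hash is enough.
        return hashlib.sha256(salt + token.encode()).digest()

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"pw_salt": salt, "pw_hash": self._hash_password(password, salt)}

    def _issue_token(self, user):
        token, salt = secrets.token_urlsafe(32), secrets.token_bytes(16)
        self.users[user].update(tok_salt=salt, tok_hash=self._hash_token(token, salt))
        return token  # the clear token goes to the client and is never stored

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return None
        candidate = self._hash_password(password, rec["pw_salt"])
        return self._issue_token(user) if hmac.compare_digest(rec["pw_hash"], candidate) else None

    def authenticate(self, user, token, rotate_probability=ROTATE_PROBABILITY):
        """Return (ok, new_token); new_token is set only when the server rotated."""
        rec = self.users.get(user)
        if rec is None or "tok_hash" not in rec:
            return False, None
        if not hmac.compare_digest(rec["tok_hash"], self._hash_token(token, rec["tok_salt"])):
            return False, None
        # Step 4: probabilistic rotation; the old token stops working immediately.
        if secrets.randbelow(1_000_000) < rotate_probability * 1_000_000:
            return True, self._issue_token(user)
        return True, None
```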

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow