What are some efficient ways to generate challenge/response for a backdoor entry scheme?
We have a system that uses password authentication to access a database; the usernames and encrypted passwords are stored in the database. When a user forgets their password (or the administrator leaves for greener pastures), we want to be able to generate a new password for the current administrator or generate a new administrator.
We deal with our clients via telephone support. So we want to use this scenario:
user rings up - forgotten password.
client software generates a challenge code based on their site license
user tells phone support staff the challenge code
phone support staff give a response code
user enters challenge and response code, and goes in the backdoor (either new user created or password of current user reset)
We want the challenge/response to only work once; we don't want to leave the backdoor open.
How should we go about it?
RFC 4226, HOTP
This is the theory behind PIN calculators, and you can get different implementations of it, so that you don't even have to pick up the phone: the client can generate it herself, with a mobile phone for example.
Generate the challenge code based on both the site license and the database-stored password. With the new password, the next challenge code will necessarily be different. No backdoor.
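An added example (not code from the question or from either answer) that puts the two suggestions together: RFC 4226 style dynamic truncation so the codes are short enough to read over the phone, and a challenge bound to the administrator's current password hash plus a fresh nonce so the same challenge/response pair cannot be replayed after the reset. It assumes a per-site license secret that the vendor keeps in its own license database and that the client software also holds, HMAC-SHA256 for the codes, 8-digit codes, and PBKDF2 for the stored password hashes; all of those are choices made for the example, and the site id, usernames and passwords are constructed test data.

```python
"""One-shot phone challenge/response for an administrator password reset.

Illustrative code only: the scheme, the constants and the sample data are
assumptions made for this example, not any product's real design.
"""
import hashlib
import hmac
import secrets
import struct

DIGITS = 8  # response codes short enough to read out over the phone (assumption)


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3 dynamic truncation of an HMAC output."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain RFC 4226 HOTP (HMAC-SHA1 over an 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def compute_response(license_secret: bytes, challenge: str) -> str:
    """Response = truncated HMAC over the challenge under the site's license secret."""
    mac = hmac.new(license_secret, b"response|" + challenge.encode(), hashlib.sha256).digest()
    return truncate(mac, DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ClientInstall:
    """The customer's installation: user table plus the per-site license secret."""

    def __init__(self, license_secret: bytes):
        self.license_secret = license_secret
        self.users = {}      # username -> (salt, password hash)
        self.pending = None  # (username, nonce, hash at challenge time); only one open challenge

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def verify_password(self, username: str, password: str) -> bool:
        salt, pw_hash = self.users[username]
        return hmac.compare_digest(pw_hash, hash_password(password, salt))

    def _challenge_for(self, pw_hash: bytes, nonce: bytes) -> str:
        mac = hmac.new(self.license_secret, b"challenge|" + pw_hash + nonce, hashlib.sha256).digest()
        return truncate(mac, DIGITS)

    def make_challenge(self, username: str) -> str:
        """Bind the challenge to the current password hash and a fresh nonce."""
        _, pw_hash = self.users[username]
        nonce = secrets.token_bytes(8)
        self.pending = (username, nonce, pw_hash)
        return self._challenge_for(pw_hash, nonce)

    def reset_with_response(self, challenge: str, response: str, new_password: str) -> bool:
        """Accept the support desk's response once, then close the challenge."""
        if self.pending is None:
            return False
        username, nonce, _ = self.pending
        salt, current_hash = self.users[username]
        # Recompute from the *stored* hash: after a reset the same challenge no longer matches.
        if not hmac.compare_digest(challenge, self._challenge_for(current_hash, nonce)):
            return False
        if not hmac.compare_digest(response, compute_response(self.license_secret, challenge)):
            return False
        self.users[username] = (salt, hash_password(new_password, salt))
        self.pending = None  # the backdoor closes as soon as it has been used
        return True


def support_desk_response(license_db: dict, site_id: str, challenge: str) -> str:
    """Vendor side: look the site up by its license and answer the challenge read out by the caller."""
    return compute_response(license_db[site_id], challenge)


def demo():
    site_secret = secrets.token_bytes(32)
    vendor_license_db = {"SITE-0001": site_secret}  # constructed sample license database
    client = ClientInstall(site_secret)
    client.add_user("admin", "forgotten-password")

    challenge = client.make_challenge("admin")                                # user reads this out
    response = support_desk_response(vendor_license_db, "SITE-0001", challenge)  # support reads this back
    first = client.reset_with_response(challenge, response, "new-password")
    replay = client.reset_with_response(challenge, response, "attacker-password")  # same pair again
    return first, replay, client.verify_password("admin", "new-password")


if __name__ == "__main__":
    print(demo())          # (True, False, True)
    print(hotp(b"12345678901234567890", 0))  # RFC 4226 test vector: 755224
```

The client has to hold the license secret in order to verify the response, so anyone who can extract it from the installed software can answer their own challenges; that is the accepted limit of a phone scheme with codes short enough to dictate. The checks that matter beyond the code above are on the vendor side: record every response handed out, confirm the caller's identity before answering, and on the client side expire a pending challenge after a short time and rate-limit failed responses, since an 8-digit code is only 10^8 guesses.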