-3

I came across this question and have been thinking about it without a final solution. The question is to design a secure telnet: essentially, to log in using a username and password over telnet. I do not have SSH. The restriction is that I cannot use any public-key encryption anywhere in the protocol. My initial thought was that the password will be hashed and sent to the server, which has the salted hashes stored. Of course, this is open to man in the middle, as an attacker can just store the hash sent by the client and replay it. So one solution I was thinking of for this was to use a per-session nonce which can be "attached" to the password hash and hashed again to be sent over. But now the problem is: what is this "nonce", and how do I negotiate it between client and server while protecting against MITM? No public keys allowed, so TLS isn't a possibility.

Thanks

user775093

1 Answer

1

You can deal with your password problem with some variation of challenge-response authentication: done properly, it prevents replay attacks, and since the password itself is never sent, a hostile server or man-in-the-middle can't trick you into revealing it.

The problem you're going to run into is verifying you're connecting to the server you think you are. If you can't use public-key encryption, you presumably can't use any other form of pre-shared secret. That pretty much eliminates every solution I'm aware of.

Mark
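The challenge-response exchange the answer describes, as an added example that is not part of the original answer: the server keeps a salted PBKDF2 hash, and the client answers a fresh server nonce with an HMAC keyed by that hash. The class and function names, the iteration count and the credentials are assumptions made up for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed work factor for the demo

def derive_key(password: str, salt: bytes) -> bytes:
    """Salted password hash; the server stores this instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Server:
    def __init__(self):
        self.users = {}    # username -> (salt, stored key)
        self.pending = {}  # username -> outstanding one-time nonce

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user):
        """Step 1: send the user's salt and a fresh random nonce."""
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user, response):
        """Step 2: check the response, consuming the nonce so it cannot be reused."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        _, key = self.users[user]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password, salt, nonce):
    """Client side: prove knowledge of the password without sending it or its hash."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()

def demo():
    server = Server()
    server.register("alice", "correct horse")      # constructed credentials
    salt, nonce = server.challenge("alice")
    captured = client_response("correct horse", salt, nonce)
    first = server.verify("alice", captured)       # genuine login
    reused = server.verify("alice", captured)      # nonce already consumed
    server.challenge("alice")                      # new session, new nonce
    replayed = server.verify("alice", captured)    # old response, new nonce
    return first, reused, replayed
```

The stored hash is itself the HMAC key, so anyone who reads the server's password file can log in without knowing the password. Nothing in this exchange authenticates the server or protects the session after login.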