On Thu, 20 Dec 2018, Odhiambo Washington wrote:
At the expense of sounding stupid, could you please expound on the sequence? :)
In a nutshell, during protocol handshake, the server gives the client a random string (nonce). Both the server and client performs a cryptographic hash of nonce+password, and the client tells the server the result of the hash, and the server compares the client's result with its own. If the results match, it proves the client has knowledge of the password.
The strength relies upon cryptographics hashes not being invertible. It's one way of protecting password from sniffing when you can't use SSL. However, there's many weaknesses: the password must be kept on the server in plaintext, offline brute forcing, etc.
Joseph Tam <jtam.home@gmail.com>