Comment Re:Use md5 (or something) over the wire (Score 1) 185
How exactly would that help? You could md5 hash a password and a timestamp, and this would at least limit the amount of time that a hashed password could be replayed, but it would not prevent the replay of the password. The nature of a hash is that it isn't something that you decode. It obscures something from view, so that a party on the other end, if it knows the same secret, can verify that you know the secret, without divulging the secret publicly.
But if someone can snoop your hash, they can replay it and pretend they know the secret, without actually knowing it.
This is why a hash protects the secret but doesn't protect the service from replay attacks; you need encryption also.
A hash is a good idea to be used in concert with encryption because then, even if the encryption is broken, the secret is not exposed. But a hash in itself is not a secure way to assert identity.
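Added example (not the commenter's code): a small Python simulation of the two schemes the comment contrasts. The first hashes the password together with a timestamp, so a captured digest stays valid for the whole acceptance window and a replay succeeds; the second has the server issue a single-use random nonce and verifies an HMAC over it, so the same captured response is rejected on the second submission. The shared secret, timestamps and window length are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demonstration; not a value from the thread.
SECRET = b"correct horse battery staple"


def client_timestamp_token(secret: bytes, now: int) -> tuple[int, str]:
    """Scheme discussed in the comment: digest of password plus timestamp."""
    digest = hashlib.sha256(secret + str(now).encode()).hexdigest()
    return now, digest


class TimestampServer:
    """Accepts any digest whose timestamp lies inside the window: replayable."""

    def __init__(self, secret: bytes, window: int = 30) -> None:
        self.secret = secret
        self.window = window  # seconds of clock skew tolerated

    def verify(self, ts: int, digest: str, now: int) -> bool:
        if abs(now - ts) > self.window:
            return False
        expected = hashlib.sha256(self.secret + str(ts).encode()).hexdigest()
        # Constant-time comparison so verification timing leaks nothing.
        return hmac.compare_digest(expected, digest)


class NonceServer:
    """Challenge-response: each nonce is random, server-issued and single use."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.outstanding: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:
            return False          # unknown, expired or already consumed
        self.outstanding.discard(nonce)  # consume before checking: one shot only
        expected = hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: str) -> str:
    """Prove knowledge of the secret without sending it: HMAC over the nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo_timestamp_replay() -> tuple[bool, bool, bool]:
    """Returns (first login, replay inside window, replay after window)."""
    server = TimestampServer(SECRET, window=30)
    ts, digest = client_timestamp_token(SECRET, now=1_000_000)
    first = server.verify(ts, digest, now=1_000_000)
    replay = server.verify(ts, digest, now=1_000_010)   # same bytes, 10 s later
    late = server.verify(ts, digest, now=1_000_100)     # outside the window
    return first, replay, late


def demo_nonce_replay() -> tuple[bool, bool]:
    """Returns (first login, replay of the identical nonce/response pair)."""
    server = NonceServer(SECRET)
    nonce = server.challenge()
    response = client_response(SECRET, nonce)
    first = server.verify(nonce, response)
    replay = server.verify(nonce, response)
    return first, replay


if __name__ == "__main__":
    print("timestamp scheme (first, replay, late):", demo_timestamp_replay())
    print("nonce scheme (first, replay):", demo_nonce_replay())
```

The nonce scheme answers only the replay problem the comment raises: the secret itself never crosses the wire, and a captured response is useless once its nonce is consumed. Everything else the client sends after authentication is still in the clear, which is the comment's point about needing encryption as well; the nonce set also needs an expiry in a real server so abandoned challenges do not accumulate.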