I am in the process of developing a custom tcp / ip protocol for mobile client-server communications. When this is not required (data is not sensitive), I would like to avoid using SSL for overhead (both with delayed acknowledgment and while saving cycles).
My question is, what is the best practice for transmitting authentication information over an unencrypted connection?
I currently like SRP or J-PAKE (they generate secure session tokens, hash / salt friendly and allow you to kick TLS if necessary), which I suppose are implemented in OpenSSL. However, I am a little wary, as I don’t see many people use these algorithms for this purpose. Pointers to any materials discussing this topic as a whole will also be appreciated, as I had problems with the search.
Edit
Perhaps the question should have been: is there a best practices approach for secure passwords over unencrypted tcp / ip? If not, what are the reasons for choosing a particular method over others? (The answer to Rooks is the closest to this question so far, even if it violates the letter).
Change, part of deux
First of all, I am interested in authentication on a client-server server, where there is an expectation that both parties have a common secret (password) a priori.
source
share