I have implemented the multistage authentication illustrated below.
Brackets ([ and ]) symbolize a hash.
The client has a key and a secret used for authentication. The server has a database table with rows containing a key, salt and a [secret + salt].
Client                                Server
|                                          |
----------------- key -------------------->|
|                                          |
|                                          |
|<--------- server-nonce -------------------
|<------------ salt ------------------------
|                                          |
|                                          |
------------ key ------------------------->|
------------ client-nonce ---------------->|
--[c-nonce + s-nonce + [secret + salt]] -->|
|                                          |
The server then checks the hash received against its own information.
My concern is that this enables an attacker to get hold of the salt from the server and then produce a rainbow table to hack that account. What are your thoughts on this?
You’re right. If an attacker knows this is how the system works, there is a chance to capture the data and crack it. It is not secure.
I don’t understand why you’re going down this route when there are many other systems (SSL, public key authentication, etc.) that don’t have these pitfalls.
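
The exchange from the question, written out as an added example that is not part of either post. It assumes the bracket hash is SHA-256 over the concatenated bytes, and all class and function names are hypothetical. The last helper shows the concern both posts raise: the salt, both nonces and the response all cross the wire, so a guessed secret can be checked against a captured exchange without contacting the server.

```python
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    """The post's [a + b]; assumed to be SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()

class Server:
    def __init__(self):
        self.rows = {}     # key -> (salt, [secret + salt])
        self.pending = {}  # key -> server-nonce awaiting a response

    def enroll(self, key: bytes, secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.rows[key] = (salt, h(secret, salt))

    def challenge(self, key: bytes):
        """Round 1: the salt is handed to anyone who presents a key."""
        salt, _ = self.rows[key]
        s_nonce = secrets.token_bytes(16)
        self.pending[key] = s_nonce
        return s_nonce, salt

    def verify(self, key: bytes, c_nonce: bytes, response: bytes) -> bool:
        """Round 2: recompute the hash from the stored row and compare."""
        s_nonce = self.pending.pop(key, None)  # single use, so a replay fails
        if s_nonce is None or key not in self.rows:
            return False
        _, stored = self.rows[key]
        return hmac.compare_digest(h(c_nonce, s_nonce, stored), response)

def client_response(secret, salt, s_nonce, c_nonce) -> bytes:
    # [c-nonce + s-nonce + [secret + salt]]
    return h(c_nonce, s_nonce, h(secret, salt))

def guess_matches_transcript(guess, salt, s_nonce, c_nonce, response) -> bool:
    """Every argument except `guess` was sent in the clear, so this check
    runs entirely offline; only the entropy of the secret limits it."""
    return hmac.compare_digest(
        client_response(guess, salt, s_nonce, c_nonce), response)

def run_exchange(server: Server, key: bytes, secret: bytes):
    """Drive both rounds; return the result and what an observer saw."""
    s_nonce, salt = server.challenge(key)
    c_nonce = secrets.token_bytes(16)
    response = client_response(secret, salt, s_nonce, c_nonce)
    return server.verify(key, c_nonce, response), (salt, s_nonce, c_nonce, response)
```

The nonces stop a captured response from being replayed, but they do nothing to slow the offline check, which is why the answer points to a protected channel or public key authentication instead.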