On Thu, 11 Apr 2002, Shahed Moolji wrote:
> I just happened to chance upon these postings, and am interested in knowing where I can find info on the Yahoo challenge / response.
Well, if we knew where, then this thread wouldn't exist. The purpose of this thread is to generate just such information.
One way of generating a challenge, and I'm guessing this is what Yahoo does, is to use the username, a timestamp and a random number passed through MD5_Update to generate an MD5 hash. This is sent to the client.
The client then has some elaborate algorithm, not too dissimilar from the one used to create MD5 passwords in /etc/shadow. This algorithm hashes the password to generate a new MD5 hash. It probably also hashes the username. Two hashes are sent back which are authenticated by the server.
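The exchange guessed at above, as an added sketch that is not part of the original post and is not Yahoo's actual protocol. How the two response hashes are composed, the 60-second lifetime, and all names (`Server`, `client_response`, `md5_hex`) are assumptions made for illustration; MD5 is used only because the post names it.

```python
import hashlib, hmac, os, time

MAX_AGE = 60  # seconds a challenge stays valid (assumed value)

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def make_challenge(username, now):
    """Server side: username, timestamp and a random number fed through
    successive update() calls (the hashlib analogue of MD5_Update)."""
    h = hashlib.md5()
    h.update(username.encode())
    h.update(str(now).encode())
    h.update(os.urandom(16))
    return h.hexdigest()

def client_response(username, password, challenge):
    """Client side: two hashes, one bound to the password, one to the username.
    The exact composition is hypothetical; the post only says two hashes return."""
    r1 = md5_hex(md5_hex(password) + challenge)
    r2 = md5_hex(username + challenge)
    return r1, r2

class Server:
    def __init__(self, users):
        self.users = users    # username -> md5_hex(password), constructed sample data
        self.pending = {}     # challenge -> (username, issued_at)

    def issue(self, username, now=None):
        now = int(time.time()) if now is None else now
        challenge = make_challenge(username, now)
        self.pending[challenge] = (username, now)
        return challenge

    def verify(self, username, challenge, r1, r2, now=None):
        now = int(time.time()) if now is None else now
        # pop() makes every challenge single-use, so a captured response cannot be replayed
        entry = self.pending.pop(challenge, None)
        if entry is None or entry[0] != username or now - entry[1] > MAX_AGE:
            return False
        stored = self.users.get(username)
        if stored is None:
            return False
        e1 = md5_hex(stored + challenge)
        e2 = md5_hex(username + challenge)
        # constant-time comparison of both hashes
        return hmac.compare_digest(r1, e1) and hmac.compare_digest(r2, e2)
```

The server here only needs the stored MD5 of the password, which also means that stored value is itself sufficient to answer a challenge.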