Security of VNC passwords
Scott C. Best
sbest "at" best.com
Sun Jan 29 16:54:01 2006

Heya. When you make a VNC connection, the password you
type is not sent across the wires, not in plaintext, and not
encrypted. Instead, the exchange uses something called "challenge
response". Good description here:

Works mostly like this: the server creates a random number,
encrypts it with the known password, and sends that in a message
to the viewer. Anyone "spying" on the wires sees only randomness.
The viewer receives that message and decrypts the random number
using the password the user provided (i.e., typed into the viewer).
It then combines that number with the password, and creates a
"hash" (i.e., a one-way function) of the result. It sends that hash
result back to the server. The server then does the same thing:
it combines the random number with the known password, uses the
same hash algorithm, and gets a result. If that result matches
the result sent by the viewer, then the viewer must "know" the
same password. That is, the viewer had a correct "response" to
the server's "challenge".

hope that helps,

> How secure are the VNC passwords in the free version of realVNC?
> By that, I mean the following: I understand that the VNC session itself is
> not encrypted, so that someone could intercept the VNC session. My question
> is: when I _open_ a VNC session by connecting from a client to a server, is
> the password sent in plain text, or is it encrypted? (If it's sent in plain
> text, then it would be a bad idea to advise naive users that it's OK to have
> the VNC password identical to their UNIX account password.)
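
Added example, not part of the original message and not VNC's own code: a small challenge-response exchange of the kind described in the reply above, showing both sides and why a fresh random number per connection makes a recorded response useless. Assumptions: the challenge is sent as plain random bytes, HMAC-SHA-256 stands in for the one-way function (it is not the algorithm VNC itself uses), and the names Server, viewer_response, run_exchange and replay_old_response are hypothetical.

```python
import hashlib
import hmac
import secrets


class Server:
    """Holds the configured password and issues one-time challenges."""

    def __init__(self, password: str):
        self._password = password.encode()
        self._pending = None  # challenge still waiting for a response

    def new_challenge(self) -> bytes:
        # A fresh random number for every connection attempt.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # single use
        expected = hmac.new(self._password, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def viewer_response(challenge: bytes, typed_password: str) -> bytes:
    """Viewer side: combine the challenge with the typed password and hash."""
    return hmac.new(typed_password.encode(), challenge, hashlib.sha256).digest()


def run_exchange(server: Server, typed_password: str) -> bool:
    """One full connection attempt; the password itself never crosses the wire."""
    challenge = server.new_challenge()
    return server.verify(viewer_response(challenge, typed_password))


def replay_old_response(server: Server, typed_password: str) -> bool:
    """A response recorded in one session is checked against a new challenge."""
    old = viewer_response(server.new_challenge(), typed_password)
    server.new_challenge()  # new connection, new random number
    return server.verify(old)


if __name__ == "__main__":
    srv = Server("pw-constructed")  # constructed sample password
    print("correct password: ", run_exchange(srv, "pw-constructed"))
    print("wrong password:   ", run_exchange(srv, "guess"))
    print("replayed response:", replay_old_response(srv, "pw-constructed"))
```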