Authentication between Client and Server
I was just thinking about whether there is a way to authenticate without sending the password.
Client requests the Server (parameters: username)
Server generates a random key and encrypts it with the user's password (plain text / hashed)
Server returns the encrypted key
Client decrypts the key using her password (plain text / hashed)
This way both sides end up sharing the secret key
All further communication relies on the secret key
adv:
man in the middle attack: no
replay attack: no (the random key has a time limit)
disadv:
not practical in http
server may have heavy loading (as it keeps a key per client)
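The exchange described above, as an added example that is not part of the original post: the server wraps a fresh random key under the user's password hash, the client unwraps it with its own password, and later messages are checked with an HMAC under the shared key until the key's time limit passes. The cipher (HMAC-SHA256 keystream), the PBKDF2 password hash, the user "alice" and her password are assumptions of this example.

```python
import hashlib, hmac, os, secrets
KEY_TTL = 60  # seconds the random key stays valid (the page's replay defence)

def hash_password(password, salt):
    # Password stored hashed (the page allows plain text or hashed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_key(pw_hash, session_key):
    # Encrypt the 32-byte session key under the password hash with
    # HMAC-SHA256(pw_hash, nonce) as a one-block keystream (assumption of this example).
    nonce = os.urandom(16)
    return nonce, xor(hmac.new(pw_hash, nonce, hashlib.sha256).digest(), session_key)

def unwrap_key(pw_hash, nonce, ciphertext):
    return xor(hmac.new(pw_hash, nonce, hashlib.sha256).digest(), ciphertext)

class Server:
    def __init__(self, users):
        self.users = users   # username -> (salt, password hash), constructed
        self.sessions = {}   # username -> (session_key, expiry): per-client state

    def request(self, username, now):
        # Steps 1-3: client sends its username; server returns a random key
        # encrypted under that user's password hash (plus the salt).
        salt, pw_hash = self.users[username]
        session_key = secrets.token_bytes(32)
        self.sessions[username] = (session_key, now + KEY_TTL)
        nonce, ct = wrap_key(pw_hash, session_key)
        return salt, nonce, ct

    def verify(self, username, msg, tag, now):
        # Later traffic is authenticated with HMAC under the shared key;
        # an expired key is rejected, so a replayed message fails.
        entry = self.sessions.get(username)
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(hmac.new(entry[0], msg, hashlib.sha256).digest(), tag)

def run_exchange(password, now=0):
    salt = b"constructed-salt"
    server = Server({"alice": (salt, hash_password("correct horse", salt))})
    salt, nonce, ct = server.request("alice", now)
    session_key = unwrap_key(hash_password(password, salt), nonce, ct)  # client side
    msg = b"GET /inbox"
    tag = hmac.new(session_key, msg, hashlib.sha256).digest()
    return (server.verify("alice", msg, tag, now + 1),
            server.verify("alice", msg, tag, now + KEY_TTL + 1))
```

A wrong password yields a different unwrapped key, so the client's tags never verify; a correct one verifies until KEY_TTL elapses.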
