Security, cryptography: Stupid Challenge - Response protocol?

Question

Ok guys just a small game:

I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a challenge response protocol:

CLIENT ----------------------------- SERVER

(1)ask for challenge -------------->

(2)    <---------------------------- send SHA1 taken from the time
                                       (this is the challenge)
(3) make SHA1 xor PASSWORD --------> if it's equal to SHA1 xor stored password

(4)    <---------------------------- Grant access

For those who don't know it SHA stands for Secure Hashing Algorithm, a standard algorithm for cryptography.

I hope it's clear. Question is: If I sniff packets 2 and 3 (the "challenge" and the "challenge xor password", I do have the actual password just with another xor between them both!?!? There is other way to implement this kind of protocol??

Answer 1

How about the following:

1. Server sends a random challenge
2. Client sends SHA1 checksum of (challenge+password)
3. Servers compares against SHA1 checksum of (challenge+stored password)

Answer 2

You would be able to reverse engineer the password. You want to send the SHA of the password, not the password itself. Rolling your own security protocols is almost never a good idea. Can you not use SSL or something equivalent?

http://en.wikipedia.org/wiki/Cryptographic_nonce