Experimental implementation of SimpleMD5

An Experimental Implementation of SimpleMD5
-------------------------------------------

Simpmd5 is a server side implementation of the proposed SimpleMD5
authentication method for HTTP.  The current specification for the
proposal can be found at

	http://www.spyglass.com/techreport/simple_aa.txt

This specification describes an addition to the HTTP protocol to
allow authentication in a way that does not send passwords over the
network unencrypted.  It is intended as a replacement for Basic
authentication.  At present no publically available clients support it.

The SimpleMD5 protocol has several important advantages in addition
to transmitting only encrypted passwords.

1. It is simple, maybe even easier to implement than Basic authentication.

2. It is very limited in its goals.  It has no connection with any of
   the competing security protocols (Shen, S-HTTP, SSL).  This means
   clients can introduce it as a replacement for Basic authentication
   only.  No commitment to one of the security protocols is implied and
   it is not necessary to wait for security standards to emerge before
   implementing it.

3. It is flexible.  It allows for added features in the server (see below
   for examples).


Simpmd5 is an experimental implementation of SimpleMD5 intended for
use as an authentication module with the WN http server (see
http://hopf.math.nwu.edu/).  But it can also run as a standalone
program in which case it will do two things: a) generate a server
SimpleMD5 request for authentication or b) consult the enviroment
variable HTTP_AUTHORIZATION, parse a client Authorization line there,
consult a password file and return a string indicating acceptance
or rejection.

This implementation has two interesting features which are not
part of the specification but are made possible by the flexibility of
the proposed method.

1. Timestamps:  The maintainer can set the time period for which
   authentication granted the client is valid.  After this time period
   the client will have to re-authenticate.   The time period can be
   set to any number of seconds (or be unlimited) and is accurate to
   within 1% of the specified value.  The timestamp is encoded in the
  "opaque" header field (see the specification).

2. IP address stamps:  The IP address (or the IP address of the
   client's proxy) is encoded in the "opaque" header field.  This means
   that a replay attack would have to spoof the server with a false
   IP address.

The simpmd5 program is written in C and the source code is available
freely for any use.  You can obtain it from 

	http://hopf.math.nwu.edu/simpmd5.tar



John Franks   john@math.nwu.edu

Received on Saturday, 21 January 1995 17:14:45 UTC