W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Re: SimpleMD5 quibbles

From: John Franks <john@math.nwu.edu>
Date: Wed, 1 Feb 1995 16:15:08 -0600 (CST)
Message-Id: <9502012215.AA05918@hopf.math.nwu.edu>
To: Dave Kristol <dmk@allegra.att.com>
Cc: www-security@ns2.rutgers.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, eric@allegra.att.com, john@math.nwu.edu, jeff@spyglass.com
According to Dave Kristol:
> 
> I have finally gotten to play with the SimpleMD5 spec. from Spyglass
> and John Franks's toolkit.  I would like to offer these suggestions.
> 
> 1) The password that gets MD5-ed by the client must be stored on the
> server as plaintext, so the server can do MD5(nonce password).  I find
> that to be a problem, since, at least in my environment, many of the
> servers are on Unix machines with shared file systems, and it would be
> relatively easy for someone to find another's password.  I would prefer
> that the password be stored encoded by some function f() (possibly MD5?).
> Then the client would compute MD5(nonce f(passwd)), and the server could
> duplicate the computation, except it would have f(passwd) in its password
> file already.

This is a good idea, but it is important to understand that it doesn't
really protect you the way you might think.  It is still necessary to
protect the password file from being read by any untrusted user.  If
an untrusted user gets the encoded password f(passwd) he can create
MD5(nonce f(passwd)) and access everything the user with passwd is
entitled to.  The reason it is a good idea is that people foolishly
tend to use the same password on many systems so the sysadmin on the
SimpleMD5 system might read the password and guess that the user has
that password on a different system.

It would also be a very good idea to actually encrypt the password in
the password file and decrypt it when checking access.  This may
involve export problems though.  Here is a way one might do it using
only MD5 (which is exportable).  Have a KEY known only to the server
and password management utilities. In the password file store

	username:salt:encrypted_pw
where
	encrypted_pw :=	password xor MD5( username:salt:KEY)

then the server can extract password because it is equal to

	encrypted_pw xor MD5( username:salt:KEY)

The salt must change whenever the user changes password.  Someone
reading the password file cannot decrypt the password without knowing
KEY.  

I don't know how cryptographically sound this is but it should be good
enough for SimpleMD5.  I also am not certain that the fact that SimpleMD5
is exportable would make this exportable.

John Franks
Received on Wednesday, 1 February 1995 14:19:51 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:13 EDT