
Re: more on Digest Auth

From: John Franks <john@math.nwu.edu>
Date: Wed, 21 Feb 1996 17:46:14 -0600 (CST)
To: Paul Leach <paulle@microsoft.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.91.960221174004.9736D-100000@hopf.math.nwu.edu>
On Wed, 21 Feb 1996, Paul Leach wrote:
> 
> If the client doesn't change the nonce each time, there's no replay 
> protection without a challenge each time.  So,  the third part  of the 
> suggestion is to make the last 32 bits of the nonce not be opaque.
> 
> Does that help?
> 

Yes, now I understand what you are saying.  But I hope you understand
my point that replay attacks are usually pointless in this protocol.
If I can get the digest necessary for a replay attack, I can also get
the document by the same method.  The replay could only get me the
same document again because the URI is hashed in the digest.

If the documents change frequently so that a later request for the
same URI would give a new document then timestamps are indicated.
At least the implementations done by Dave Kristol and the one done
by me provide for this.


John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu
Received on Wednesday, 21 February 1996 15:48:38 EST
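As an added illustration of the two points argued in this exchange (it is not code from the message above, nor from the Kristol or Franks implementations it mentions), the Python below computes an RFC 2069-style Digest response and shows why a captured digest cannot be replayed against a different URI, and how a nonce whose trailing field is a readable timestamp lets the server reject a replay of the same URI once the nonce has aged out. The credentials, realm, server key, HMAC tag on the nonce and the 300-second window are all constructed assumptions for the demo; the thread itself only proposes that part of the nonce be non-opaque.

```python
import hashlib
import hmac

# Constructed sample values for the demo (assumptions, not taken from the thread).
SERVER_KEY = b"constructed-server-secret"
REALM = "example-realm"
USERNAME = "alice"
PASSWORD = "correct horse"
NONCE_MAX_AGE = 300  # seconds a nonce stays acceptable; an assumed policy


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(timestamp: int) -> str:
    """Nonce whose timestamp field is readable (non-opaque) plus a keyed tag.
    The HMAC tag is an assumption for this demo; it lets the server reject a
    nonce with a forged timestamp without keeping per-nonce state."""
    tag = hmac.new(SERVER_KEY, str(timestamp).encode(), "sha256").hexdigest()[:32]
    return f"{timestamp:08x}:{tag}"


def nonce_is_valid(nonce: str, now: int) -> bool:
    """Accept the nonce only if its tag verifies and it is within NONCE_MAX_AGE."""
    ts_hex, _, tag = nonce.partition(":")
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, str(ts).encode(), "sha256").hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return False
    return 0 <= now - ts <= NONCE_MAX_AGE


def digest_response(username: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """RFC 2069-style response: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri).
    Because the URI is inside HA2, the response is bound to that one URI."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(username: str, nonce: str, method: str, uri: str,
                  response: str, now: int) -> str:
    """Return 'ok', 'stale' (nonce rejected) or 'bad' (digest does not match)."""
    if not nonce_is_valid(nonce, now):
        return "stale"
    # The server knows the user's password (or stored HA1); constructed lookup here.
    expected = digest_response(username, REALM, PASSWORD, nonce, method, uri)
    return "ok" if hmac.compare_digest(expected, response) else "bad"


def demo() -> dict:
    """Run the four cases discussed in the thread and return each outcome."""
    t0 = 1_000_000
    nonce = make_nonce(t0)
    resp = digest_response(USERNAME, REALM, PASSWORD, nonce, "GET", "/docs/report.txt")
    return {
        # Legitimate request shortly after the challenge.
        "fresh_same_uri": server_verify(
            USERNAME, nonce, "GET", "/docs/report.txt", resp, t0 + 10),
        # Same captured digest presented for a different URI: HA2 differs, so it fails.
        "replayed_to_other_uri": server_verify(
            USERNAME, nonce, "GET", "/docs/secret.txt", resp, t0 + 10),
        # Same URI replayed after the nonce window: timestamp check rejects it.
        "replayed_after_expiry": server_verify(
            USERNAME, nonce, "GET", "/docs/report.txt", resp, t0 + NONCE_MAX_AGE + 1),
        # Nonce with a rewritten timestamp but no valid tag is rejected outright.
        "forged_nonce": server_verify(
            USERNAME, f"{t0 + 10:08x}:" + "0" * 32, "GET", "/docs/report.txt", resp, t0 + 10),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The first two cases are Franks's point: a captured digest only ever reproduces the request it was made for, since the URI is hashed into it. The third case is the situation where he says timestamps are indicated, a resource that changes under the same URI, and shows the server refusing the aged nonce rather than serving a fresh copy of the document to a replayed request.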
