FW: more on Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 21 Feb 96 19:53:24 PST
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960222034515MTP[01.52.00]000000b1-107732
Resend -- typo on the WG list name..
----------
From: Paul Leach
To: john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com
Subject: Re: more on Digest Auth
Date: Wednesday, February 21, 1996 7:52PM

John said --

] I didn't carefully follow your nonce incrementing proposal, but the
] only way I can immediately see to make it useful in preventing replay
] attacks is for the server to keep a data base of used nonces and the
] number of times each has been used.  Otherwise the server wouldn't
] know if the nonce had been properly incremented each time.  Keeping
] this data would constitute a "very big change" for a large heavily
] loaded server.

I posted the 47 lines of code it takes to detect reuse of nonces. The 
most expensive operation was hashing (not digesting) the username and 
password.  I'll time it tomorrow -- I'll bet it doesn't take more than 
20 microsecs on a 100 MHz Pentium.

So I don't think it's a "very big change".


Paul
Received on Wednesday, 21 February 1996 19:47:05 EST
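
The server-side bookkeeping this exchange argues about, as an added example: it is not the 47 lines Paul Leach refers to, which are not on this page. It assumes each request carries a server-issued nonce plus a count that must be strictly greater than the last one accepted, and that the request digest covering both has already been verified; NonceTracker, its method names and the table-size bound are hypothetical.

```python
from collections import OrderedDict


class NonceTracker:
    """Per-nonce record of the highest count accepted so far (bounded table)."""

    def __init__(self, max_entries=10000):
        # Assumption: a fixed bound keeps memory constant on a busy server;
        # the oldest nonces are evicted and their clients must re-authenticate.
        self.max_entries = max_entries
        self._last = OrderedDict()  # nonce -> last accepted count

    def issue(self, nonce):
        """Register a nonce the server has just sent in a challenge."""
        self._last[nonce] = 0
        self._last.move_to_end(nonce)
        while len(self._last) > self.max_entries:
            self._last.popitem(last=False)  # drop the least recently used nonce

    def check(self, nonce, count):
        """Classify a verified request as 'ok', 'replay' or 'stale'."""
        last = self._last.get(nonce)
        if last is None:
            return "stale"   # never issued, or evicted: send a fresh challenge
        if count <= last:
            return "replay"  # count was not incremented: a captured request
        self._last[nonce] = count
        self._last.move_to_end(nonce)
        return "ok"


def demo():
    """Run a constructed request sequence and return the verdicts."""
    tracker = NonceTracker(max_entries=2)
    tracker.issue("nonce-A")  # constructed sample nonce
    requests = [("nonce-A", 1), ("nonce-A", 2), ("nonce-A", 2),
                ("nonce-A", 1), ("nonce-A", 3), ("nonce-X", 1)]
    return [tracker.check(n, c) for n, c in requests]


if __name__ == "__main__":
    print(demo())
```

Each check is one dictionary lookup and one comparison, so the per-request cost is dominated by hashing the key, and the state is one integer per live nonce.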