W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: Digest Auth defending against replay

From: Paul Leach <paulle@microsoft.com>
Date: Mon, 26 Feb 96 18:43:46 PST
To: hallam@w3.org, john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960227023659MTP[01.52.00]000000b1-115752
I think Phil's trick is very clever too. Applying this idea to the 
current controversy, it gives me an idea.

I would be happy to get rid of the explicit sequence number from the 
nonce in favor of something that seems like it is the combination 
Phil's idea, your draft and my suggestions.

It's like "one-time responses", but with a way to compress the storage 
that remembers all the previous responses. The client never generates 
the same response twice; it makes the responses vary by XORing in some 
bit string that the server can predict. Thus, the server just needs to 
duplicate the client's munging of the
nonce by updating its prediction of the client's bit string each time 
it receives a request, instead of storing all of the clients previous 
responses.

I'm happy to accept  any form of the predictable bit string generator 
that others find acceptable (as long as it's not a constant... :-)

Use of this technique  can be *completely* optional, as long as there 
is agreement on what the predictable bit string generating function is 
among those using the option.

] ... I worry a little about
] generating a whole sequences of digests on data which has a byte
] incremented each time.  Does anyone know if MD5 is vulnerable given
] this kind of data?

This is a VERY good question.  Actually, I've never even heard anyone say
what the issues are of making a ton of digested "secret concatenated 
with known plaintext" material available to an attacker trying to 
discover the secret.

Note that a server can limit the amount of either kind of material 
available to an attacker by simply refusing to accept more than N 
Authorization: headers based on a single base nonce. In terms of the 
latest draft, it can vary the "private key" every N times and reissue a 
challenge (with "stale=true").

Paul
Received on Monday, 26 February 1996 18:41:36 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:46 EDT