Digest and pipelining

If we can rely on requests being delivered in order, then I have a simple
algorithm to do replay prevention with pipelining.

1. The server sends a nonce which is a random number cocatenated with a
timestamp. It sends an "opaque" value (part of) which is a "client ID".
1. The client uses a nonce which is the concatentation of the nonce the
server sent it and a 3 digit count (mod 1000) of the number of requests it
has sent to the server, plus a client chosen random string (this last
prevents dictionary attacks). It sends back the 3 digits plus the client
chosen random string.
2. The server uses (part of) the opaque field to identify the client, and
concatenates the nonce it keeps associated with the opaque field with the
nonce sent by the client to get the complete nonce that it uses to check the
client's request. It keeps a counter of the requests associated with the
client ID; this count and that received from the client must match; after
matching it is incremented by one. The timestamp is checked to make sure it
isn't too old. When it expires, the association between the client ID and
the nonce and count can be discarded.

Can we depend on the requests being in order?

If we can't, then the server would need to keep a (say) 64 bit mask plus a
base count, and check that the count in the request hasn't been seen before;
when the count gets to be 0 mod 32, then the base count gets bumped by 32
and the mask gets shifted right by 32 bits. This would handle requests as
long as they weren't too out of order.
A little harder, but still not really tough. I'd be happy to code it for
inclusion.

Paul

Received on Tuesday, 20 January 1998 17:23:41 UTC