Re: Digest mess from Ben Laurie on 1998-01-06 (ietf-http-wg@w3.org from January to March 1998)

From: Ben Laurie <ben@algroup.co.uk>
Date: Tue, 06 Jan 1998 21:25:19 +0000
To: John Franks <john@math.nwu.edu>
Cc: Scott Lawrence <lawrence@agranat.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <34B2A13F.3F82A661@algroup.co.uk>

John Franks wrote:
> 
> On Tue, 6 Jan 1998, Ben Laurie wrote:
> 
> >
> > The Apache implementation is already marked as not suitable for serious
> > use, because of the server's vulnerability to a replay.
> 
> I don't understand.  The Apache implementation only authenicates a client
> to the server.  This works.  There is no possibility of replay unless
> the server re-uses nonces (which I can't believe any implementation
> would do).

How does the server know the client has responded with the nonce the
server sent? This requires a pile of mechanisms Apache hasn't got, or
some way of recreating the same nonce.

> Going the other direction, the base digest mechanism (as implemented
> in Apache) does not authenticate a server to a client.  It is just
> like Basic in that respect.  Since there is no authentication there
> can be no attack, replay or otherwise.

Eh? The attack in Basic is "snarf the password and then use it for your
own evil purposes". The equivalent attack in Digest is "snarf the nonce
and the hashed password+nonce and use it for your own evil purposes".
That is a replay attack. The defence is to know that the nonce is a dud.
The question is, how?

> 
> The base digest authentication is a replacement for Basic, but without
> passwords in the clear.  Apache presumably does that fine.  This is a
> "serious use".  There are, of course, other "serious uses" which it
> does not implement and this will always be the case.
> 
> >
> > Actually, if we could insist that the digest authed request was in the
> > same keptalive session as the original request, that'd help a lot...
> >
> 
> Why?  Are you saying that once Apache has received valid credentials
> for one request it allows access for (some) other requests in the same
> keep-alive session which don't have credentials?  Surely, that can't
> be true.

No, not at all. What I meant is that if we can insist that a Digest auth
comes in on the same connection as the nonce was sent on, it makes it
much easier to keep track of nonces.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Received on Tuesday, 6 January 1998 13:31:26 UTC