- From: Ned Freed <NED@innosoft.com>
- Date: Tue, 20 Feb 1996 15:00:25 -0800 (PST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: fielding@avron.ICS.UCI.EDU, pjc@trusted.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> Based on the comments about Digest when (I think it was Larry Masinter)
> was asked that it be reviewed by the www-security list, and from the brief
> description that Peter included in his message, it appears
> that APOP authentication does not suffer from the replay
> attack that was present in the then current Digest design.

The current digest document lets the server choose between allowing old "nonce" values, in which case replay attacks are possible, or generating a new one every time, in which case replay attacks are no longer possible against a single server.

There is still some danger, however, in that the only material included under the checksum is the username and password. Should someone elect to use the same password with two different servers there is some possibility that should the nonce value sequences from the two servers overlap there would be some vulnerability to a replay attack of a client's interaction with one server on the other server. This could be easily defeated by using hash values for the nonce sequence rather than a strict ascending sequence as implied by the specification.

And POP3's APOP is not necessarily immune from this attack, since there is no mechanism that guarantees that two different servers will generate different sequences of one-time values.

I would prefer it if the nonce values in the digest specifications were simply strings and the specification recommended inclusion of server-unique information in the string.

But this is a nit and nothing more -- it isn't enough of a deficiency in the digest specification to warrant the addition of APOP as yet another security scheme. And even if it were, I think the better approach would be to fix the digest specification.

Ned
Received on Tuesday, 20 February 1996 15:17:41 UTC
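
The overlap between two servers' nonce sequences discussed in the message above, and the effect of putting server-unique information in the nonce, modelled as an added example that is not part of the original e-mail or of any Digest or APOP implementation. It assumes a simplified checksum over username, password and nonce with SHA-256 as a stand-in hash; the `Server` class, host names and credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def response(user, password, nonce):
    # Simplified model (assumption): checksum over username, password and nonce only.
    return hashlib.sha256(f"{user}:{password}:{nonce}".encode()).hexdigest()

class Server:
    """Hypothetical server that accepts each nonce it issued exactly once."""
    def __init__(self, name, users, unique_nonces):
        self.name, self.users, self.unique = name, users, unique_nonces
        self.key = secrets.token_bytes(32)  # per-server secret
        self.counter = 0
        self.outstanding = set()

    def challenge(self):
        self.counter += 1
        nonce = str(self.counter)  # strict ascending sequence
        if self.unique:
            # Opaque string: server-unique information plus a keyed hash.
            tag = hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()[:16]
            nonce = f"{self.name}:{nonce}:{tag}"
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, resp):
        if nonce not in self.outstanding:
            return False  # never issued here, or already used
        self.outstanding.remove(nonce)
        expected = response(user, self.users[user], nonce)
        return hmac.compare_digest(resp, expected)

def cross_server_replay(unique_nonces):
    """Return (login at A, same message resent to A, same message sent to B)."""
    users = {"alice": "same-password"}  # constructed: one password on both servers
    a = Server("a.example", users, unique_nonces)
    b = Server("b.example", users, unique_nonces)
    nonce = a.challenge()
    captured = ("alice", nonce, response("alice", users["alice"], nonce))
    legit = a.verify(*captured)     # the client's real login at A
    replay_a = a.verify(*captured)  # rejected: A already consumed this nonce
    b.challenge()                   # B independently issues its own next nonce
    replay_b = b.verify(*captured)  # accepted only if B issued the same nonce value
    return legit, replay_a, replay_b

if __name__ == "__main__":
    print("ascending nonces:    ", cross_server_replay(False))
    print("server-unique nonces:", cross_server_replay(True))
```

With ascending nonces the message captured at one server is accepted by the other; with server-unique nonce strings it is rejected by both after first use.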