- From: Daniel W. Connolly <connolly@hal.com>
- Date: Wed, 11 Jan 1995 16:17:19 -0600
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I like the SimpleMD5 proposal. The quicker it gets deployed, the better, the way I see it. I've been reviewing S/Key etc., and they don't have the right characteristics to get quickly and cheaply deployed.

However... folks should know what they're getting into if they settle for SimpleMD5: it _is_ subject to the man-in-the-middle attack:

I can do this without even forging/sniffing IP packets:

Mr. BlackHat sees some juicy financial data offered by Dow Jones on a subscription basis. He posts to some discussion forum where subscribers of this service hang out: he makes it look like his message/article is from Dow Jones (easy!), and says:

    We're pleased to announce a
    <a href="http://black.hat.org/steal-juicy-data">replica of the Juicy Financial Database</a>.

Some unsuspecting subscribers follow that link, and send requests with their md5 hashed passwords to the black.hat.org server.

At least with SimpleMD5, Mr. BlackHat hasn't got their password. With Basic auth, he could re-use the password later. With a subscription service, that's no big deal (small loss of revenue for the provider). But in a pay-per-access setup, it would cause unauthorized charges for the end user.

So Mr. BlackHat's CGI-bin script forwards the request on to www.dowjones.com, which serves up the juicy data. black.hat.org records the juicy data and passes it back to the subscriber, who never notices the difference (although he's a little disappointed in the performance of the replica :-).

BlackHat's CGI script could even _change_ the request, grab the data he really wants, and report an error to the end user.

Mr. BlackHat doesn't go completely undetected. The log on www.dowjones.com _will_ show accesses from black.hat.org. But of course Mr. BlackHat could operate this scam from prep.ai.mit.edu or some such machine with zillions of users.

As I say... SimpleMD5 is a _huge_ improvement over Basic authentication, for very little cost. But the specification should explicitly call out the man-in-the-middle as a possible attack in the security considerations section or some such.

The bottom line is that with Basic authentication, the end user's confidential information is compromised. With SimpleMD5, the end user's confidential information _stays_ confidential, but the information provider is not guaranteed the authenticity of requests.

The information providers I know will definitely still go for this, but they need to know just how much effort is required to crack the system so they can figure it into their cost model.

Dan
Received on Wednesday, 11 January 1995 14:23:25 UTC