Re: potential security holes in digest authorization

According to Alex Hopmann:
> >That helps, but I have a quibble.  I would prefer not to tie the username
> >and password so strongly to a particular realm, because:
> >    1) I might like to change the name of the realm (if only slightly).
> I have to agree with this first quibble quite a bit. In an actual product
> implementation of message digest we have had some issues arise because if
> the server operator wants to change their realm, their entire user/password
> database suddenly becomes inoperative.
> 

The reason that the realm is encoded with the user and password in the
server password file is that people tend to reuse the same password.
If only the username and password are encoded and put in the password
file then the maintainer of server A, knowing H(username:password)
for his server can use this to gain access to those documents on
server B to which username has access.  This is assuming that the user
has the same password on both servers.

It would be nice if every user used a different password for every account
but this is not realistic.  Nothing in the draft addresses the problem of
how the user gets H(user:realm:password) into the server password file.

John Franks

Received on Friday, 14 July 1995 21:43:24 UTC
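The point John Franks makes above can be checked directly. The following is an added example, not code from the original thread or from any digest implementation; it uses MD5 as the H() of the 1995 drafts and shows (a) that a password-file entry of the form H(username:password) is identical on every server where the user reuses the password, so one server's password file is usable against another, (b) that binding the realm into the hash gives each server a distinct value, and (c) the cost Alex Hopmann describes: renaming the realm changes the stored value, so existing entries stop matching. The usernames, realms and passwords are constructed sample values, and the `user:realm:hash` line format is an assumed password-file layout.

```python
import hashlib


def H(s: str) -> str:
    """The H() of the digest drafts: MD5, rendered as lowercase hex."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def stored_without_realm(username: str, password: str) -> str:
    """What a server stores if the realm is left out of the hash."""
    return H(f"{username}:{password}")


def stored_with_realm(username: str, realm: str, password: str) -> str:
    """What the draft stores: H(user:realm:password), the later 'HA1'."""
    return H(f"{username}:{realm}:{password}")


def password_file_line(username: str, realm: str, password: str) -> str:
    """One entry in an assumed 'user:realm:hash' password-file layout."""
    return f"{username}:{realm}:{stored_with_realm(username, realm, password)}"


def verify(file_line: str, username: str, realm: str, password: str) -> bool:
    """Check a presented user/realm/password against a stored entry."""
    stored_user, stored_realm, stored_hash = file_line.split(":", 2)
    return (stored_user, stored_realm) == (username, realm) and \
        stored_hash == stored_with_realm(username, realm, password)


def realm_independent_value_is_reusable(username: str, password: str) -> bool:
    """(a) Without the realm, server A and server B hold the same value,
    so whatever grants access on B is already sitting in A's file."""
    on_server_a = stored_without_realm(username, password)
    on_server_b = stored_without_realm(username, password)
    return on_server_a == on_server_b


def realm_bound_values_differ(username: str, password: str,
                              realm_a: str, realm_b: str) -> bool:
    """(b) With the realm bound in, the two servers hold different values."""
    return stored_with_realm(username, realm_a, password) != \
        stored_with_realm(username, realm_b, password)


def rename_breaks_existing_entries(username: str, password: str,
                                   old_realm: str, new_realm: str) -> bool:
    """(c) The quibble: a realm rename invalidates every stored entry,
    because the old hash was computed over the old realm string."""
    line = password_file_line(username, old_realm, password)
    return verify(line, username, old_realm, password) and \
        not verify(line, username, new_realm, password)


if __name__ == "__main__":
    # Constructed sample values.
    user, pw = "alice", "correct horse battery staple"
    print("reusable without realm:", realm_independent_value_is_reusable(user, pw))
    print("distinct with realm:   ",
          realm_bound_values_differ(user, pw, "server-a", "server-b"))
    print("rename breaks entries: ",
          rename_breaks_existing_entries(user, pw, "Staff", "Staff Only"))
```

The last function is the operational trade-off the thread is circling: the realm is not just a display label but a key-derivation input, so once H(user:realm:password) is on disk, the realm string is effectively frozen unless every user re-enters a password.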