RE: Some comments on Digest Auth

On Tue, 20 Jan 1998, Paul Leach wrote:


> If Digest can be replayed, then it has the property of plaintext
> that we're trying to get rid of, and so we will have accomplished nothing.
> NOTHING!
> 

This is not right.  No one is advocating this, but even if each server
used only *one* publicly available nonce for all transactions
(different nonces for different servers) we would have accomplished quite
a lot.

Replay attacks on different servers or with different types of service
would not be possible.  Think of a user who chooses the same password
for his SSL/password protected bank account services and for
registration to a Web chat site.  With Basic on the chat site a MITM
gets access to this guy's bank account with digest he doesn't.

In fact a replay attack would only be good for updated versions of
a document the MITM had already seen.  This is an important base
and we need to keep it in mind as something already accomplished.
But we can certainly do better.

Right now we are wrestling with some competing requirements.
Let's list our goals:

1) Minimize or eliminate replay attacks on updated documents.

2) Preserve the benefits of pipelining.

3) Preserve the statelessness of servers (but state in the nonce is ok).

The order of importance for these goals might vary for different 
applications.  That is why I would like to leave a lot to the 
discretion of the implementor.  As Yaron says we should maximize
the server's flexibility.

It seems to me that a server which embeds a short lived timestamp and
a server secret (but nothing else) in the nonce does pretty well on these
goals.  It is not perfect, but it satisfies 2), and 3).  And it leaves
only a small window for replay attacks on updates.

Note, however, that we can't require a timestamp in the nonce because
some servers don't have clocks.

John Franks
john@math.nwu.edu

Received on Wednesday, 21 January 1998 07:08:11 UTC