Re: more on Digest Auth

On Wed, 21 Feb 1996, Ned Freed wrote:

> > In my implementation (based on John Franks's), the server expects the
> > returned opaque string to match one it can calculate from the other
> > parameters.  I don't claim to be a security or crypto expert, but I
> > think an adversary would have a hard time predicting what the opaque
> > string should be, because of the compile-time random number, if not the
> > timestamp.
> They don't have to predict it, the server will give it to them any time they
> want it. The WWW-Authenticate response from the server includes the opaque
> string that is supposed to be used in the next access attempt. So all they do
> is take this value, and as long as the nonce value it includes is one that
> they've snooped off the wire and know the digest for, they are all ready for a
> nice little replay attack on the server. The point is that the opaque
> string doesn't have to match the one that was previously used by the client
> since it didn't influence the digest.

I think the opaque in a replay attack does have to match the opaque
which was previously used by the client because the opaque contains a
hashed version of the nonce and the digest includes a hashed version
of the nonce.  So the server checks that the nonce, digest and opaque
in a request are all compatible.  The attacker knows the nonce but
can't compute the digest without the client's password and can't
compute the opaque without the server's secret key.

Of course, the attacker can snoop the client's transmission of nonce,
digest and opaque.  It can then do a replay attack *if* it can spoof
the client IP address.  This means not only convincing the server that
the attack request is coming from the client's address but getting the
server to return the document to the attacker while believing it is
returning the document to the client.  This can only be done while the
timestamp has not expired.

Keep in mind that the URI is also hashed into the digest.  So the replay
attacker can only get the same document which the client got when it
was snooped.  Since this document was not encoded it would be *much*
easier for the attacker just to grab the document in the original snoop.

So yes, a replay attack is possible.  There just isn't much point.  

It is important to keep a little perspective here.  No one has ever
suggested this protocol for banking transactions or for any
transaction which requires encrypted content going either way.  In
particular it cannot be used for any kind of credit card transaction.
The kind of thing it might be useful for is selling subscriptions to
an online database and restricting access to subscribers.  Then if I
manage to snoop on your transactions I would be able to view the
responses to your queries (and I wouldn't need replay to do it), but I
would not be able to make any queries of my own.

With Basic Authentication, on the other hand, once I snoop your
password I can make as many queries as I want and have them all added
to your bill if it is a pay per view service.  It is this kind of thing
which is really the point of Digest Authentication.

John Franks 	Dept of Math. Northwestern University

Received on Wednesday, 21 February 1996 15:38:25 UTC