- From: Paul Leach <paulle@microsoft.com>
- Date: Wed, 21 Feb 96 19:53:24 PST
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Resend -- typo on the WG list name..

----------
From: Paul Leach
To: john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com
Subject: Re: more on Digest Auth
Date: Wednesday, February 21, 1996 7:52PM

John said --

] I didn't carefully follow your nonce incrementing proposal, but the
] only way I can immediately see to make it useful in preventing replay
] attacks is for the server to keep a data base of used nonces and the
] number of times each has been used. Otherwise the server wouldn't
] know if the nonce had been properly incremented each time. Keeping
] this data would constitute a "very big change" for a large heavily
] loaded server.

I posted the 47 lines of code it takes to detect reuse of nonces. The most expensive operation was hashing (not digesting) the username and password. I'll time it tomorrow -- I'll bet it doesn't take more than 20 microsecs on a 100 MHz Pentium. So I don't think it's a "very big change".

Paul
Received on Wednesday, 21 February 1996 19:47:05 UTC
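
The exchange above turns on what server-side state is needed to notice a reused nonce count. The following is an added illustration, not the 47 lines Paul Leach refers to and not code from this thread: a fixed-size table that remembers the last count accepted for each nonce the server issued. The names nonce_issue and nonce_accept, the table size, and keying the table on the nonce string are assumptions of this sketch; it accepts any strictly larger count rather than requiring exactly last + 1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS     1024   /* assumed size; memory use is fixed regardless of load */
#define NONCE_MAX 64     /* assumed upper bound on nonce length, including NUL */

struct slot { char nonce[NONCE_MAX]; uint32_t last_nc; };
static struct slot table[SLOTS];

/* FNV-1a: cheap non-cryptographic hash, used only to choose a table slot. */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}

/* Record a nonce when the server sends it in a challenge. Returns 0 on success. */
int nonce_issue(const char *nonce) {
    size_t len = strlen(nonce);
    if (len == 0 || len >= NONCE_MAX) return -1;
    struct slot *s = &table[fnv1a(nonce) % SLOTS];
    memcpy(s->nonce, nonce, len + 1);  /* overwrites any older nonce in this slot */
    s->last_nc = 0;
    return 0;
}

/* Call only after the request's digest has verified, so that an unauthenticated
 * sender cannot advance the counter. Returns 1 if the count is fresh, 0 if the
 * count was already used or the nonce is unknown (server should re-challenge). */
int nonce_accept(const char *nonce, uint32_t nc) {
    size_t len = strlen(nonce);
    if (len == 0 || len >= NONCE_MAX) return 0;
    struct slot *s = &table[fnv1a(nonce) % SLOTS];
    if (strcmp(s->nonce, nonce) != 0) return 0;  /* never issued, or evicted */
    if (nc <= s->last_nc) return 0;              /* replayed or stale count */
    s->last_nc = nc;
    return 1;
}

int main(void) {
    const char *n = "constructed-sample-nonce";  /* constructed sample value */
    nonce_issue(n);
    printf("nc=1 first use: %d\n", nonce_accept(n, 1));
    printf("nc=1 replayed:  %d\n", nonce_accept(n, 1));
    printf("nc=2 next:      %d\n", nonce_accept(n, 2));
    return 0;
}
```

A nonce that has been overwritten by a newer one in the same slot is treated as unknown, so the table fails closed: the client gets a new challenge rather than a replay being accepted.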