Re: Some comments on Digest Auth

Dave Kristol wrote:
> Yaron Goland <> wrote:
>   > ASSUMPTION: Avoiding replay attacks is important enough to most implementers
>   > that either the standard will require or implementers will voluntarily
>   > refuse to accept the same nonce twice.
>   >
>   > GOAL OF THIS MESSAGE: To demonstrates that the current digest auth
>   > mechanism, from the point of view of performance in situations where we wish
>   > to prevent replay attacks, is unacceptably sub-optimal.
> Ah, excellent that you set those forth, because I disagree with the
> assumption.
> The purpose of Digest is to replace Basic, with its cleartext
> passwords.  Basic is already subject to replay attacks.  Digest should
> be no more susceptible, and it isn't more susceptible.  By clever
> choice of time-limited nonces, it can easily be less so.  But it isn't
> perfect.  We've known that for a long time.

Agreed. Another way of saying much the same thing is that HTTP is
stateless by design. Strictly avoiding the reuse of nonces makes it
stateful (at least, I can't see a way of doing it that doesn't).
However, we can get a very similar effect by time-limiting nonces,
without changing the nature of HTTP.

> So let me hark back to the discussion of a few weeks ago.  Let's not
> try to make Digest do something it was not intended to do.  Let's
> hold replay-proof Digest for digest-ng discussions.

Exactly. Also remember that for those cases where Digest is
insufficient, there is always SSL/TLS.



Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|
and Technical Director|Email: |Apache-SSL author
A.L. Digital Ltd,     |
London, England.      |"Apache: TDG"

Received on Monday, 19 January 1998 11:44:00 UTC