Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On 1/03/2012 1:46 p.m., Amos Jeffries wrote:
> On 01.03.2012 13:13, Adrien de Croy wrote:
>> NTLM could be made non-connection-oriented if http auth had some sort
>> of context attribute that identified the auth conversation (in both
>> challenges and responses), instead of having to associate it with the
>> connection.
>
> No. That just makes HTTP connection-oriented at the abstract level of 
> channels. No change to NTLM.

I disagree.  NTLM works even over UDP.

It's just 3 messages.  There's nothing tying it to a TCP connection 
inside the NTLM protocol.

Sure it's a couple more messages than simple challenge response.  
Normally ends in 3 requests and 2 challenges.  But it could be decoupled 
from the TCP connection.  Subsequent request would just need to be able 
to remind the server which auth conversation they relate to - e.g. 
sending back a token (nonce).  This token could then even be timed out 
by the server.

All the server needs to do to poke the next token into the SSPI is 
resolve the auth context.  A simple map of auth-conversation-token to 
SSPI token would take care of that.  Even allow for things like 
impersonation of client if done properly.

These could conceivably be replayed though, but doesn't Digest suffer 
from that?

>
> NTLM would also require dropping the second-stage token exchange 
> through the channel its authenticating. Which is effectively Kerberos, 
> and also a reason behind Kerberos being preferred for implementation 
> instead of NTLM across the WAN.

NTLM is nothing like Kerberos in terms of crypto etc.

Sure, Kerberos has many advantages.  For instance in SOCKS auth, you can 
do a kerberos auth with 1 message from the client.  That I presume is 
because the ticket is obtained out of band.

Adrien

>
> AYJ
>
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 is released! - http://www.wingate.com/getlatest/

Received on Thursday, 1 March 2012 00:56:22 UTC