IPP> SEC - Security Issue Discussion in IETF50 IPP WG Meeting in Minneapolis

Manros, Carl-Uno B cmanros at cp10.es.xerox.com
Wed Apr 4 19:14:27 EDT 2001


All,

During the IETF50 IPP WG meeting we had some discussions around some of the
security issues that have been discussed earlier on the IPP WG DL.

Here is a TXT version of the slides shown for that discussion. They are a bit
short, but hopefully they provide enough information for those of you who
are interested in the subject. This discussion was led by Scott Lawrence.

Carl-Uno

---

Scott Lawrence
slawrence at virata.com
lawrence at agranat.com

Main author of:

  RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication. 
  RFC 2817 - Upgrading to TLS Within HTTP/1.1

----- 

HTTP Digest Authentication Misconceptions

Purposes of the Client Nonce (cnonce)

  - Prevent Chosen-Plaintext Attack
  	Attacker spoofing server cannot choose all of the inputs to the authentication hash
  	Incidentally protects against sloppy nonce choices by server
  - Mutual Authentication
  	The client can check the response digest to verify that the server also knew
  	the shared secret.

------

HTTP Digest Authentication Misconceptions

Message Body Integrity Protection

  - NOT algorithm = MD5-sess
  	MD5-sess modifies shared secret usage to permit third party authentication
  	services; has no effect on body integrity

  - qop=auth-int
  	Provides body integrity protection by incorporating body hash into
  	authentication hash calculations
  	Note that you don't know the authentication status until the end

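The two slides above (cnonce as a client-chosen hash input, auth-int covering the body, rspauth for mutual authentication) can be seen directly in the RFC 2617 digest computation. The following is an added worked example, not part of the original slides or post; the Mufasa/testrealm values are the RFC 2617 section 3.5 example, while the entity body and the auth-int case are constructed for this illustration.

```python
import hashlib

# Credentials and request parameters: Mufasa/testrealm values come from the
# RFC 2617 section 3.5 example; everything under auth-int below is constructed.
CRED = dict(username="Mufasa", realm="testrealm@host.com", password="Circle Of Life")
REQ = dict(method="GET", uri="/dir/index.html",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def kd(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return md5_hex(f"{secret}:{data}".encode())


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5 (MD5-sess would only change how A1 is derived)."""
    return md5_hex(f"{username}:{realm}:{password}".encode())


def ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """H(A2): the entity body hash is included only when qop=auth-int."""
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    return md5_hex(f"{method}:{uri}".encode())


def digest(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    # The server nonce and the client nonce both enter the hash, so neither
    # party can choose all of the inputs (the chosen-plaintext point above).
    return kd(h1, f"{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_response(method, uri, nonce, nc, cnonce, qop, body=b"", **cred):
    """request-digest the client sends in the Authorization header."""
    return digest(ha1(**cred), nonce, nc, cnonce, qop, ha2(method, uri, qop, body))


def server_rspauth(method, uri, nonce, nc, cnonce, qop, body=b"", **cred):
    """rspauth in Authentication-Info: same digest with an empty method
    (RFC 2617 3.2.3); the client recomputes it to confirm the server also knew
    the shared secret (mutual authentication)."""
    return digest(ha1(**cred), nonce, nc, cnonce, qop, ha2("", uri, qop, body))
```

With qop=auth-int, changing a single byte of the body changes the request digest, and the same holds for the server's rspauth, which is why the client cannot know the authentication status until the whole body has been read.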
------

HTTP Digest Authentication Misconceptions

  When Can A Server Challenge? 
  	Any time it wants to. 
  
  Why Can A Server Challenge? 
  	Any reason it wants to. 
  
  How Can A Server Distinguish Protection Domains? 
  	Modify the realm? 

-----

Carl-Uno Manros
Manager, Print Services
Xerox Architecture Center - Xerox Corporation
701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231
Phone +1-310-333 8273, Fax +1-310-333 5514
Email: manros at cp10.es.xerox.com 