All,
During the IETF50 IPP WG meeting we had some discussions around some of the
security issues that have been discussed earlier on the IPP WG DL.
Here is TXT version of the slides shown for that discussion. They are a bit
short, but hopefully they provide enough information for those of you who
are interested in the subject. This discussion was led by Scott Lawrence.
Carl-Uno
---Scott Lawrence slawrence@virata.com lawrence@agranat.com
Main author of:
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication. RFC 2817 - Upgrading to TLS Within HTTP/1.1
-----
HTTP Digest Authentication Misconceptions
Purposes of the Client Nonce (cnonce)
- Prevent Chosen-Plaintext Attack Attacker spoofing server cannot choose all of the inputs to the authentication hash Incidentally protects against sloppy nonce choices by server - Mutual Authentication The client can check the response digest to verify that the server also knew the shared secret.
------
HTTP Digest Authentication Misconceptions
Message Body Integrity Protection
- NOT algorithm = MD5-sess MD5-sess modifies shared secret usage to permit third party authentication services; has no effect on body integrity - qop=auth-int Provides body integrity protection by incorporating body hash into authentication hash calculations Note that you don't know the authentication status until the end
------
HTTP Digest Authentication Misconceptions
When Can A Server Challenge? Any time it wants to. Why Can A Server Challenge? Any reason it wants to. How Can A Server Distinguish Protection Domains? Modify the realm?
-----
Carl-Uno Manros Manager, Print Services Xerox Architecture Center - Xerox Corporation 701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231 Phone +1-310-333 8273, Fax +1-310-333 5514 Email: manros@cp10.es.xerox.com
This archive was generated by hypermail 2b29 : Wed Apr 04 2001 - 19:15:58 EDT