
A Proposed Extension to HTTP : SimpleMD5 Access Authentication

  • David Harrison
    Message 1 of 2 , Mar 1, 1995
      I skimmed the Internet draft for an MD5 simple access authentication mechanism
      at:
      http://www.spyglass.com/techreport/simple_aa.txt

      I have read about SHTTP and HTTP, and see both using nonces for the
      authentication step in access control (although SHTTP has some other
      mechanisms as well). Not meaning to be presumptuous, but
      shouldn't the MD5 response field be "<nonce> <password> <resource requested>"
      as opposed to "<nonce> <password>."

      It seems to me that the "<nonce> <password>" is vulnerable to a man in the
      middle attack. Here's my reasoning:

      1. Alice requests resource R1.
      Mallet simultaneously requests R2 which Alice has access to.
      2. Since these are two separate transactions, the server (or possibly separate
      servers) returns two nonce values N1 and N2 for R1 and R2 respectively.
      3. Provided that the same password protects both resources, Mallet
      can swap N2 for N1.
      4. Mallet intercepts Alice's authorization and swaps response field into
      the authorization for resource R2.
      5. The server returns R2 instead of R1 which is not encrypted
      (since no encryption mechanism has been employed in HTTP), therefore
      Mallet picks up R2 as it goes by on the network.

      In this manner, Mallet can gain access to any resource available to Alice so
      long as the resources are accessed using the same password.

      Perhaps this is a petty problem, but it would be so easy to fix.

      David Harrison
      Computer Science Dept.
      Rensselaer Polytechnic Institute
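
The five steps in the message above, modeled as an added example (not part of the original message or of the SimpleMD5 draft), with the response computed both ways so the server's decision can be compared. The space-joined field encoding, the `Server` class, the resource paths and the password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = "constructed-password"  # constructed sample value


def response(nonce: str, password: str, resource: str, bind: bool) -> str:
    """MD5 of "<nonce> <password>", or with "<resource>" appended when bind is set."""
    fields = [nonce, password] + ([resource] if bind else [])
    return hashlib.md5(" ".join(fields).encode()).hexdigest()


class Server:
    """Issues a single-use nonce per request and remembers which resource it was for."""

    def __init__(self, password: str, bind: bool):
        self.password, self.bind = password, bind
        self.pending = {}  # nonce -> resource the nonce was issued for

    def challenge(self, resource: str) -> str:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = resource
        return nonce

    def verify(self, nonce: str, resource: str, resp: str) -> bool:
        # The nonce must be unused and must have been issued for this resource.
        if self.pending.pop(nonce, None) != resource:
            return False
        expected = response(nonce, self.password, resource, self.bind)
        return hmac.compare_digest(expected, resp)


def honest_request_accepted(bind: bool) -> bool:
    """Alice asks for /R1, gets her own nonce, and answers it unmodified."""
    server = Server(PASSWORD, bind)
    nonce = server.challenge("/R1")
    return server.verify(nonce, "/R1", response(nonce, PASSWORD, "/R1", bind))


def transplanted_response_accepted(bind: bool) -> bool:
    """Steps 1-5 of the message; True means the server would return R2."""
    server = Server(PASSWORD, bind)
    server.challenge("/R1")        # step 2: N1, never delivered to Alice
    n2 = server.challenge("/R2")   # step 2: N2, issued for the second request
    # Step 3: Alice receives N2 in place of N1 and answers for /R1.
    alice = response(n2, PASSWORD, "/R1", bind)
    # Step 4: her response arrives attached to the request for /R2.
    return server.verify(n2, "/R2", alice)
```

Server-side nonce bookkeeping does not help here, because N2 really was issued for R2; only the resource inside the hashed fields makes the check fail.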
    • Eric W. Sink
      Message 2 of 2 , Mar 1, 1995
        The Internet-Draft for SimpleMD5 needs another revision to incorporate
        changes resulting from feedback. The change you mentioned has already been
        addressed, we just haven't had time to put out the new draft.

        BTW, it never was a *real* Internet-Draft, since I never submitted it to
        the IETF yet. We will.


        --
        Eric W. Sink, Senior Software Engineer -- eric@...

        http://www.spyglass.com/~eric/home.htm