Re: Some comments on Digest Auth
Ross Patterson (Ross_Patterson@ns.reston.vmd.sterling.com)
Wed, 21 Jan 98 18:05:14 EST

Paul Leach <paulle@microsoft.com> writes:
>> More important for the current discussion... the standard should not
>> specify how nonces are constructed. There are very good reasons for
>> this:
>>
>> - Any specified algorithm (no matter how clever) tells an attacker
>> how the nonce space is limited, thereby weakening the security.
>>
>If it's "limited" to a space of, say, 128 bits, that's adequate to cause
>brute force attacks to take millions of years. Not a problem. Besides
>which, I carefully said that the nonce _contains_ a time stamp, not that it
>_is_ a timestamp; any server can always include any additional random bits
>that it wants to make the space as big as it would like.

RFC 2069, while suggesting that a good nonce value might involve a timestamp,
does not specify what form a timestamp should take. I dare say that some of
us will use the System/370 64-bit clock, while others of you will use an
<asctime-date> or even a Triple-DES-encrypted <rfc850-date> with a reading
from the Gita as the key. All are perfectly valid, and unpredictable from the
spec. While a particular variety of server may have a limited set of nonces,
the HTTP world will not. At least, not unless you count Apache's market share
;-)

Ross Patterson
Sterling Software, Inc.
VM Software Division
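
The thread above turns on a nonce that contains a timestamp plus extra random bits and whose layout only the issuing server needs to know. The following is an added example, not part of the original message or of RFC 2069: one such server-private layout, with a staleness check on the embedded timestamp. The names `make_nonce`, `check_nonce`, `SERVER_KEY`, the 300-second lifetime and the use of HMAC-SHA256 as the integrity tag are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

SERVER_KEY = os.urandom(32)  # assumption: per-server secret, never sent to clients
NONCE_LIFETIME = 300         # assumption: seconds before a nonce is treated as stale

def make_nonce(now=None, key=SERVER_KEY):
    """Build base64(timestamp || 128 random bits || HMAC tag); opaque to the client."""
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    body = ts + os.urandom(16)  # the "additional random bits" from the thread
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode("ascii")

def check_nonce(nonce, now=None, key=SERVER_KEY, lifetime=NONCE_LIFETIME):
    """Classify a nonce echoed back by a client as 'ok', 'stale' or 'invalid'."""
    try:
        raw = base64.urlsafe_b64decode(nonce.encode("ascii"))
    except ValueError:  # covers bad padding and non-ASCII input
        return "invalid"
    if len(raw) != 8 + 16 + 32:
        return "invalid"
    body, tag = raw[:24], raw[24:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "invalid"  # not issued by this server, or modified in transit
    issued = struct.unpack(">Q", body[:8])[0]
    now = int(time.time() if now is None else now)
    if issued > now or now - issued > lifetime:
        return "stale"  # server would answer with a fresh challenge
    return "ok"
```

Because the tag is keyed, a client cannot shift the embedded timestamp forward to keep an old nonce alive, and the server needs no per-nonce state to detect staleness.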