But it is still much stronger than, for example, CRAM-MD5, which has been proposed for use with LDAP [10], POP and IMAP (see RFC 2195 [9]). It is intended to replace the much weaker and even more dangerous Basic mechanism.
Digest authentication offers no confidentiality protection beyond protecting the actual password. All of the rest of the request and response are available to an eavesdropper.
Digest authentication offers only limited integrity protection for the messages in either direction. If the qop=auth-int mechanism is used, those parts of the message used in the computation of the WWW-Authenticate and Authorization header field response directive values (see section 3.2 above) are protected. Most header fields and their values could still be modified as part of a man-in-the-middle attack.
Many needs for secure HTTP transactions cannot be met by Digest authentication. For those needs TLS or SHTTP are more appropriate protocols. In particular, Digest authentication cannot be used for any transaction requiring confidentiality protection. Nevertheless many functions remain for which Digest authentication is both useful and appropriate, so it can continue to be used. Any service in present use that relies on Basic authentication should be switched to Digest authentication as soon as practical.
4.3 Limited Use Nonce Values
Digest authentication uses the server-specified nonce to seed the generation of the request-digest value (see section 3.2.2.1). As shown in section 3.2.1, the server is free to construct the nonce in such a way as to limit its use to a specific client, a specific resource, a limited period of time or number of uses, or any other restriction. Doing so strengthens the protection provided against, for example, replay attacks (see 4.5). However, it should be noted that the method chosen for generating and checking the nonce also has performance and resource implications. For example, a server may allow each nonce value to be used only once by keeping a record of which recently issued nonces have been returned and sending a next-nonce directive in every response. This protects against even an immediate replay attack, but the cost of checking nonce values is high, and, perhaps more important, it causes authentication failures for pipelined requests (presumably with a stale nonce indication). Similarly, incorporating a request-specific element such as the ETag value of a resource limits the use of the nonce to that version of the resource and likewise defeats pipelining. Thus, although such restrictions can be very effective, their performance cost may be unacceptable for some applications.
Franks, et al. Standards TRACK [Page 21]
4.4 Comparison of Digest with Basic Authentication
Both Digest and Basic authentication are very much on the weak end of the security strength spectrum. But a comparison between the two shows the utility, even the necessity, of replacing Basic by Digest.
The greatest threat to the type of transactions for which these protocols are used is network snooping. Such transactions might involve, for example, online access to a database. With Basic authentication an eavesdropper obtains the user's password. This not only permits him to do anything in the database but, often worse, will permit access to anything else the user protects with the same password.
By contrast, with Digest authentication the eavesdropper only gains access to the transaction in question and not to the user's password. The information gained by the eavesdropper would permit a replay attack, but only with a request for the same document, and even that may be defeated by the server's choice of nonce.
4.5 Replay Attacks
For simple GET requests, a replay attack against Digest authentication is of little value, because the eavesdropper has already seen the only document he could obtain by replaying: the URI of the requested document is digested into the client request, and the server will only deliver that document. Basic authentication is different, since there the eavesdropper obtains the user's password and with it any document protected by that password. Thus, for some purposes, it is necessary to protect against replay attacks. A good Digest implementation can do this in various ways. The server's construction of the nonce is implementation dependent, but if it includes the client's IP address, a time-stamp, the resource ETag and a private server key (as recommended above), a replay attack becomes much harder. The attacker would have to convince the server that the request came from a false IP address, so that the server sends the document to the attacker's address rather than to the original one, and the attack could succeed only before the time-stamp expires. Digesting the client IP and the time-stamp into the nonce also allows the server to remain stateless with respect to the transaction.
For applications that cannot tolerate any possibility of replay, the server can use one-time nonce values with a lifetime of less than one second, which will not be honored a second time. This adds overhead on the server, which must remember which nonce values have been used until the time-stamp digested into the nonce expires, but it protects effectively against replay attacks.
An implementation must give special attention to the possibility of replay attacks with POST and PUT requests. Unless the server uses one-time or otherwise limited-use nonces and/or insists on integrity protection with qop=auth-int, an attacker can still replay valid credentials from a successful request together with counterfeit form data or another message body. Even with integrity protection, most metadata in the header fields remains unprotected. In practice, correct nonce generation and checking provides some protection against replay of previously used valid credentials, but see 4.8.
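The nonce construction and checks described in sections 4.3 and 4.5 above, as an added example written for this edition rather than code from the RFC: the nonce binds a time-stamp, the client's IP address and the resource ETag under a server-private key, so the server can recognise its own nonces without storing them, and the checker can optionally enforce single use. The key, the lifetime, the result names and the use of HMAC-SHA256 in place of the RFC's unkeyed H() are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Assumed server-private key for this example; a real server would load a long
# random secret from configuration and never hard-code it.
PRIVATE_KEY = b"example-private-key-change-me"


def _mac(ts, client_ip, etag, key):
    """Keyed hash over the fields the nonce is bound to (HMAC-SHA256 is this
    example's choice; the RFC text appends the private key to an unkeyed H())."""
    msg = f"{ts}:{client_ip}:{etag}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_nonce(client_ip, etag, now, key=PRIVATE_KEY):
    """Issue base64(time-stamp ":" MAC), the shape suggested in section 3.2.1.
    Nothing has to be stored: the MAC lets the server recognise its own nonces
    later, and the time-stamp bounds their lifetime."""
    ts = str(int(now))
    return base64.b64encode(f"{ts}:{_mac(ts, client_ip, etag, key)}".encode()).decode()


class NonceChecker:
    """Validates nonces on the server; with one_time=True every nonce may be
    used once only (the costly but replay-proof option of section 4.3)."""

    def __init__(self, lifetime=300, one_time=False, key=PRIVATE_KEY):
        self.lifetime = lifetime
        self.one_time = one_time
        self.key = key
        self.seen = {}  # nonce -> time after which it can be forgotten

    def check(self, nonce, client_ip, etag, now):
        """Return 'ok', or the reason for rejection: 'malformed', 'forged'
        (wrong key, other client IP, or other resource version), 'stale'
        (lifetime exceeded; the server would answer stale=true) or 'replayed'."""
        try:
            ts, mac = base64.b64decode(nonce).decode().split(":", 1)
            issued = int(ts)
        except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
            return "malformed"
        expected = _mac(ts, client_ip, etag, self.key)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "forged"
        if now - issued > self.lifetime:
            return "stale"
        if self.one_time:
            self._forget_expired(now)
            if nonce in self.seen:
                return "replayed"
            self.seen[nonce] = issued + self.lifetime
        return "ok"

    def _forget_expired(self, now):
        # Bounded memory: only unexpired nonces need remembering, because an
        # expired one is already rejected as stale before the replay check.
        self.seen = {n: t for n, t in self.seen.items() if t > now}
```

With one_time left at its default the checker is stateless and a nonce may be reused within its lifetime by the same client for the same resource version; switching it on buys replay protection at the price of remembering every unexpired nonce, and, as the text notes, breaks pipelined requests.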
4.6 Weakness Created by Multiple Authentication Schemes
An HTTP/1.1 server may return multiple challenges in a 401 (Unauthorized) response, and each challenge may use a different auth-scheme. A user agent must choose the strongest auth-scheme it understands and request credentials from the user based on that challenge.
Note that many browsers will only recognize Basic authentication and will require that it be the first auth-scheme presented. Servers should only include Basic if it is minimally acceptable.
When the server offers a choice of authentication schemes using the WWW-Authenticate header, the strength of the resulting authentication is only as good as that of the weakest scheme offered. See section 4.8 for a discussion of particular attack scenarios that exploit multiple authentication schemes.
4.7 Online Dictionary Attacks
If the attacker can eavesdrop, he can test any overheard nonce/response pair against a list of common words. Such a list is usually much smaller than the total number of possible passwords. The cost of computing the response for each password on the list is paid once for each challenge.
The server can mitigate this attack by not allowing users to select passwords that are in a dictionary.
4.8 Man in the Middle
Both Basic and Digest authentication are vulnerable to "man in the middle" (MITM) attacks, for example from a hostile or compromised proxy. Clearly, this presents all the problems of eavesdropping. But it also offers the attacker some additional opportunities.
A possible man-in-the-middle attack is to add a weak scheme to the set of authentication choices, hoping that the client will use one that exposes the user's credentials (such as the password). For this reason, the client should always use the strongest scheme it understands from the choices offered.
A more advanced man-in-the-middle attack removes the offered authentication choices altogether, replacing them with a challenge that requests only Basic authentication, so that the exchange between the user and the origin server is carried out with cleartext credentials. A particularly insidious way to mount such an attack is to offer a "free" proxy caching service to unsuspecting users.
User agents should consider measures such as presenting a visual indication, at the time of the credentials request, of which authentication scheme is to be used, and remembering the strongest authentication scheme ever requested by a server and warning the user before using a weaker one. It is also a good idea for the user agent to be configurable to demand Digest authentication in general, or for specific sites. In addition, a hostile proxy can also spoof the client into making a request the attacker wants rather than the one the client intended, although this is considerably harder than the corresponding attack against Basic authentication.
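A client-side treatment of multiple challenges as described in sections 4.6 and 4.8 above, as an added example written for this edition, not code from the RFC: it splits a WWW-Authenticate value into its challenges, always selects the strongest scheme it understands, remembers per host the strongest scheme ever demanded so that a later weaker challenge is flagged as a possible downgrade, and can be configured to insist on Digest. The scheme ranking, the helper names, the constructed header values and the warning texts are this example's assumptions.

```python
import re

# Strength ranking assumed by this example: higher is stronger.
SCHEME_STRENGTH = {"basic": 1, "digest": 2}

# A challenge begins with a scheme token followed by whitespace and a parameter;
# "realm=x" or "realm = x" (an '=' right after the token) is a parameter instead.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)(?:\s+([^=\s].*))?$")


def _split_commas(value):
    """Split on commas outside double-quoted strings, so that a quoted value
    such as realm="a, b" is not cut in two."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _param(text):
    key, _, val = text.partition("=")
    return key.strip().lower(), val.strip().strip('"')


def parse_challenges(header_value):
    """Return [(scheme, {param: value}), ...] in the order the server offered them."""
    challenges = []
    for part in _split_commas(header_value):
        m = _SCHEME_RE.match(part)
        if m:
            challenges.append((m.group(1).lower(), {}))
            if m.group(2):
                k, v = _param(m.group(2))
                challenges[-1][1][k] = v
        elif challenges:
            k, v = _param(part)
            challenges[-1][1][k] = v
    return challenges


def choose_challenge(challenges, host, memory, require_digest=False):
    """Pick the strongest understood challenge. 'memory' maps host -> strongest
    strength seen so far (the user agent's record from section 4.8); returns
    (challenge or None, warning or None)."""
    understood = [c for c in challenges if c[0] in SCHEME_STRENGTH]
    if not understood:
        return None, "no understood authentication scheme offered"
    best = max(understood, key=lambda c: SCHEME_STRENGTH[c[0]])
    strength = SCHEME_STRENGTH[best[0]]
    if require_digest and best[0] != "digest":
        return None, "policy requires Digest; not sending credentials in the clear"
    warning = None
    if memory.get(host, 0) > strength:
        warning = f"{host} previously demanded a stronger scheme: possible downgrade"
    memory[host] = max(memory.get(host, 0), strength)
    return best, warning
```

The memory is keyed by host only; a real user agent would also persist it across sessions, since the downgrade the text describes is most effective against a client that has forgotten what the origin server usually asks for.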
4.9 Chosen Plaintext Attacks
With Digest authentication, a man in the middle or a malicious server can arbitrarily choose the nonce that the client will use to compute the response. This is called a "chosen plaintext" attack. The ability to choose the nonce is known to make cryptanalysis easier [8].
In practice, however, no way of attacking the one-way function used by Digest authentication by means of chosen plaintext is currently known.
The client's countermeasure against this attack is to be configured to require the optional "cnonce" directive; this lets the client vary the input to the hash in a way that is not chosen by the attacker.
4.10 Precomputed Dictionary Attacks
With Digest authentication, if the attacker can execute a chosen plaintext attack, he can precompute, for a nonce of his choosing, the responses for many common words and store a dictionary of (response, password) pairs. This precomputation can be run in parallel on many machines. Using the chosen plaintext attack to obtain a response to that challenge, the attacker then simply looks the password up in the dictionary. Although most passwords will not be in the dictionary, some will be. Because the attacker chooses the challenge, the cost of computing the response for each password is amortized over the many passwords eventually recovered. A dictionary containing 1 million password/response pairs would occupy about 3.2 GB of disk space.
The client's countermeasure against this attack is again to require the "cnonce" directive.
4.11 Batch Brute Force Attacks
With Digest authentication, a man in the middle can execute a chosen plaintext attack and collect responses to the same nonce from many users. He can then, in a single pass over a subset of the password space, find every password in that subset which produces one of the collected nonce/response pairs; this also divides the time needed to find the first matching nonce/response pair by the number of pairs collected. Such a search can be run in parallel on many machines, and even a single machine can search the password space very quickly: it has been reported that all passwords of six or fewer characters can be searched in a few hours. The client's countermeasure is again to require the "cnonce" directive.
4.12 Spoofing by Counterfeit Servers
Basic authentication is vulnerable to spoofing by counterfeit servers. If a user can be led to believe that he is connecting to a host protected by Basic authentication when in fact he is connecting to a hostile server, the attacker can request the password, store it for later use, and feign an error. With Digest authentication this attack is much harder to mount, provided that the client requires the use of Digest authentication or applies the techniques mentioned above against man-in-the-middle attacks. In addition, the user agent should warn the user when it detects such an attack.
4.13 Storing Passwords
Digest authentication requires that the authenticating agent (usually the server) store data derived from the user's name and password in a password file associated with a given realm. Normally this contains pairs consisting of the username and H(A1), where H(A1) is the digested value of the username, realm and password as described above.
The security implication is that if this password file is compromised, the attacker gains immediate access to the documents on the server protected by this realm. Unlike a standard UNIX password file, this information need not be decrypted in order to access documents in the server's realm. On the other hand, decryption, or more likely a brute force attack, would be necessary to obtain the user's password. This is the reason the realm is part of the digested data stored in the password file: even if one Digest authentication password file is compromised and usernames and passwords are recovered from it by brute force, it does not automatically compromise other password files that use the same username and password.
There are two important conclusions:
First, the password file must be protected as if it contained cleartext passwords, because for the purpose of accessing documents in its realm it effectively does; in practice this is easy to do.
Second, the realm string should be unique among all realms any single user is likely to use. In particular, the realm string should include the name of the host doing the authentication. The inability of the client to authenticate the server is a weakness of Digest authentication.
4.14 Summary
By modern cryptographic standards Digest authentication is weak. But for a large range of purposes it is still valuable as a replacement for Basic authentication: it remedies some, but not all, of the weaknesses of Basic authentication. Its strength depends on the implementation. In particular, the structure of the nonce, which is up to the server, affects how easily a replay attack can be mounted. A range of server options is therefore appropriate: some implementations may accept the server overhead of one-time nonces or digests to eliminate the possibility of replay; others may be satisfied with limiting the information in the nonce, for example to a single IP address, a single ETag, or a limited lifetime, as their security requirements demand.
The bottom line is that *any* compliant implementation will be relatively weak by cryptographic standards, but *any* compliant implementation will be far superior to Basic authentication.
5 Sample Implementation
The following code implements the calculations of H(A1), H(A2), request-digest and response-digest, and a test program which computes the values used in the example of section 3.5. It uses the MD5 implementation from RFC 1321.
File "digcalc.h":

#define HASHLEN 16
typedef char HASH[HASHLEN];
#define HASHHEXLEN 32
typedef char HASHHEX[HASHHEXLEN+1];
#define IN
#define OUT

/* calculate H(A1) as per HTTP Digest spec */
void DigestCalcHA1(
    IN char * pszAlg,        /* algorithm: "MD5" or "MD5-sess" */
    IN char * pszUserName,   /* user name */
    IN char * pszRealm,      /* realm */
    IN char * pszPassword,   /* password */
    IN char * pszNonce,      /* nonce from server */
    IN char * pszCNonce,     /* client nonce */
    OUT HASHHEX SessionKey   /* H(A1) as 32 hex digits */
    );

/* calculate request-digest/response-digest as per HTTP Digest spec */
void DigestCalcResponse(
    IN HASHHEX HA1,           /* H(A1) */
    IN char * pszNonce,       /* nonce from server */
    IN char * pszNonceCount,  /* 8 hex digits */
    IN char * pszCNonce,      /* client nonce */
    IN char * pszQop,         /* qop-value: "", "auth", "auth-int" */
    IN char * pszMethod,      /* method from the request */
    IN char * pszDigestUri,   /* requested URL */
    IN HASHHEX HEntity,       /* H(entity body) if qop="auth-int" */
    OUT HASHHEX Response      /* request-digest or response-digest */
    );
File "digcalc.c":

#include <string.h>
#include <strings.h>       /* strcasecmp(); the original used the non-standard stricmp() */
#include "global.h"        /* RFC 1321 MD5 reference implementation */
#include "md5.h"
#include "digcalc.h"

/* convert a binary hash into its lowercase hexadecimal representation */
void CvtHex(
    IN HASH Bin,
    OUT HASHHEX Hex
    )
{
    unsigned short i;
    unsigned char j;

    for (i = 0; i < HASHLEN; i++) {
        j = (Bin[i] >> 4) & 0xf;
        if (j <= 9)
            Hex[i*2] = (j + '0');
        else
            Hex[i*2] = (j + 'a' - 10);
        j = Bin[i] & 0xf;
        if (j <= 9)
            Hex[i*2+1] = (j + '0');
        else
            Hex[i*2+1] = (j + 'a' - 10);
    };
    Hex[HASHHEXLEN] = '\0';
};

/* calculate H(A1) as per spec */
void DigestCalcHA1(
    IN char * pszAlg,
    IN char * pszUserName,
    IN char * pszRealm,
    IN char * pszPassword,
    IN char * pszNonce,
    IN char * pszCNonce,
    OUT HASHHEX SessionKey
    )
{
    MD5_CTX Md5Ctx;
    HASH HA1;
    HASHHEX HA1Hex;

    /* H(username ":" realm ":" password) */
    MD5Init(&Md5Ctx);
    MD5Update(&Md5Ctx, pszUserName, strlen(pszUserName));
    MD5Update(&Md5Ctx, ":", 1);
    MD5Update(&Md5Ctx, pszRealm, strlen(pszRealm));
    MD5Update(&Md5Ctx, ":", 1);
    MD5Update(&Md5Ctx, pszPassword, strlen(pszPassword));
    MD5Final(HA1, &Md5Ctx);
    if (strcasecmp(pszAlg, "md5-sess") == 0) {
        /* MD5-sess: A1 = H(username:realm:password) ":" nonce ":" cnonce, where
           H() yields 32 hex digits, so the hex form of the inner hash is digested */
        CvtHex(HA1, HA1Hex);
        MD5Init(&Md5Ctx);
        MD5Update(&Md5Ctx, HA1Hex, HASHHEXLEN);
        MD5Update(&Md5Ctx, ":", 1);
        MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
        MD5Update(&Md5Ctx, ":", 1);
        MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
        MD5Final(HA1, &Md5Ctx);
    };
    CvtHex(HA1, SessionKey);
};

/* calculate request-digest/response-digest as per HTTP Digest spec */
void DigestCalcResponse(
    IN HASHHEX HA1,           /* H(A1) */
    IN char * pszNonce,       /* nonce from server */
    IN char * pszNonceCount,  /* 8 hex digits */
    IN char * pszCNonce,      /* client nonce */
    IN char * pszQop,         /* qop-value: "", "auth", "auth-int" */
    IN char * pszMethod,      /* method from the request */
    IN char * pszDigestUri,   /* requested URL */
    IN HASHHEX HEntity,       /* H(entity body) if qop="auth-int" */
    OUT HASHHEX Response      /* request-digest or response-digest */
    )
{
    MD5_CTX Md5Ctx;
    HASH HA2;
    HASH RespHash;
    HASHHEX HA2Hex;

    /* calculate H(A2) */
    MD5Init(&Md5Ctx);
    MD5Update(&Md5Ctx, pszMethod, strlen(pszMethod));
    MD5Update(&Md5Ctx, ":", 1);
    MD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri));
    if (strcasecmp(pszQop, "auth-int") == 0) {
        MD5Update(&Md5Ctx, ":", 1);
        MD5Update(&Md5Ctx, HEntity, HASHHEXLEN);
    };
    MD5Final(HA2, &Md5Ctx);
    CvtHex(HA2, HA2Hex);

    /* calculate response: KD(H(A1), nonce[:nc:cnonce:qop]:H(A2)) */
    MD5Init(&Md5Ctx);
    MD5Update(&Md5Ctx, HA1, HASHHEXLEN);
    MD5Update(&Md5Ctx, ":", 1);
    MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
    MD5Update(&Md5Ctx, ":", 1);
    if (*pszQop) {
        MD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount));
        MD5Update(&Md5Ctx, ":", 1);
        MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
        MD5Update(&Md5Ctx, ":", 1);
        MD5Update(&Md5Ctx, pszQop, strlen(pszQop));
        MD5Update(&Md5Ctx, ":", 1);
    };
    MD5Update(&Md5Ctx, HA2Hex, HASHHEXLEN);
    MD5Final(RespHash, &Md5Ctx);
    CvtHex(RespHash, Response);
};

File "digtest.c":

#include <stdio.h>
#include "digcalc.h"

int main(void)
{
    /* the values of the example in section 3.5 */
    char * pszNonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
    char * pszCNonce = "0a4f113b";
    char * pszUser = "Mufasa";
    char * pszRealm = "testrealm@host.com";
    char * pszPass = "Circle Of Life";
    char * pszAlg = "md5";
    char szNonceCount[9] = "00000001";
    char * pszMethod = "GET";
    char * pszQop = "auth";
    char * pszURI = "/dir/index.html";
    HASHHEX HA1;
    HASHHEX HA2 = "";
    HASHHEX Response;

    DigestCalcHA1(pszAlg, pszUser, pszRealm, pszPass, pszNonce, pszCNonce, HA1);
    DigestCalcResponse(HA1, pszNonce, szNonceCount, pszCNonce, pszQop,
                       pszMethod, pszURI, HA2, Response);
    printf("Response = %s\n", Response);
    return 0;
}
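The digest computation of section 5, ported to Python as an added example for this edition (not the RFC's own code), extended with the server side that section 4.13 describes: the password file holds only H(A1) per realm, never the cleartext password, and verification works from that value alone. The input values are those of the section 3.5 example; the constructed password file with its second realm, the helper names and the tampered request are this example's assumptions.

```python
import hashlib
import hmac


def H(data):
    """MD5 as a 32-character lowercase hex string: the H() of the spec."""
    return hashlib.md5(data.encode()).hexdigest()


def KD(secret, data):
    return H(f"{secret}:{data}")


def calc_ha1(algorithm, username, realm, password, nonce="", cnonce=""):
    """H(A1) as in DigestCalcHA1. For MD5-sess the outer hash is taken over
    the hex form of the inner hash, as section 3.2.2.2 defines it."""
    ha1 = H(f"{username}:{realm}:{password}")
    if algorithm.lower() == "md5-sess":
        ha1 = H(f"{ha1}:{nonce}:{cnonce}")
    return ha1


def calc_response(ha1, nonce, nc, cnonce, qop, method, uri, hentity=""):
    """request-digest as in DigestCalcResponse. With a qop the hash input is
    nonce:nc:cnonce:qop:H(A2); with an empty qop the RFC 2069 form nonce:H(A2)."""
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        a2 += f":{hentity}"        # hentity is H(entity-body) in hex
    ha2 = H(a2)
    if qop:
        return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return KD(ha1, f"{nonce}:{ha2}")


# --- server side (section 4.13) ----------------------------------------------

def make_password_file(entries):
    """Constructed password file: (realm, username) -> H(A1). The cleartext
    password is never stored, and the realm is part of the digested data."""
    return {(realm, user): H(f"{user}:{realm}:{pw}") for realm, user, pw in entries}


def verify(pwfile, realm, username, nonce, nc, cnonce, qop, method, uri,
           response, algorithm="MD5", hentity=""):
    """Check a client's response using only the stored H(A1)."""
    stored = pwfile.get((realm, username))
    if stored is None:
        return False
    ha1 = stored
    if algorithm.lower() == "md5-sess":
        ha1 = H(f"{stored}:{nonce}:{cnonce}")
    expected = calc_response(ha1, nonce, nc, cnonce, qop, method, uri, hentity)
    return hmac.compare_digest(expected.encode(), response.lower().encode())


# Values of the section 3.5 example (the same ones digtest.c uses).
EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
               password="Circle Of Life",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
               cnonce="0a4f113b", qop="auth", method="GET", uri="/dir/index.html")


def example_response(cnonce=None, uri=None):
    """request-digest for the section 3.5 example; cnonce and uri may be varied
    to see how the response changes (the cnonce effect of sections 4.9-4.11)."""
    e = dict(EXAMPLE)
    if cnonce is not None:
        e["cnonce"] = cnonce
    if uri is not None:
        e["uri"] = uri
    ha1 = calc_ha1("MD5", e["username"], e["realm"], e["password"])
    return calc_response(ha1, e["nonce"], e["nc"], e["cnonce"], e["qop"],
                         e["method"], e["uri"])


if __name__ == "__main__":
    print("Response =", example_response())
```

Because verify() needs nothing but H(A1), a copy of the password file grants access to that realm directly, which is the first conclusion of section 4.13; the same username and password registered under a different realm produce a different H(A1), which is the second.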