3.4 Spoofing by Counterfeit Servers
Basic Authentication is vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that she is connecting to a
host containing information protected by a password she knows, when
in fact she is connecting to a hostile server, then the hostile
server can request a password, store it away for later use, and feign
an error. This type of attack is more difficult with Digest
Authentication -- but the client must know to demand that Digest
authentication be used, perhaps using some of the techniques
described above to counter "man-in-the-middle" attacks.
3.5 Storing passwords
Digest authentication requires that the authenticating agent (usually
the server) store some data derived from the user's name and password
in a "password file" associated with a given realm. Normally this
might contain pairs consisting of username and H(A1), where H(A1) is
the digested value of the username, realm, and password as described
above.
The security implications of this are that if this password file is
compromised, then an attacker gains immediate access to documents on
the server using this realm. Unlike, say, a standard UNIX password
file, this information need not be decrypted in order to access
documents in the server realm associated with this file. On the
other hand, decryption, or more likely a brute force attack, would be
necessary to obtain the user's password. This is the reason that the
realm is part of the digested data stored in the password file. It
means that if one digest authentication password file is compromised,
it does not automatically compromise others with the same username
and password (though it does expose them to brute force attack).
There are two important security consequences of this. First, the
password file must be protected as if it contained unencrypted
passwords, because for the purpose of accessing documents in its
realm, it effectively does.
RFC 2069 Digest Access Authentication January 1997
A second consequence of this is that the realm string should be
unique among all realms which any single user is likely to use. In
particular a realm string should include the name of the host doing
the authentication. The inability of the client to authenticate the
server is a weakness of Digest Authentication.
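Both consequences can be checked with a short added example (Python, not part of RFC 2069). It uses the H(A1) and response computations defined earlier in the RFC. The user name, password, realm strings, nonce and helper names are constructed for illustration.

```python
import hashlib
import hmac


def H(data: str) -> str:
    """H() of RFC 2069: MD5 over the string, as lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """The password-file entry: H(username:realm:password)."""
    return H(f"{username}:{realm}:{password}")


def response_from_entry(entry: str, nonce: str, method: str, uri: str) -> str:
    """response = H(H(A1):nonce:H(A2)), A2 = method:uri. No password needed."""
    h_a2 = H(f"{method}:{uri}")
    return H(f"{entry}:{nonce}:{h_a2}")


def server_verify(password_file: dict, username: str, nonce: str,
                  method: str, uri: str, response: str) -> bool:
    """Server-side check; it only ever consults the stored H(A1)."""
    entry = password_file.get(username)
    if entry is None:
        return False
    expected = response_from_entry(entry, nonce, method, uri)
    return hmac.compare_digest(expected, response)


# Constructed sample data (hypothetical user, realms and nonce).
USER, PASSWORD, NONCE = "alice", "correct horse", "constructed-nonce-0001"
REALM_A, REALM_B = "docs@host-a.example", "docs@host-b.example"
FILE_A = {USER: h_a1(USER, REALM_A, PASSWORD)}
FILE_B = {USER: h_a1(USER, REALM_B, PASSWORD)}


def entry_accepted(entry: str, password_file: dict) -> bool:
    """Does a response computed from `entry` alone pass against this file?"""
    resp = response_from_entry(entry, NONCE, "GET", "/private/")
    return server_verify(password_file, USER, NONCE, "GET", "/private/", resp)


if __name__ == "__main__":
    print("entry from A accepted by realm A:", entry_accepted(FILE_A[USER], FILE_A))
    print("entry from A accepted by realm B:", entry_accepted(FILE_A[USER], FILE_B))
```

The stored entry is sufficient for its own realm and is rejected in a realm with a different name, even though the password is the same. This is why the file needs the protection of a cleartext password file and why realm strings should be unique per host.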
3.6 Summary
By modern cryptographic standards Digest Authentication is weak. But
for a large range of purposes it is valuable as a replacement for
Basic Authentication. It remedies many, but not all, weaknesses of
Basic Authentication. Its strength may vary depending on the
implementation. In particular the structure of the nonce (which is
dependent on the server implementation) may affect the ease of
mounting a replay attack. A range of server options is appropriate
since, for example, some implementations may be willing to accept the
server overhead of one-time nonces or digests to eliminate the
possibility of replay while others may be satisfied with a nonce like
the one recommended above restricted to a single IP address and with
a limited lifetime.
The bottom line is that *any* compliant implementation will be
relatively weak by cryptographic standards, but *any* compliant
implementation will be far superior to Basic Authentication.
4. Acknowledgments
In addition to the authors, valuable discussion instrumental in
creating this document has come from Peter J. Churchyard, Ned Freed,
and David M. Kristol.