[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Compound authentication "issue"

To: "Nystrom, Magnus" <magnus@xxxxxxxxxxxxxxx>
Subject: Re: Compound authentication "issue"
From: Stephen Farrell <stephen.farrell@xxxxxxxxxxxx>
Date: Fri, 29 Nov 2002 11:21:09 +0000
Cc: Lawrence Greenfield <leg+@xxxxxxxxxxxxxx>, ietf-sacred <ietf-sacred@xxxxxxx>
List-archive: <http://www.imc.org/ietf-sacred/mail-archive/>
List-id: <ietf-sacred.imc.org>
List-unsubscribe: <mailto:ietf-sacred-request@imc.org?body=unsubscribe>
Organization: Baltimore Technologies Ltd.
References: <>
Reply-to: stephen.farrell@xxxxxxxxxxxx
Sender: owner-ietf-sacred@xxxxxxxxxxxx


Great. Since you guys clearly understand this better, can you provide me
with the said text?

Thanks,
Stephen.

"Nystrom, Magnus" wrote:
> 
> I believe you are right Lawrence. In essence, the client's response is a
> keyed hash of a string of which the digest-uri-value is a part. Since the
> MITM cannot influence that part, the "sacred" serv-type won't be present
> when a MITM is active and the true SACRED server won't therefore accept
> the response (it must not mechanically take the client-provided cleartext
> digest-uri-value and use that when calculating its version of the response
> though, but also check that the serv-type IS "sacred" and the name is its
> own).
> 
> Assuming this holds I agree, some text in the Security Considerations
> section seems to be sufficient.
> 
> Thanks,
> -- Magnus
> 
> On Wed, 27 Nov 2002, Lawrence Greenfield wrote:
> 
> >
> > Upon further consideration, isn't the man-in-the-middle attack
> > thwarted by the inclusion of "digest-uri-value" in the hash?
> >
> > The DIGEST-MD5 client hash includes a client-selected
> > "digest-uri-value" which in sacred's case will be "sacred/<host>". In
> > a MITM attack, those values will be something else.
> >
> > A MITM attack as described in the WG meeting is thwarted because
> > digest-uri-value wouldn't match what the sacred server is expecting.
> >
> > If it would make people feel better, we can mention this safeguard in
> > the security considerations section.
> >
> > Larry
> >

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@xxxxxxxxxxxx
Ireland                             http://www.baltimore.com

Follow-Ups:
- Re: Compound authentication "issue"
  - From: Dale Gustafson

References:
- Re: Compound authentication "issue"
  - From: Nystrom, Magnus

Prev by Date: Re: Compound authentication "issue"
Next by Date: Re: Compound authentication "issue"
Previous by thread: Re: Compound authentication "issue"
Next by thread: Re: Compound authentication "issue"
Index(es):
- Date
- Thread