
Re: Digest Authentication over TLS



Frank Siebenlist wrote:
> 
> Now that a compromise is almost reached about the authentication methods, it's
> maybe a good time to stir things up a bit ;-)
> 
> If Digest/SASL is to be the Mandatory-to-Implement non-plaintext password
> mechanism, why do we need any plaintext password mechanism at all?
> 
> Guess that most will agree that it's not a good idea to send out passwords
> at all, even if they are encrypted going through the SSL channel.
> 
> The idea is to use the same Digest Authentication scheme instead of
> plaintext passwords over TLS as the more secure, heavy-weight authentication
> scheme.

Sending clear text passwords over TLS has some advantages:

1) Servers can store a true, non-reversible one-way hash of just the
password instead of storing the password in the clear or something
nearly equivalent (as required by SASL/Digest).

2) Fewer protocol exchanges are needed.


> Furthermore, if there is that mandatory Digest/SASL implementation, with
> all its algorithms and password-file equivalent table of hashed user info,
> then the additional implementation of a table with plain-text passwords
> does seem double work and maintenance.
> Especially when you will allow users to come in through both mechanisms.
> How are these accounts and passwords synchronized?

This is definitely an issue, but we have a lot of authentication schemes
and not all of them play well together.  If a server stores the clear
text password it can support both clear over TLS and SASL/Digest without
any problem.  If it stores a one-way hash of just the password, that
same value can't be used to support SASL/Digest.  If it stores the MD5
hash of user/realm/password suggested by the SASL/Digest draft, clear
text over TLS will still work since the server can perform the
appropriate check (the hash only includes information the server
presumably knows already).

-- 
Mark Smith
Directory Architect / Netscape Communications Corp.
My words are my own, not my employer's.  Got LDAP?
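The interaction between stored credential formats and the two authentication paths that this reply describes, as an added illustration that is not code from the thread or from any LDAP server: a server holding the clear password, a server holding a salted one-way hash of the bare password, and a server holding the user/realm/password MD5 value. The digest formula is the HTTP Digest one from RFC 2617 (HA1 = MD5(user:realm:password), response = MD5(HA1:nonce:MD5(method:uri))), used here as a stand-in for the SASL/Digest draft's construction; realm, user names, passwords and the nonce are constructed sample values.

```python
"""Which stored credential form supports which mechanism.

Three server-side stores, each offering verify_plain() for a clear-text
password received over TLS and verify_digest() for a Digest
challenge/response.  verify_digest() returns None when the stored form
simply cannot answer a Digest challenge.
"""
import hashlib
import hmac
import os
from typing import Optional

REALM = "example.org"  # constructed sample realm


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """Digest 'HA1': MD5(user:realm:password), the value the draft has servers store."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(h1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop; computed identically by client and server."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{ha2}")


def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class ClearStore:
    """Server keeps the password itself: both mechanisms work."""

    def __init__(self) -> None:
        self.db: dict[str, str] = {}

    def add(self, user: str, password: str) -> None:
        self.db[user] = password

    def verify_plain(self, user: str, password: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and _eq(stored, password)

    def verify_digest(self, user, nonce, method, uri, response) -> Optional[bool]:
        stored = self.db.get(user)
        if stored is None:
            return False
        return _eq(digest_response(ha1(user, REALM, stored), nonce, method, uri), response)


class SaltedHashStore:
    """Server keeps a salted one-way hash of just the password (point 1 of the
    reply): clear-text over TLS is checkable, a Digest challenge is not."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def verify_plain(self, user: str, password: str) -> bool:
        entry = self.db.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def verify_digest(self, user, nonce, method, uri, response) -> Optional[bool]:
        return None  # HA1 cannot be derived from a salted hash of the bare password


class Ha1Store:
    """Server keeps MD5(user:realm:password): Digest works, and clear-text over
    TLS still works because the server can recompute HA1 from the received password."""

    def __init__(self) -> None:
        self.db: dict[str, str] = {}

    def add(self, user: str, password: str) -> None:
        self.db[user] = ha1(user, REALM, password)

    def verify_plain(self, user: str, password: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and _eq(stored, ha1(user, REALM, password))

    def verify_digest(self, user, nonce, method, uri, response) -> Optional[bool]:
        stored = self.db.get(user)
        if stored is None:
            return False
        return _eq(digest_response(stored, nonce, method, uri), response)
```

The point of the third store is the one the reply makes: the user/realm/password hash is reversible only in the sense that the server, given the clear password over TLS, can recompute and compare it, so it serves both paths, whereas the salted one-way hash of the bare password serves only the clear-text path.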