On 13/11/2007, Philippe M. Chiasson <[EMAIL PROTECTED]> wrote:
> The conceptual problem with this approach is that the digest(password)
> effectively becomes the user's password.
>
> If you steal digest(password), you can impersonate the user, without
> ever knowing password. So, somebody stealin
Have you read up on how CHAP (Challenge Handshake Authentication Protocol) worked for dialup authentication? IIRC it was designed to allow secure-enough authentication over a sniffable channel (modem traffic) at the cost of forcing plaintext password storage on the server side.
http://en.wikiped
> That being said -
> i. i'd like to explore Digest Access more, as a replacement for
> CRAM-MD5
A long time ago I thought that you could use the nonce in digest auth to provide this kind of thing:
http://search.cpan.org/dist/Apache-AuthDigest/Session/Session.pm
fwiw
--Geoff
On Nov 13, 2007, at 3:04 PM, Dodger wrote:
Something doesn't sound right with this assessment. Stealing the digest(password) wouldn't let you in on a different connection because you'd be using a different seed on a different connection...
Yes, you're right, as is your example.
However, the
Jonathan Vanasco wrote:
>> But there is a big security hole there if you skip the trip to the server
>> (whether or not you use mod_auth_tkt). In order for the Flash code or JS
>> code to create a ticket using a shared secret that secret needs to be
>> downloaded to the client. No
On Nov 13, 2007 1:57 PM, Jonathan Vanasco <[EMAIL PROTECTED]> wrote:
> client: Hey I want to log in!
> server: Here's a Challenge: $time. $seed . digest ($time . $seed .
> $site_secret )
> client: Here is my username and a hash that is Digest( password ,
> server_challenge )
> server: I looked up y
But there is a big security hole there if you skip the trip to the server (whether or not you use mod_auth_tkt). In order for the Flash code or JS code to create a ticket using a shared secret that secret needs to be downloaded to the client. Now you might be relying on Flash's binary format
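The exchange Jonathan sketches above, worked through as an added example (not code from the thread, from mod_auth_tkt, or from any listed project): a stateless challenge the server can recognise again without a cookie or database, the client's answer computed from digest(password), and the server-side check. The constructed site secret, the SHA-256/HMAC choice, and the 300-second validity window are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed server-only secret; stands in for the thread's $site_secret.
SITE_SECRET = b"constructed-site-secret-do-not-reuse"

def password_digest(password: bytes) -> bytes:
    """What the server stores: digest(password). In this scheme it is
    password-equivalent, which is the objection raised in the thread."""
    return hashlib.sha256(password).digest()

def make_challenge(site_secret: bytes = SITE_SECRET, now=None, seed=None) -> str:
    """Stateless ticket: time.seed.digest(time.seed.site_secret). The server keeps
    no record of it; the MAC lets it recognise its own ticket on the next request."""
    t = str(int(time.time() if now is None else now))
    s = os.urandom(8).hex() if seed is None else seed
    mac = hmac.new(site_secret, f"{t}.{s}".encode(), hashlib.sha256).hexdigest()
    return f"{t}.{s}.{mac}"

def verify_challenge(challenge: str, site_secret: bytes = SITE_SECRET,
                     now=None, max_age: int = 300) -> bool:
    """Recompute the MAC and bound the age so forged or stale tickets are rejected.
    Inside max_age a captured response still replays: the cost of keeping no state."""
    parts = challenge.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    t, s, mac = parts
    expected = hmac.new(site_secret, f"{t}.{s}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    age = (time.time() if now is None else now) - int(t)
    return 0 <= age <= max_age

def client_response(stored_digest: bytes, challenge: str) -> str:
    """Client side: Digest(password, server_challenge). Only digest(password) is
    needed, so a stolen stored digest is as good as the password itself."""
    return hmac.new(stored_digest, challenge.encode(), hashlib.sha256).hexdigest()

def server_check(username: str, response: str, challenge: str, user_db: dict, now=None) -> bool:
    """Server side: validate the ticket, look up digest(password), recompute, compare."""
    if not verify_challenge(challenge, now=now):
        return False
    stored = user_db.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(response, client_response(stored, challenge))
```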
Jonathan Vanasco wrote:
>> Sounds an awful lot like mod_auth_tkt to me, or am I missing something?
>
> It's like mod_auth_tkt in design, but not in function
>
> mod_auth_tkt does apache auth via cookies and apache - i need to support
> a non-cookie and non-apache environment
>
> this is meant t
On Nov 13, 2007, at 11:48 AM, Michael Peters wrote:
Why is this considered "ticketless"? Isn't the challenge that you mention below really a ticket? And does the client need to present this ticket on every request?
Yes, you're right - the challenge is a ticket -- and must be presented on
Jonathan Vanasco wrote:
> I needed to create an authentication system to handle logins to my
> mod_perl app via Flash and JS
>
> My first thought was to use CRAM-MD5, but there wasn't a way to do that
> without relying on cookies or a db to handle the challenge
>
> What I came up with was a Tick
I needed to create an authentication system to handle logins to my mod_perl app via Flash and JS.
My first thought was to use CRAM-MD5, but there wasn't a way to do that without relying on cookies or a db to handle the challenge.
What I came up with was a Ticketless CRAM system (that uses md