Fri 2003-07-11 at 15.08 Robert Collins wrote:

> We support nonces, but not client nonces. md5-sess requires client nonce
> support.

Err.. Squid supports client nonces, it is just not capable of triggering the md5-sess HHA1 calculation, and lacks a helper interface for md5-sess HA1 exchanges.

> NT Provides Digest for IIS, but under some constraints:
> * You MUST have an AD Domain
> * You MUST turn on 'store passwords with reversible encryption' in the
> AD policies.

Rumor is that the IIS must also be a domain controller, but I have not seen this verified.

> To enlarge on my other message, this is actually less secure in a funny
> way.
>
> let's compare a hypothetical digest SSO, and a hypothetical basic/ssl SSO

Sure, basic over ssl is less secure than Digest, but probably provides a reasonable level for most uses and is a whole lot easier to integrate with existing directory services.

> squid creates a nonce, challenges the client.
> the client gets the challenge, creates its own nonce, hands both to the
> directory service over its *already existing* secured link, and receives
> back a one-time HHA1 - specific to the two nonces. the client then sends
> the calculated digest response using the HHA1.
> squid receives the response, with the new client nonce. squid then
> requests a HHA1 to match (user, realm, squid-nonce, client-nonce) from
> its connection to the directory service. squid then is able to validate
> the response.

Correct, except that the nonce creation should be done by the OS/Directory for secure MD5-sess exchanges as outlined in my previous message. If not, the system is vulnerable to cryptographic attacks on the MD5-sess exchange.

If the OS/Directory can establish full trust on the application/server then nonce creation may be left to the application/server, but I see no valid reason why to do this.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before asking Squid questions, and use the squid-users mailing-list when no answer can be found. Private support questions are only answered for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
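The md5-sess exchange sketched in the quoted message, worked through as an added example (not code from this thread or from Squid): the directory keeps only H(A1) and hands out a session-bound H(A1) derived from both nonces, so neither the client nor the proxy ever sees the password hash. User, realm, password, URI and the client-generated cnonce are constructed sample values; as the reply notes, letting the directory generate the nonces instead is the safer variant.

```python
import hashlib
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Directory side (constructed sample): stores H(A1) = MD5(user:realm:password),
# never the cleartext password and never the session value.
DIRECTORY = {("alice", "squid"): md5hex("alice:squid:s3cret")}


def directory_session_ha1(user, realm, server_nonce, client_nonce):
    """The one-time value the directory returns for md5-sess (RFC 2617 3.2.2.2):
    MD5(H(A1):nonce:cnonce). Bound to both nonces, so it is useless for replay."""
    return md5hex(f"{DIRECTORY[(user, realm)]}:{server_nonce}:{client_nonce}")


def digest_response(sess_ha1, method, uri, server_nonce, nc, client_nonce, qop="auth"):
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{sess_ha1}:{server_nonce}:{nc}:{client_nonce}:{qop}:{ha2}")


def client_respond(user, realm, method, uri, server_nonce):
    """Client: make a cnonce, fetch the session H(A1) over its own trusted link
    to the directory, and build the Authorization parameters."""
    cnonce = secrets.token_hex(8)
    sess_ha1 = directory_session_ha1(user, realm, server_nonce, cnonce)
    nc = "00000001"
    return {"username": user, "realm": realm, "nonce": server_nonce, "cnonce": cnonce,
            "nc": nc, "uri": uri,
            "response": digest_response(sess_ha1, method, uri, server_nonce, nc, cnonce)}


def proxy_validate(creds, method, issued_nonce):
    """Proxy (squid): accept only a nonce it issued, ask the directory for the
    session H(A1) matching (user, realm, nonce, cnonce), recompute and compare."""
    if creds["nonce"] != issued_nonce:
        return False
    sess_ha1 = directory_session_ha1(creds["username"], creds["realm"],
                                     creds["nonce"], creds["cnonce"])
    expected = digest_response(sess_ha1, method, creds["uri"], creds["nonce"],
                               creds["nc"], creds["cnonce"])
    return secrets.compare_digest(expected, creds["response"])


if __name__ == "__main__":
    nonce = secrets.token_hex(16)            # squid's challenge nonce
    creds = client_respond("alice", "squid", "GET", "/index.html", nonce)
    print("valid:", proxy_validate(creds, "GET", nonce))
```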