Re: Secure basic authentication. Is it possible?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 24 May 2004 15:17:14 +0200 (CEST)

On Mon, 24 May 2004, "Slivarez!" wrote:

> Thanks for the advice, but I need to make something clear to me. The main
> problem with ncsa_auth is SNIFFERS, i.e. a sniffer can simply get the password
> from a TCP packet. Does the digest helper allow encrypting the password before
> transmitting it to a proxy (or how does it work)?

Digest never transmits the password over the wire. Digest uses secure
one-time hashes on the wire, meaning that even if an attacker sniffs the
wire traffic he cannot use what is found, or at worst, if the security
level is set low, reuse the information only to log in to the proxy for a
short time after it was seen on the wire.

It is still possible to use a dictionary attack on the secure hash to try
to guess offline what the password is, but this requires a significant
amount of CPU time in MD5 hash operations.

Regards
Henrik
Received on Mon May 24 2004 - 07:17:16 MDT
