Subject: [wss] FW: WS-Security password digest feature - question
> -----Original Message-----
> From: de Freitas, John
> Sent: Tuesday, December 10, 2002 2:24 PM
> To: 'wss-comment@lists.oasis-open.org'
> Cc: Mishra, Prateek
> Subject: WS-Security password digest feature - question
>
> Section 6.1.1 of the Web Services Security Core Specification (Working
> Draft 04) details the process of using a nonce and creation timestamp to
> prevent password replay attacks. The digest is calculated as:
> SHA1 [nonce + created + password]
>
> It would seem that the above hash input requires the WS-Security
> implementation to deal with plaintext passwords. To contrast, sections
> 3.2.2.2 and 4.13 of RFC 2617 ("HTTP Authentication: Basic and Digest
> Access Authentication") require a password hash that can be pre-computed;
> the one-time artifacts (nonce, nonce count, etc) are not concatenated with
> the plaintext password. Instead, section 3.2.2.2 of RFC2617 states that
> the following hash is used as input to HTTP digest authentication:
> H[ (username) ":" (realm) ":" password]
>
> Section 4.13 of the RFC specifies that the above quantity is usually kept
> in its own file. That (hashed) quantity is then re-hashed during digest
> authentication with the one-time artifacts (nonce, nonce count, etc).
>
> However, the password digest with nonce feature of the WS-Security core
> document seems to require concatenating the one-time inputs (nonce and
> created time) to the SHA1 hash function with the plaintext password. This
> introduces a significant vulnerability and will be an issue for security
> providers who typically do not have access to the plaintext password
> (e.g., only password hashes are persistently stored), and so cannot
> compute the hash as specified in 6.1.1. A more secure construction could
> be:
> password_digest= SHA1[nonce + created + SHA1[password]]
>
> Regards,
> John G. de Freitas
> Netegrity
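The two constructions compared in the message, as an added example that is not part of the original post or of the WS-Security specification. Nonce, timestamp and password are constructed sample values, and the draft's `SHA1[nonce + created + password]` is modelled as plain byte concatenation (an assumption; the draft's exact encoding is not given here).

```python
import hashlib
import hmac

# Constructed sample values, not taken from the message. The draft's
# SHA1[nonce + created + password] is modelled as plain byte concatenation.
NONCE = b"r4nd0mN0nc3"
CREATED = b"2002-12-10T14:24:00Z"
PASSWORD = b"correct horse"


def digest_draft(nonce, created, password):
    """Draft 04 construction: both sides need the plaintext password."""
    return hashlib.sha1(nonce + created + password).hexdigest()


def stored_password_hash(password):
    """What a password store can keep under the proposed scheme: SHA1[password]."""
    return hashlib.sha1(password).digest()


def digest_proposed(nonce, created, password_hash):
    """Proposed construction: SHA1[nonce + created + SHA1[password]]."""
    return hashlib.sha1(nonce + created + password_hash).hexdigest()


def client_token(nonce, created, password):
    """Client side: hashes the plaintext it holds, then applies nonce and timestamp."""
    return digest_proposed(nonce, created, stored_password_hash(password))


def verify_token(nonce, created, presented, password_hash, seen_nonces):
    """Verifier side: recomputes from the stored hash only (no plaintext needed)
    and rejects a reused nonce so a captured token cannot be replayed."""
    if nonce in seen_nonces:
        return False
    expected = digest_proposed(nonce, created, password_hash)
    if not hmac.compare_digest(expected, presented):
        return False
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    seen = set()
    store = stored_password_hash(PASSWORD)
    token = client_token(NONCE, CREATED, PASSWORD)
    print("first use accepted:", verify_token(NONCE, CREATED, token, store, seen))
    print("replay accepted:   ", verify_token(NONCE, CREATED, token, store, seen))
```

Note that under the proposed scheme `SHA1[password]` is itself sufficient to build valid tokens, so the stored hash must be protected as a password-equivalent secret.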