security-use message

Subject: RE: ISSUE[UC-5-01:AuthCProtocol]


This is not challenge response authentication, for the simple reason that
neither the AP nor the RP is being authenticated. If you don't like challenge
response I suggest you think of another name, but the exchange you are
talking about does not involve authentication. The AP and RP are exchanging
what they know about the User. The fact this is done in a way that prevents
replay and other attacks does not make it authentication.

Challenge response authentication is commonly used to refer to an
authentication method wherein the party being authenticated is required to
respond to a challenge by performing some cryptographic operation on a
piece of information whose value cannot be anticipated. Examples of this
include CHAP, MS challenge response and SSL. A major alternative is to use a
time-based protocol, of which Kerberos is an example.

Hal

> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: Friday, February 09, 2001 12:12 PM
> To: Hal Lockhart; security-use@lists.oasis-open.org
> Subject: Re: ISSUE[UC-5-01:AuthCProtocol]
> 
> 
> Hal,
> 
> > 2) Anders seems to want to persist in using "challenge response" for what I
> > refer to as "credentials negotiation". I believe most people have in mind
> > something like the Microsoft challenge response protocol. Since the term
> > challenge response is firmly embedded in the literature to refer to the
> > latter, I suggest to Anders that he adopt credentials negotiation or some
> > other descriptive term.
> 
> It may be a little bit more complicated than it looks.  There is indeed
> something that could be referred to as "credentials negotiation" (I don't
> particularly like this term though). But using SSO Push model #2 and [maybe]
> Shibboleth, the RP sends something containing nonces or time-stamps to the AP
> which signs this data (and a lot of other stuff) and sends it back to the RP
> for use after verification.  The nonces/time-stamps are the "Challenge", the
> signed ticket/credential the "Response".
> 
> As I understand it, C-R Auth is intended to suppress stale credential data,
> which is what this actually does.  If you have another definition, I'm
> interested to hear more about it.
> 
> Anders
> 


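The two exchanges contrasted in this thread, side by side, as an added example that is not part of the original messages. The first is a CHAP-style challenge response login, where the party being authenticated (the user) answers an unpredictable nonce with a keyed computation over a secret it holds. The second is the SSO push exchange Anders describes: the RP supplies a nonce and timestamp, the AP signs an assertion about the user that echoes them, and the RP checks signature, nonce and freshness. Both reject a replayed response. HMAC over a shared key stands in for the AP's digital signature, and the user names, secrets and attributes are constructed sample data (all assumptions for the example).

```python
"""Added example: CHAP-style challenge response beside the RP/AP push exchange.
HMAC with a shared key stands in for the AP's signature (assumption)."""
import hashlib
import hmac
import json
import os
import time


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed hash used as the CHAP response and as the stand-in signature."""
    return hmac.new(key, message, hashlib.sha256).digest()


class ChapVerifier:
    """Challenge response authentication: the user holds the secret and must
    answer an unpredictable challenge; a replayed or wrong answer is rejected."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # user -> shared secret (constructed)
        self.outstanding = set()        # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                 # unknown, stale, or already used
        self.outstanding.discard(nonce)  # one answer per challenge
        secret = self.secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(mac(secret, nonce), response)


def chap_respond(secret: bytes, nonce: bytes) -> bytes:
    """The authenticating party's side: prove the secret without revealing it."""
    return mac(secret, nonce)


class AssertingParty:
    """AP: already knows the user; signs what it knows about the user, binding
    the assertion to the RP's nonce and an issue timestamp."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key

    def issue(self, request: dict, user: str, attributes: dict) -> dict:
        body = {
            "subject": user,
            "attributes": attributes,
            "in_response_to": request["nonce"],   # the RP's "challenge"
            "issue_instant": time.time(),
        }
        payload = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "signature": mac(self.signing_key, payload).hex()}


class RelyingParty:
    """RP: issues the nonce, then accepts an assertion only if the signature
    verifies, the nonce is one it issued and not yet consumed, and the
    assertion is fresh. Nothing here authenticates the user to the RP; the RP
    is trusting the AP's signed statement about the user."""

    def __init__(self, ap_key: bytes, max_age: float = 300.0):
        self.ap_key = ap_key
        self.max_age = max_age
        self.pending = {}               # nonce -> time the request was issued

    def request(self) -> dict:
        nonce = os.urandom(16).hex()
        self.pending[nonce] = time.time()
        return {"nonce": nonce}

    def accept(self, assertion: dict, now: float = None) -> bool:
        now = time.time() if now is None else now
        body = assertion["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        expected = mac(self.ap_key, payload).hex()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False                 # tampered, or not signed by the AP
        nonce = body["in_response_to"]
        if nonce not in self.pending:
            return False                 # unsolicited, or a replay
        self.pending.pop(nonce)          # consume the nonce either way
        if now - body["issue_instant"] > self.max_age:
            return False                 # stale credential data
        return True
```

In the CHAP exchange the secret belongs to the party being authenticated, which is the sense of "challenge response" Hal describes; in the push exchange the only key in play is the AP's, so the nonce establishes freshness of the AP's statement about the user rather than authenticating the user.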