Subject: [wss] FW: WS-Security password digest feature - question
> -----Original Message-----
> From: de Freitas, John
> Sent: Tuesday, December 10, 2002 2:24 PM
> To: 'wss-comment@lists.oasis-open.org'
> Cc: Mishra, Prateek
> Subject: WS-Security password digest feature - question
>
> Section 6.1.1 of the Web Services Security Core Specification (Working
> Draft 04) details the process of using a nonce and creation timestamp to
> prevent password replay attacks. The digest is calculated as:
> SHA1 [nonce + created + password]
>
> It would seem that the above hash input requires the WS-Security
> implementation to deal with plaintext passwords. To contrast, sections
> 3.2.2.2 and 4.13 of RFC 2617 ("HTTP Authentication: Basic and Digest
> Access Authentication") require a password hash that can be pre-computed;
> the one-time artifacts (nonce, nonce count, etc.) are not concatenated with
> the plaintext password. Instead, section 3.2.2.2 of RFC 2617 states that
> the following hash is used as input to HTTP digest authentication:
> H[ (username) ":" (realm) ":" password]
>
> Section 4.13 of the RFC specifies that the above quantity is usually kept
> in its own file. That (hashed) quantity is then re-hashed during digest
> authentication with the one-time artifacts (nonce, nonce count, etc.).
>
> However, the password digest with nonce feature of the WS-Security core
> document seems to require concatenating the one-time inputs (nonce and
> created time) to the SHA1 hash function with the plaintext password. This
> introduces a significant vulnerability and will be an issue for security
> providers who typically do not have access to the plaintext password
> (e.g., only password hashes are persistently stored), and so cannot
> compute the hash as specified in 6.1.1. A more secure construction could
> be:
> password_digest = SHA1[nonce + created + SHA1[password]]
>
> Regards,
> John G. de Freitas
> Netegrity
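The three constructions discussed in the message above, worked through in Python as an added example (not code from the original post, the WSS specification, or Netegrity): the WD04 digest SHA1[nonce + created + password], the RFC 2617 pre-computable H(username:realm:password) with H = MD5 as the RFC defines it, and the proposed SHA1[nonce + created + SHA1[password]]. The `HashOnlyVerifier` class, the `client_token` helper, the user names and passwords, and the use of hex encoding for the digest are all assumptions made for this illustration; it models a server that persists only SHA1[password] and shows that such a server can check the proposed construction (and reject a replayed nonce) but has no way to check the WD04 one.

```python
import hashlib
import hmac
import os
import time


def spec_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS core WD04 section 6.1.1 as quoted in the mail: SHA1[nonce + created + password].
    Needs the plaintext password on both sides (hex encoding is an assumption here)."""
    return hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).hexdigest()


def password_hash(password: str) -> bytes:
    """SHA1[password]: the only per-user secret the proposed scheme requires a verifier to store."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def proposed_digest(nonce: bytes, created: str, pw_hash: bytes) -> str:
    """Construction proposed in the mail: SHA1[nonce + created + SHA1[password]]."""
    return hashlib.sha1(nonce + created.encode("utf-8") + pw_hash).hexdigest()


def rfc2617_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 section 3.2.2.2: H(username ":" realm ":" password), with H = MD5.
    Section 4.13 notes this value is what a server usually keeps on file."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


class HashOnlyVerifier:
    """Hypothetical server that, like the security providers the mail describes,
    persists only SHA1[password] per user. It also keeps a nonce cache so a
    captured token cannot simply be presented again."""

    def __init__(self, users: dict):
        # Constructed user store: plaintext is hashed once and then discarded.
        self._store = {user: password_hash(pw) for user, pw in users.items()}
        self._seen_nonces = set()

    def verify_spec_digest(self, user: str, nonce: bytes, created: str, digest: str):
        """Returns None: SHA1[nonce + created + password] cannot be recomputed
        from SHA1[password], so this verifier has no basis for a decision."""
        return None

    def verify_proposed_digest(self, user: str, nonce: bytes, created: str, digest: str) -> bool:
        pw_hash = self._store.get(user)
        if pw_hash is None:
            return False
        if nonce in self._seen_nonces:
            return False  # replay of a previously accepted token
        expected = proposed_digest(nonce, created, pw_hash)
        ok = hmac.compare_digest(expected, digest)  # constant-time comparison
        if ok:
            self._seen_nonces.add(nonce)
        # A production verifier would also bound the age of `created`; omitted here.
        return ok


def client_token(user: str, password: str, created: str = None):
    """Client side of the proposed scheme: fresh nonce and timestamp per token."""
    nonce = os.urandom(16)
    created = created or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return user, nonce, created, proposed_digest(nonce, created, password_hash(password))


if __name__ == "__main__":
    verifier = HashOnlyVerifier({"alice": "correct horse battery"})  # constructed credentials
    token = client_token("alice", "correct horse battery")
    print("first presentation accepted:", verifier.verify_proposed_digest(*token))
    print("replayed token accepted:   ", verifier.verify_proposed_digest(*token))
    print("WD04 digest verifiable:    ", verifier.verify_spec_digest(*token))
```

The replay cache is keyed on the nonce alone for brevity; the point of the example is the storage requirement, which is why `HashOnlyVerifier` never sees a plaintext password after construction.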