Re: [http-auth] I-D Action: draft-ietf-httpauth-scram-auth-10.txt
Tony Hansen <tony@att.com> Thu, 19 November 2015 15:53 UTC
Return-Path: <tony@att.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86EB61B2BF4 for <http-auth@ietfa.amsl.com>; Thu, 19 Nov 2015 07:53:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.262
X-Spam-Level:
X-Spam-Status: No, score=-0.262 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, J_BACKHAIR_16=1, KHOP_DYNAMIC=1.004, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uuSppHNyWv5p for <http-auth@ietfa.amsl.com>; Thu, 19 Nov 2015 07:53:15 -0800 (PST)
Received: from mx0b-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B8FC1B2BF1 for <http-auth@ietf.org>; Thu, 19 Nov 2015 07:53:15 -0800 (PST)
Received: from pps.filterd (m0049463.ppops.net [127.0.0.1]) by m0049463.ppops.net-00191d01. (8.15.0.59/8.15.0.59) with SMTP id tAJFnQvw043327 for <http-auth@ietf.org>; Thu, 19 Nov 2015 10:53:14 -0500
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049463.ppops.net-00191d01. with ESMTP id 1y6qtkdqab-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <http-auth@ietf.org>; Thu, 19 Nov 2015 10:53:13 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id tAJFrDnJ010078 for <http-auth@ietf.org>; Thu, 19 Nov 2015 10:53:13 -0500
Received: from alpi131.aldc.att.com (alpi131.aldc.att.com [130.8.218.69]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id tAJFr3DZ010019 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <http-auth@ietf.org>; Thu, 19 Nov 2015 10:53:06 -0500
Received: from alpi153.aldc.att.com (alpi153.aldc.att.com [130.8.42.31]) by alpi131.aldc.att.com (RSA Interceptor) for <http-auth@ietf.org>; Thu, 19 Nov 2015 15:52:45 GMT
Received: from aldc.att.com (localhost [127.0.0.1]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id tAJFqjhn014917 for <http-auth@ietf.org>; Thu, 19 Nov 2015 10:52:45 -0500
Received: from dns.maillennium.att.com (maillennium.att.com [135.25.114.99]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id tAJFqdWI014601 for <http-auth@ietf.org>; Thu, 19 Nov 2015 10:52:39 -0500
Received: from tonys-macbook-pro.local (unknown[135.110.241.68](untrusted sender)) by maillennium.att.com (mailgw1) with ESMTP id <20151119155238gw100dvbkte>; Thu, 19 Nov 2015 15:52:39 +0000
X-Originating-IP: [135.110.241.68]
To: Alexey Melnikov <alexey.melnikov@isode.com>, http-auth@ietf.org
References: <20151119134320.4195.3658.idtracker@ietfa.amsl.com> <564DD2A8.5000805@isode.com>
From: Tony Hansen <tony@att.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <564DF045.6080901@att.com>
Date: Thu, 19 Nov 2015 10:52:37 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <564DD2A8.5000805@isode.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-11-19_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310000 definitions=main-1511190261
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/La_uLeYD1FzTC6tb-zJ_9dKDchI>
Subject: Re: [http-auth] I-D Action: draft-ietf-httpauth-scram-auth-10.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 15:53:16 -0000
On 11/19/15 8:46 AM, Alexey Melnikov wrote: > On 19/11/2015 13:43, internet-drafts@ietf.org wrote: >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-httpauth-scram-auth/ >> >> There's also a htmlized version available at: >> https://tools.ietf.org/html/draft-ietf-httpauth-scram-auth-10 >> >> A diff from the previous version is available at: >> https://www.ietf.org/rfcdiff?url2=draft-ietf-httpauth-scram-auth-10 > This version fixes a few typos spotted by people, changes examples > from using "host.com" to "example.com" (thank you Tony) and fixes more > things in examples (again, thank you Tony). I've been thinking about re-authentication and the question about having a counter that changes to make each sr= unique. Unless I'm mistaken, I THINK without it, what is there now could allow replay attacks and MITM attacks. It might be better to make sr= a base64-encoded block that includes both the s-nonce and the i value. The s-nonce would be what was in the earlier response, but uses a higher i= value, such as 4097, 4098, etc. The i value is ALREADY a counter that can be used to make things unique. And this should be easy for both sides to calculate because it can use the earlier result and just do another round of hashing. More nits below. Tony I keep spotting little things s/RFC 3174/RFC 6234/ An the final server response contains data attribute which base64 decodes as follows: to >>And<< the final server response contains >>a<< data attribute which base64 decodes as follows: or preferably >>The<< final server response contains >>a<< data attribute which base64 decodes as follows: I saw another "earlies" that should be "earlier". Note: I >really< dislike www-authenticate's overuse of list syntax and its comma separators.
- [http-auth] I-D Action: draft-ietf-httpauth-scram… internet-drafts
- Re: [http-auth] I-D Action: draft-ietf-httpauth-s… Alexey Melnikov
- Re: [http-auth] I-D Action: draft-ietf-httpauth-s… Tony Hansen
- Re: [http-auth] I-D Action: draft-ietf-httpauth-s… Alexey Melnikov