Re: Suggested extension

Ned Freed <NED@sigurd.innosoft.com> Tue, 01 December 1992 02:04 UTC

Date: Mon, 30 Nov 1992 18:04:57 -0700
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Ned Freed <NED@sigurd.innosoft.com>
Subject: Re: Suggested extension
To: stjohns@umd5.umd.edu
Cc: galvin@tis.com, pen@lysator.liu.se, ident@CNRI.Reston.VA.US
Message-id: <01GRRSDUOOVG8Y510G@SIGURD.INNOSOFT.COM>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET="US-ASCII"
Content-transfer-encoding: 7bit

Just because this particular extension doesn't offer much exposure (i.e.
the password doesn't protect anything that important) is no excuse for
deploying another clear-text-password scheme on the Internet. Such schemes
should be carefully limited to the essential cases, since fixing them
later is quite costly.

An alternative proposal: Instead of sending the password, send a hash value.
Specifically, take the password-in-clear plus the entire text of the query
and run it through a good hash function like MD5. Take the output of this
function and send that along with the query. This eliminates exposure of the
clear text password and limits a network sniffer to repeating old queries.
(It presumably already saw the answers to these queries.) If you want a
bit more security, put a time value in there and hash it too -- this can be
used to limit queries to a small time regime.

I do agree that this should only get done in the next revision of the document.
But if it gets done at all I think a hash function is the right way to go
about it.

				Ned

Suggested extension Peter Eriksson
Re: Suggested extension Peter Eriksson
Re: Suggested extension James M Galvin
Re: Suggested extension Peter Eriksson
Re: Suggested extension Mike StJohns
Re: Suggested extension Peter Eriksson
Re: Suggested extension Ned Freed
Re: Suggested extension Peter Eriksson