[secdir] Review of draft-ietf-httpauth-digest-15
"Hilarie Orman" <hilarie@purplestreak.com> Wed, 08 April 2015 23:04 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 311671A9165; Wed, 8 Apr 2015 16:04:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.69
X-Spam-Level:
X-Spam-Status: No, score=-0.69 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_21=0.6, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_NONE=-0.0001, T_FROM_12LTRDOM=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4sllM3yRdNq7; Wed, 8 Apr 2015 16:04:29 -0700 (PDT)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B0791A9164; Wed, 8 Apr 2015 16:04:29 -0700 (PDT)
Received: from in01.mta.xmission.com ([166.70.13.51]) by out01.mta.xmission.com with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.82) (envelope-from <hilarie@purplestreak.com>) id 1Yfz1H-00016e-98; Wed, 08 Apr 2015 17:04:27 -0600
Received: from [72.250.219.84] (helo=sylvester.rhmr.com) by in01.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from <hilarie@purplestreak.com>) id 1Yfz1G-0004AB-C3; Wed, 08 Apr 2015 17:04:27 -0600
Received: from sylvester.rhmr.com (localhost [127.0.0.1]) by sylvester.rhmr.com (8.14.4/8.14.4/Debian-2ubuntu1) with ESMTP id t38N49Pe016520; Wed, 8 Apr 2015 17:04:09 -0600
Received: (from hilarie@localhost) by sylvester.rhmr.com (8.14.4/8.14.4/Submit) id t38N48Ga016518; Wed, 8 Apr 2015 17:04:08 -0600
Date: Wed, 08 Apr 2015 17:04:08 -0600
Message-Id: <201504082304.t38N48Ga016518@sylvester.rhmr.com>
From: Hilarie Orman <hilarie@purplestreak.com>
To: iesg@ietf.org
X-XM-AID: U2FsdGVkX19IgXMXHGciIYGgpcTYHcN+
X-SA-Exim-Connect-IP: 72.250.219.84
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ******;iesg@ietf.org
X-Spam-Relay-Country:
X-Spam-Timing: total 484 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 4.2 (0.9%), b_tie_ro: 3.0 (0.6%), parse: 1.03 (0.2%), extract_message_metadata: 6 (1.2%), get_uri_detail_list: 3.1 (0.6%), tests_pri_-1000: 3.8 (0.8%), tests_pri_-950: 1.61 (0.3%), tests_pri_-900: 1.21 (0.3%), tests_pri_-400: 25 (5.1%), check_bayes: 23 (4.7%), b_tokenize: 7 (1.4%), b_tok_get_all: 7 (1.4%), b_comp_prob: 3.2 (0.7%), b_tok_touch_all: 3.3 (0.7%), b_finish: 0.84 (0.2%), tests_pri_0: 433 (89.5%), tests_pri_500: 4.7 (1.0%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/LTEPTsMwfOWAVlppUDGN-6PZaE8>
Cc: draft-ietf-httpauth-digest.all@tools.ietf.org, secdir@ietf.org
Subject: [secdir] Review of draft-ietf-httpauth-digest-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Hilarie Orman <hilarie@purplestreak.com>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 23:04:30 -0000
Security review of
HTTP Digest Access Authentication
draft-ietf-httpauth-digest-15
Do not be alarmed. I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG. These comments were written primarily
for the benefit of the security area directors. Document editors and
WG chairs should treat these comments just like any other last call
comments.
HTTP authentication can be done via username and password. This
document defines two hash function based methods for sending a binding
between the password, username, and other information. The password
can be verified on a server by checking the hash using the recorded
password and the current information. The method defines the use of
newer hash functions but keeps backwards compatibility with MD5.
"Section 3.1 Overall Operation
....
The security of this protocol is critically dependent on the
randomness of the randomly chosen parameters, such as client and
server nonces. These should be generated by a strong random or
properly seeded pseudorandom source (see [RFC4086])."
The above seems to be something that should go into the noticeably
absent "Security Considerations" section.
Page 5, discussions the "nonce". The "secret-data" is what requires
the high-quality randomness mentioned in section 3.1. This should be
explicitly noted. There should be some guidance on the minimum
acceptable length of the secret-data ... 128 bits seems reasonable to
me. The maximum length should also be specified, and I would
recommend that it be no more than 512 bits at most.
I would further recommend that the secret data be generated explicitly
for digest authentication and not copied from some other random value
used by the server for other security purposes. Further, the
"secret-data" should be changed periodically, not just on server
restart.
"Also, IP address spoofing is not that hard." would be better stated
as "Source IP addresses are no guarantee of end-to-end integrity."
Page 5, "opaque" data string. What is the minimum acceptable length?
16 bytes? Maximum? There should be a maximum.
Page 6
" algorithm
A string indicating a pair of algorithms used to produce the
digest and a checksum. If this is not present it is assumed to be
"MD5".
"
How is "MD5" a pair of algorithms? Is "MD5,MD5" a pair? Or is the
there actually a single algorithm that will be used in two ways (keyed
and unkeyed digest)?
It would be helpful to note that "KD" means "Keyed digest". It would
be better to use HMAC than the concatenation shown.
Rather than "checksum", it would be more appropriate to say "digest"
or "unkeyed digest". E.g, "to produce a keyed digest and an unkeyed
digest."
Page 8, what is the minimum acceptable length for cnonce? Maximum length?
Page 10, "cnounce" should be "cnonce".
I would recommend that the keyed digest be done in the following way:
K = H(password)
C = concatenation of a bunch of non-secret stuff
KD(K, C) = HMAC(K, C) = H(K, H(K, C))
For the H-ness calculations,
C' = unq(username) ":" unq(realm) ":" unq(nonce-prime) ":" unq(cnonce-prime)
A1 = HMAC(K, C')
and then
KD ( A1, C ) = HMAC(A1, C) = H(A2, H(A1, C))
Hilarie
- Re: [secdir] Review of draft-ietf-httpauth-digest… Rifaat Shekh-Yusef
- [secdir] Review of draft-ietf-httpauth-digest-15 Hilarie Orman