Re: No More Passwords In The Clear in HTTP!

Daniel W. Woycke (woycke@mitre.org)
Tue, 10 Jan 1995 14:31:13 +0100


Well, Dan,

>>To: Brian Behlendorf <brian@wired.com>
>>Cc: www-talk@info.cern.ch, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>>Subject: Re: No More Passwords In The Clear in HTTP!
>>Date: Mon, 09 Jan 1995 16:11:50 -0600
>>From: "Daniel W. Connolly" <connolly@hal.com>
>>Sender: http-wg-request@cuckoo.hpl.hp.com
>>X-Mdf: Mail for lorrayne sent to lorrayne@smiley.mitre.org
>>
>>In message <Pine.BSD.3.91.950109121342.19279d-100000@get.wired.com>,
>>Brian Behlendorf writes:
>>> Brian
>>>
>>>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>>>brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/
>>
>>Yikes! Jinks! I asked for a reference to s-key in my p.s.
>>Brian replies to other issues, but includes the address of
>>his home-page.
>>
>>Dan wastes a little time surfing Brian's home-page, and subconsciously
>>follows these links...
>>
>>http://www.hotwired.com/Staff/brian/
>>http://www.hotwired.com/Staff/brian/links.html
>>http://www.ccs.neu.edu/home/thigpen/index.html
>>http://www.ccs.neu.edu/home/thigpen/html/interests.html
>>http://www.ccs.neu.edu/home/thigpen/html/security.html
>>
>>Which has a handy reference to the S/Key paper from bellcore:
>>http://www.ccs.neu.edu/home/thigpen/docs/security_papers/ISOC.symp.ps
>>
>>
>>After reading the S/Key paper, I think we should consider it in place
>>of the simple challenge/response system.
>>
>>Advantages of S/Key:
>>
>> * passwords are _not_ stored on the server side in clear form.
>> * user can securely use the same password at different sites
>> * password can be changed without sending it over the net
>>
Another advantage is that the user could enter their password at the client
for this session. The client stores it in memory (hopefully will never
write it out somewhere, perhaps store it encrypted so that when it dumps
core the password isn't in the core file.)

Every time the user logs into a new WWW server the authentication could take
place without the user knowing it.

>>Drawbacks:
>> * server-side passwd database is not read-only: server must update the user's count of logins each time
>> * doesn't support the opaque="..." feature of the spyglass proposal
>>
>>Dan
>>
>>
The big drawbacks are a) keeping a database up to date on all of those
servers would be horrible and b) just like any other WWW implementation of
authentication, each connection would be authenticated, each little
picture, each set of text. Since the idea is to make it invisible to the
user, the user would not have to enter X number of S/Key responses, but the
client-server interaction would be slowed down significantly by the MD4
calculations that need to be done, and the packet exchange for each WWW
connection.

Thank You,

Daniel W. Woycke              | "I went out drinking with Thomas
Information Engineer (c) 1992 | Paine..." -- Billy Bragg
The MITRE Corporation         | "But I am still thirsty..."
7525 Colshire Drive (MS Z213) | -- Arrested Development
McLean, VA 22102              | These opinions are mine and are not
woycke@smiley.mitre.org       | and will not be held by anyone else.
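The S/Key one-time-password exchange the thread is weighing, as an added example that is not part of this message or of the Bellcore paper: the server keeps only a seed, a remaining login count and the last accepted response, so the password itself is never stored or sent, and the record has to be rewritten after every login, which is exactly the database-update drawback Dan and Woycke raise. SHA-256 stands in for S/Key's folded MD4 (an assumption), and the user name, secret and seed are constructed.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    # Real S/Key iterates MD4 folded to 64 bits; SHA-256 stands in here (assumption).
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """n-th one-time password of the chain: h applied n times to secret||seed."""
    x = secret + seed
    for _ in range(n):
        x = h(x)
    return x

class SKeyServer:
    """Per user the server keeps only seed, remaining count and the last
    accepted one-time password; the secret password is never stored."""
    def __init__(self):
        self.db = {}

    def enroll(self, user: str, seed: bytes, n: int, otp_n: bytes):
        # otp_n = h^n(secret||seed) was computed on the client; the secret never crossed the wire.
        self.db[user] = {"seed": seed, "n": n, "last": otp_n}

    def challenge(self, user: str):
        rec = self.db[user]
        if rec["n"] <= 1:  # h^0 would be the secret itself: never ask for it
            raise RuntimeError("chain exhausted; client must re-enroll")
        return rec["n"] - 1, rec["seed"]          # ask for h^(n-1)

    def verify(self, user: str, response: bytes) -> bool:
        rec = self.db[user]
        if not secrets.compare_digest(h(response), rec["last"]):
            return False
        # The drawback raised in the thread: the record is rewritten on every login.
        rec["n"] -= 1
        rec["last"] = response
        return True

def demo() -> dict:
    # Constructed values; the client holds the secret in memory only, as Woycke suggests.
    server, secret, seed = SKeyServer(), b"constructed-secret", b"seed01"
    server.enroll("alice", seed, 5, otp(secret, seed, 5))
    n, s = server.challenge("alice")
    first = otp(secret, s, n)
    ok1 = server.verify("alice", first)
    replay = server.verify("alice", first)        # same response resent: rejected
    n, s = server.challenge("alice")
    ok2 = server.verify("alice", otp(secret, s, n))
    return {"first": ok1, "replay": replay, "second": ok2, "left": server.db["alice"]["n"]}
```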