Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: Jason <security () brvenik com>
Date: Fri, 17 Mar 2006 14:17:29 -0500

I do not think that digest over basic is really going to help in the
MITM case either, since the attacker that can successfully pull off the
SSL MITM controls the connection. Digest avoids disclosing the actual
password but it does not necessarily prevent the attacker from changing
it. The attacker can now not only access the system impersonating you
but hijack it from you just as if he had the actual password.

Digest also does not prevent the attacker in this case from presenting
the client with data that produces a reversible or discoverable text
thereby recovering an _effective_ password.


"
   Like Basic Access Authentication, the Digest scheme is based on a
   simple challenge-response paradigm. The Digest scheme challenges
   using a nonce value. A valid response contains a checksum (by
   default, the MD5 checksum) of the username, the password, the given
   nonce value, the HTTP method, and the requested URI. In this way, the
   password is never sent in the clear. Just as with the Basic scheme,
   the username and password must be prearranged in some fashion not
   addressed by this document.
"

The attacker now needs to provide a nonce and wait for the reply. The
ability to control data that will be used in the hash is key to making
it potentially successful. The nonce, username, HTTP method, and URI
will all be known at this point. Now the attacker only needs to find a
hash collision with _any_ password that satisfies the checksum and the
game is again over.

http://www.stachliu.com/collisions.html

New average run time on P4 1.6ghz PC - 45 minutes

I don't think that the attacker needs to actually launch a collision
attack because they have all but one component used in the hash. Now the
attacker only needs to launch a dictionary attack against the provided
hash and they likely will find the result.

Given that the attacker controls the connection they can learn the
requisite details by observing normal interaction and producing a
precomputed hash table with the nonce they plan on providing. This could
result in a near real-time compromise of the password when an actual
attack is launched.

A solution that requires another successful MITM is required to add any
real complexity to the equation. The solution must introduce a
computational complexity that removes the precomputed and known text
attack vectors. Any solution that does not is ultimately no better when
considered in the context of a successful MITM. Digest raises the bar a
little more but I do not think it will solve the problem.

Simon Smith wrote:
Thanks felix!

Felix Lindner wrote:

Hi,

On Thu, 16 Mar 2006 09:48:07 -0500
Simon Smith <simon () snosoft com> wrote:
 

My first thought was on how to harden the
authentication because the basic auth didn't cut it for me. That's what I
am looking for ideas for.
   

you may be looking for Digest Authentication:
http://www.ietf.org/rfc/rfc2617.txt:

  "Like Basic, Digest access authentication verifies that both parties
  to a communication know a shared secret (a password); unlike Basic,
  this verification can be done without sending the password in the
  clear, which is Basic's biggest weakness. As with most other
  authentication protocols, the greatest sources of risks are usually
  found not in the core protocol itself but in policies and procedures
  surrounding its use."

cheers
FX

 




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
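
The response calculation from RFC 2617 (the RFC quoted in this thread), as an added example that is not part of the original messages: it shows which hash inputs are fixed by the party issuing the challenge, and a client-side policy that answers only challenges offering qop=auth, so that a client-chosen cnonce enters the hash. The function names and the legacy challenge string are constructed for illustration; the remaining values are the RFC's own example.

```python
import hashlib
from urllib.request import parse_http_list, parse_keqv_list

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """request-digest per RFC 2617 section 3.2.2 (algorithm=MD5)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        # Legacy form: apart from the password, every input is visible on
        # the wire, and the nonce is chosen by whoever answers as the server.
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    # qop form: nc and cnonce are chosen by the client, so the hash input is
    # no longer fixed by the party that issued the challenge.
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_challenge(header_value):
    """Split a 'WWW-Authenticate: Digest ...' value into its directives."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return parse_keqv_list(parse_http_list(params))

def client_accepts(challenge):
    """Client policy: answer only when qop=auth is offered (cnonce in use)."""
    offered = [q.strip() for q in challenge.get("qop", "").split(",")]
    return "auth" in offered

# Challenge from the RFC 2617 example, and a constructed one without qop.
RFC_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
LEGACY_CHALLENGE = 'Digest realm="testrealm@host.com", nonce="constructed-nonce"'

if __name__ == "__main__":
    for header in (RFC_CHALLENGE, LEGACY_CHALLENGE):
        ch = parse_challenge(header)
        if not client_accepts(ch):
            print("refusing challenge without qop=auth:", ch["nonce"])
            continue
        print(digest_response("Mufasa", ch["realm"], "Circle Of Life", "GET",
                              "/dir/index.html", ch["nonce"], "auth",
                              "00000001", "0a4f113b"))
```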

