Re: HTTP sniffer for Digest Authentication?

[Ivan Ristic <ivanr () webkreator com>]

> However I am not sure how you plan to use this Digest to replay an attack. 

  At this time I am only evaluating advantages of Digest over
  Basic authentication, so I won't be trying any of this in practice.


> Usually the webservers use "nonce" to calculate the MD5 digest for
> digest authentication, which makes replaying an attack, using a
> sniffed digest, virtually impossible. Nonce is different each time
> 401 challenge is issued, thus making the digest different each time.

  That is correct, but there is still a window of opportunity while
  a server-generated nonce remains valid. Nonce lifetime is
  implementation and configuration specific. For example, on Apache
  it defaults to 300 seconds. If I am in position to discover Digest
  hashes as they travel over the wire, each hash would give me
  five minutes authenticated time with the server. Provided there
  are other active users on the server, I can repeat the process for
  as long as I want.

  The point is that if I know what I am doing, Digest authentication has
  few advantages over Basic. But, while Digest won't deter attackers
  who understand HTTP well, it will still serve as a barrier to those
  who have no or little technical skills, but would happily use a
  password sniffer to discover base-64 encoded passwords.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]