1. Web Server Design Week 13 Old Dominion University
Department of Computer Science
CS 495/595 Spring 2009
Michael L. Nelson
4/6/09

2. Problems with Basic Authentication
Password sent in clear
Cannot authenticate the server to the client
e.g. “phishing” attacks
uid/passwd may be used at other sites too

3. Digest Authentication
Does:
securely transmit the password
bi-directional authentication
But does not protect the session!!!
“https” uses 1 of:
Transport Layer Security
Secure Socket Layer

4. Replay Attacks Eavesdrop on the unencrypted c/s conversation
With basic, the bad guy has access to all URIs protected with that u/p
With digest:
replay is limited to the resource the bad guy already overheard
the vulnerability “window” is determined by the nonce value
PUT/POST methods need stronger nonce values (e.g., one-time use) and/or qop=auth-int

5. Multiple Authentication Schemes
According to section of RFC 2616 (and section 4.6 of RFC 2617), a single “WWW-Authenticate” header can provide more than 1 challenge
it is up to the client to choose the strongest challenge it understands
(n.b., I’m not sure how to do this with Apache; we will not issue multiple challenges in our project)
RFC 2616, sec :
… User agents are advised to take special care in parsing the WWW-
Authenticate field value as it might contain more than one challenge,
or if more than one WWW-Authenticate header field is provided, the
contents of a challenge itself can contain a comma-separated list of
authentication parameters.

6. Dictionary Attacks
Digest authentication offers no real protection against poorly chosen passwords
grabbing the nonce/response pair(s), eavesdropper can quickly run through a dictionary of common passwords trying to recreate the response
Dictionary = {root,$user,$user$user,reverse($user),Spock, Whorf,Gandalf,eagle,mustang,password, mypassword,123,asdf,fluffy,fido,…}
Make dictionary attacks harder with salt.
# user format = name:realm:md5(name:realm:password)
mln:Colonial Place:53bbb5135e0f39c1eb54804a66a95f08
# user format = name:realm:md5(name:realm:password:salt):salt
mln:Colonial Place:e65c90343b763abb9e442dd03ae79aac:12

7. Man in the Middle
A corrupted proxy (or a “phishing” server) could request your credentials:
basic: now it has your passwd (good for all URIs)
digest: it has authentication for a single URI
The very existence of “basic” is a problem
passwords are often shared among domains, realms, auth methods
client s/w & users have to be smart

8. Chosen Plaintext Attack
MITM attacks (or phishing server) have control of generating the nonce values
knowing the original input makes cryptoanalysis a little bit easier:
“Cribs”
client can counter w/ cnonce, since MITM will not know what the original input was for the cnonce value

9. Batch Bruce Force Attacks
Variation on the plaintext attack: MITM/phisher collects multiple responses from multiple users for the same nonce
Time to find first passwd decreases by the factor of the known nonce/response pairs

10. Precomputed Dictionary Attack
Combination of dictionary + plaintext
Compute a dictionary of (response,passwd) pairs for the known nonce value(s)
Computation can be done in parallel on zombie machines

11. Password Files
Even though the server (Apache) stores passwords in the form of:
user:realm:md5(user:realm:passwd)
if the passwd file is compromised (e.g., filesystem access), then the URIs in that realm are compromised
password does not need to be guessed
treat this passwd file as if the passwds are in the clear (unlike standard unix passwd file)