IPP Mail Archive: IPP> SEC - Security Issue Discussion in IE

IPP> SEC - Security Issue Discussion in IETF50 IPP WG Meeting in Minneapolis

From: Manros, Carl-Uno B (cmanros@cp10.es.xerox.com)
Date: Wed Apr 04 2001 - 19:14:27 EDT

    All,

    During the IETF50 IPP WG meeting we had some discussions around some of the
    security issues that have been discussed earlier on the IPP WG DL.

    Here is a TXT version of the slides shown for that discussion. They are a bit
    short, but hopefully they provide enough information for those of you who
    are interested in the subject. This discussion was led by Scott Lawrence.

    Carl-Uno

    ---
    

    Scott Lawrence slawrence@virata.com lawrence@agranat.com

    Main author of:

    RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication.
    RFC 2817 - Upgrading to TLS Within HTTP/1.1

    -----

    HTTP Digest Authentication Misconceptions

    Purposes of the Client Nonce (cnonce)

    - Prevent Chosen-Plaintext Attack
      Attacker spoofing server cannot choose all of the inputs to the
      authentication hash
      Incidentally protects against sloppy nonce choices by server
    - Mutual Authentication
      The client can check the response digest to verify that the server
      also knew the shared secret.

    ------

    HTTP Digest Authentication Misconceptions

    Message Body Integrity Protection

    - NOT algorithm = MD5-sess
      MD5-sess modifies shared secret usage to permit third party
      authentication services; has no effect on body integrity
    - qop=auth-int
      Provides body integrity protection by incorporating body hash into
      authentication hash calculations
      Note that you don't know the authentication status until the end

    ------

    HTTP Digest Authentication Misconceptions

    When Can A Server Challenge?
      Any time it wants to.
    Why Can A Server Challenge?
      Any reason it wants to.
    How Can A Server Distinguish Protection Domains?
      Modify the realm?

    -----

    Carl-Uno Manros
    Manager, Print Services
    Xerox Architecture Center - Xerox Corporation
    701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231
    Phone +1-310-333 8273, Fax +1-310-333 5514
    Email: manros@cp10.es.xerox.com
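
The slides' points about cnonce, MD5-sess, qop=auth-int and the server's response digest, worked through the RFC 2617 digest formulas as an added example (not part of the original message or slides). The credentials, nonce and URI are the sample values from RFC 2617 section 3.5; the POST bodies and the helper names are constructed for illustration.

```python
import hashlib

# Values from the worked example in RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
URI = "/dir/index.html"

def H(data):
    """MD5 as lowercase hex, the H() of RFC 2617."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()

def ha1(password, algorithm="MD5", cnonce=CNONCE):
    """H(A1). MD5-sess only changes how the shared secret is used."""
    base = H(f"{USER}:{REALM}:{password}")
    if algorithm == "MD5-sess":
        return H(f"{base}:{NONCE}:{cnonce}")
    return base

def digest(key, method, qop, body=b"", cnonce=CNONCE):
    """request-digest; only qop=auth-int puts H(entity-body) into A2."""
    a2 = f"{method}:{URI}"
    if qop == "auth-int":
        a2 += ":" + H(body)
    return H(f"{key}:{NONCE}:{NC}:{cnonce}:{qop}:{H(a2)}")

def rspauth(key, qop, body=b""):
    """Server's Authentication-Info digest: same formula, empty method."""
    return digest(key, "", qop, body)

def body_is_bound(algorithm, qop):
    """True if changing the request body changes the digest (constructed bodies)."""
    key = ha1(PASSWORD, algorithm)
    return digest(key, "POST", qop, b"copies=1") != digest(key, "POST", qop, b"copies=100")

def server_proves_secret(server_password):
    """Client-side check of rspauth against the value it computes itself."""
    expected = rspauth(ha1(PASSWORD), "auth")
    return rspauth(ha1(server_password), "auth") == expected

if __name__ == "__main__":
    print("RFC 2617 vector:", digest(ha1(PASSWORD), "GET", "auth"))
    print("MD5-sess + auth binds body:", body_is_bound("MD5-sess", "auth"))
    print("MD5 + auth-int binds body:", body_is_bound("MD5", "auth-int"))
    print("cnonce changes digest:", digest(ha1(PASSWORD), "GET", "auth", cnonce="ffffffff")
          != digest(ha1(PASSWORD), "GET", "auth"))
    print("spoofed server passes rspauth:", server_proves_secret("guess"))
```

Because `digest` with qop=auth-int needs `H(body)`, a receiver cannot compute or compare the digest until the whole body has arrived, which is the slide's "you don't know the authentication status until the end".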



    This archive was generated by hypermail 2b29 : Wed Apr 04 2001 - 19:15:58 EDT