[2917] in WWW Security List Archive
Re: S/KEY authentication over HTTP protocol
daemon@ATHENA.MIT.EDU (Evil Pete)
Wed Sep 11 02:18:22 1996
To: LAI CHACK AN ITSC NCS <calai@ncspo3.ncs.com.sg>
cc: www-security@ns2.rutgers.edu
From: Evil Pete <shipley@dis.org>
In-reply-to: Your message of Wed, 11 Sep 1996 09:22:00 -0700.
<3236EE58@ncsgw.ncs.com.sg>
Date: Tue, 10 Sep 1996 21:46:45 -0700
Errors-To: owner-www-security@ns2.rutgers.edu
>
> The basic authentication mechanism of HTTP protocol is fine except that
>it sends the password over the wire in the clear and would make it
>vulnerable for sniffers. Hence I was just wondering if you know of any
>initiatives/product that allows s/key authentication access for web
>pages.. I've seen implementations of JAVA S/key calculators around the
>web and was just curious to find out if anyone has integrated it into a
>S/KEY authentication mechanism for web pages?
>
>Charles Lai
>
sounds intrested but there are some implention details that have to
be worked out such as since the WWW client sends the password over the wire
for each page (because this is a stateless system) you can burn through
your list of 100 skeys in a day easy...
