[2920] in WWW Security List Archive
Re: S/KEY authentication over HTTP protocol
daemon@ATHENA.MIT.EDU (Mike E. Straw)
Wed Sep 11 11:12:50 1996
To: LAI CHACK AN ITSC NCS <calai@ncspo3.ncs.com.sg>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: Your message of "Wed, 11 Sep 96 09:22:00 PDT." <3236EE58@ncsgw.ncs.com.sg>
Date: Wed, 11 Sep 96 09:28:17 -0400
From: "Mike E. Straw" <mess@bae.bellcore.com>
Errors-To: owner-www-security@ns2.rutgers.edu
Charles:
I'm an S/key enthusiast and have thought of using S/key in a web environment.
However, the biggest stumbling blocks I see with using S/key are:
1. S/key is "session oriented" (authenticate once and you have access
to the protected resources), while web access is stateless:
every page is a new session.
2. Current browsers understand how to respond to "identify yourself"
responses coming from HTTP servers when a user clicks on a protected
URL. The browser pops up the familiar name/password dialog.
The browser caches the name/password and for every page accessed
in the same domain as that original protected page, the browser
just "tacks on" the name/password pair with the request for the
URL. Unfortunately, browsers do not understand how to react to
the challenge/response authentication mechanism of S/key.
Obviously there are things you can do to overcome the above problems.
+ alter the server to keep "state" information so that it does
not require authentication with subsequent page requests in the
same domain.
+ create a helper app/java applet to allow the browser to work
in "challenge/response" mode.
However, if you are really concerned about passwords being sniffed, you
could use name/password protected pages in combination with SSL. This
way the browsers and servers do not need to be modified and passwords
are not vulnerable to being sniffed.
Of course, if you or someone out there does concoct a web solution with
S/key I'd love to hear about it.
Mike Straw
> The basic authentication mechanism of HTTP protocol is fine except that
> it sends the password over the wire in the clear and would make it
> vulnerable to sniffers. Hence I was just wondering if you know of any
> initiatives/products that allow S/key authentication access for web
> pages. I've seen implementations of Java S/key calculators around the
> web and was just curious to find out if anyone has integrated it into an
> S/KEY authentication mechanism for web pages?
>
> Charles Lai
>
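The challenge/response mechanism the thread discusses, as an added example that is not part of either message: a simplified S/KEY-style hash chain in which the server stores only the last accepted one-time password, so a password sniffed off the wire cannot be replayed. It uses SHA-256 truncated to 8 bytes in place of the MD4 folding and six-word encoding of real S/KEY; the class and function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified S/KEY-style one-time-password chain (a Lamport
# hash chain). Real S/KEY (RFC 1760) uses MD4 folded to 64 bits and a
# six-word encoding; SHA-256 truncated to 8 bytes stands in for it here.

def otp(seed: str, passphrase: str, n: int) -> bytes:
    """Return chain element n: the hash of (seed || passphrase) applied n+1 times."""
    value = hashlib.sha256((seed + passphrase).encode()).digest()[:8]
    for _ in range(n):
        value = hashlib.sha256(value).digest()[:8]
    return value


class SkeyServer:
    """Holds, per user, only the seed, the sequence number and the last accepted OTP.
    The passphrase itself is never stored, and no accepted OTP is usable twice."""

    def __init__(self):
        self.users = {}  # username -> (seed, seq, last_accepted_otp)

    def enroll(self, user: str, passphrase: str, seq: int = 100):
        # Enrollment happens out of band; the client computes the top of the chain.
        seed = secrets.token_hex(4)
        self.users[user] = (seed, seq, otp(seed, passphrase, seq))
        return seed, seq

    def challenge(self, user: str):
        # The server asks for element seq-1; the client derives it from its passphrase.
        seed, seq, _ = self.users[user]
        return seq - 1, seed

    def verify(self, user: str, response: bytes) -> bool:
        seed, seq, last = self.users[user]
        if seq <= 1:
            return False  # chain exhausted: the user must re-enroll
        # Hashing the response once more must reproduce the stored element.
        expected = hashlib.sha256(response).digest()[:8]
        if not hmac.compare_digest(expected, last):
            return False
        # Advance the chain, so the same response is rejected if replayed.
        self.users[user] = (seed, seq - 1, response)
        return True
```

A sniffer who captures the response for element 99 learns nothing that lets it compute element 98, which is what the next challenge asks for; the per-page "statelessness" Mike describes still has to be bridged by the server issuing a session token after a successful verify.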