[2921] in WWW Security List Archive
Re: S/KEY authentication over HTTP protocol
daemon@ATHENA.MIT.EDU (Brian W. Spolarich)
Wed Sep 11 11:13:15 1996
Date: Wed, 11 Sep 1996 09:03:59 -0400 (EDT)
From: "Brian W. Spolarich" <briansp@ans.net>
To: LAI CHACK AN ITSC NCS <calai@ncspo3.ncs.com.sg>
cc: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
In-Reply-To: <3236EE58@ncsgw.ncs.com.sg>
Errors-To: owner-www-security@ns2.rutgers.edu

I have not seen S/KEY over HTTP, although Java or CGI/Cookie
implementations wouldn't be that difficult to cook up.

The common approach to this that I have seen is HTTP Basic over SSL,
which provides encryption (weak or strong) of the entire session. I'd
also like to see Kerberos support in HTTP. I believe I saw K4 and K5
hooks in S-HTTP, but I haven't looked at the spec in a while.

-b.

On Wed, 11 Sep 1996, LAI CHACK AN ITSC NCS wrote:
>
> The basic authentication mechanism of HTTP protocol is fine except that
> it sends the password over the wire in the clear and would make it
> vulnerable to sniffers. Hence I was just wondering if you know of any
> initiatives/product that allows s/key authentication access for web
> pages. I've seen implementations of JAVA S/key calculators around the
> web and was just curious to find out if anyone has integrated it into an
> S/KEY authentication mechanism for web pages?
>
> Charles Lai
>
> ----------
> From: Brian W. Spolarich[SMTP:briansp@ans.net]
> Sent: Tuesday, September 10, 1996 2:26 AM
> To: Benjamin Suto
> Cc: 'www-security@ns2.rutgers.edu'
> Subject: Re: your mail
>
>
> Benjamin, this is generally a pretty basic feature of most HTTP
> servers.
>
> The implementation of access controls varies greatly depending on your
> server. Under Apache and other NCSA variants this is accomplished via
> the access.conf file. Under the Netscape Enterprise server, this is
> accomplished via the Admin interface (as are most things). WN, on the
> other hand, is a completely different beast altogether. Don't ask me
> about IIS...I don't know. :-]
>
> RTFM on your server to find out how to do this for your particular
> product. You're looking for how to set up "Access Controls" or something
> similar.
>
> The authentication that we're talking about here is accomplished via
> the Basic authentication method which is part of the HTTP/1.0 protocol
> specification (sometimes referred to as "HTTP Basic"). This
> authentication method is built in to all current releases of any
> reasonable Web client.
>
> -brian
>
> On Mon, 9 Sep 1996, Benjamin Suto wrote:
>
> > I know this has been asked before, so I'll be quick.
> >
> > Does anyone know any resources for finding information on password
> > protecting certain web pages? For example, if a site tries to access a
> > certain web page, or any web pages under it, a prompt would show up
> > asking for a username and/or password.
> >
> > My company wants to restrict certain information from the rest of the
> > Internet, but still allow our clients to access it.
> >
> > If anyone has any information as to how to do this, please send it to
> > me.
> >
> > Thanks,
> >
> > Ben
> >
> >
>
> --
> Brian W. Spolarich - ANS - briansp@ans.net - (313)677-7311
> Look both ways before crossing the Net.
>
>
>
>
--
Brian W. Spolarich - ANS - briansp@ans.net - (313)677-7311
Look both ways before crossing the Net.
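
Added example, not part of the original messages: a Python sketch of the contrast discussed in this thread. It decodes a Basic `Authorization` header value exactly as anyone reading the wire could, then runs an S/KEY-style hash-chain verifier in which the server keeps only the last accepted value and a replayed response fails. Assumptions: SHA-256 stands in for the MD4-with-64-bit-folding step of real S/KEY, and every name and sample value is constructed for illustration.

```python
import base64
import hashlib
import hmac

def decode_basic(header_value):
    """Recover (user, password) from a Basic Authorization header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def chain(secret, seed, n):
    """Hash seed+secret once, then n more times (SHA-256 is an assumption)."""
    value = hashlib.sha256(seed + secret).digest()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

class OtpVerifier:
    """Server side: stores the last accepted chain value, never the secret."""
    def __init__(self, seed, count, stored):
        self.seed, self.count, self.stored = seed, count, stored

    def challenge(self):
        # The client must answer with chain(secret, seed, count - 1).
        return self.seed, self.count - 1

    def verify(self, response):
        if self.count <= 0:
            return False  # chain exhausted, the user must re-initialise
        candidate = hashlib.sha256(response).digest()
        if not hmac.compare_digest(candidate, self.stored):
            return False
        self.stored = response  # the next login must supply its preimage
        self.count -= 1
        return True

def demo():
    # Constructed sample values, not taken from the thread.
    header = "Basic " + base64.b64encode(b"alice:hunter2").decode()
    sniffed = decode_basic(header)  # base64 is an encoding, not encryption
    secret, seed = b"correct horse", b"ke1234"
    server = OtpVerifier(seed, 100, chain(secret, seed, 100))
    s, n = server.challenge()
    otp = chain(secret, s, n)
    return sniffed, server.verify(otp), server.verify(otp)

if __name__ == "__main__":
    print(demo())
```

The one-time response only removes the reusable password from the wire; the page content itself still travels unencrypted unless the session runs over SSL as the reply suggests.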