[2929] in WWW Security List Archive
Re: Passwords encrypted with SSL??
daemon@ATHENA.MIT.EDU (Adam Shostack)
Wed Sep 11 22:48:29 1996
From: Adam Shostack <adam@homeport.org>
To: rschuld@uhc.com (rob schuldt)
Date: Wed, 11 Sep 1996 21:22:36 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9609111536.AA71356@lochness.uhc.com> from "rob schuldt" at Sep 11, 96 10:36:58 am
Errors-To: owner-www-security@ns2.rutgers.edu
You're correct, Rob, but that doesn't make you right. S/key has a
number of useful features in an encrypted link, including the
possibility of *strong* passwords (getting a strong pseudo random with
something like ps axu | sha, and feeding that to keyinit & keyprint),
and a defined limitation on number of logins.
Adam
rob schuldt wrote:
| The basic authentication mechanism of HTTP protocol is fine except
| that it sends the password over the wire in the clear and would make it
| vulnerable for sniffers. Hence I was just wondering if you know of any
| initiatives/product that allows s/key authentication access for web
| pages. I've seen implementations of JAVA S/key calculators around the
| web and was just curious to find out if anyone has integrated it into
| a S/KEY authentication mechanism for web pages?
|
| Charles Lai
| ------------------------------
|
| Someone correct me if I'm wrong here: if you have an SSL connection between
| the server and the client browser, when the client attempts to access protected
| documents on your site, the server will prompt for the username and password
| to authenticate the user, the user then fills in this info and sends it across
| the wire encrypted by SSL. So the password is (relatively) safe going across
| the wire. Someone please tell me if I'm wrong on this one.
| Rob Schuldt humble intern
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
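
Added example, not part of the original message or of any S/Key implementation: a simplified model of the S/Key-style hash chain, showing the two properties mentioned above, a fixed number of logins per initialisation and a one-time password that is useless once it has been accepted. It substitutes SHA-256 for S/Key's folded MD4 function; `step`, `chain`, `Server`, `demo` and the seed value are names and values constructed for illustration.

```python
import hashlib
import secrets


def step(value: bytes) -> bytes:
    # One-way function. Assumption: SHA-256 stands in for S/Key's folded MD4.
    return hashlib.sha256(value).digest()


def chain(secret: bytes, seed: bytes, count: int) -> bytes:
    # Hash seed||secret once so the raw secret is never sent, then `count` more times.
    value = step(seed + secret)
    for _ in range(count):
        value = step(value)
    return value


class Server:
    # Stores only the last accepted OTP and the logins left, never the secret.
    def __init__(self, seed: bytes, logins: int, top: bytes):
        self.seed, self.remaining, self.stored = seed, logins, top

    def challenge(self):
        if self.remaining <= 0:
            raise RuntimeError("chain exhausted; user must re-initialise")
        return self.seed, self.remaining - 1  # sequence number for the client

    def verify(self, otp: bytes) -> bool:
        if self.remaining <= 0 or not secrets.compare_digest(step(otp), self.stored):
            return False
        self.stored = otp        # the next OTP must hash to this one
        self.remaining -= 1
        return True


def demo(logins: int = 3):
    secret = secrets.token_bytes(16)  # constructed strong secret from the OS CSPRNG
    seed = b"example-seed"            # constructed seed value
    server = Server(seed, logins, chain(secret, seed, logins))
    accepted, replayed = [], None
    for i in range(logins):
        s, n = server.challenge()
        otp = chain(secret, s, n)     # what crosses the wire for this login
        accepted.append(server.verify(otp))
        if i == 0:
            replayed = server.verify(otp)  # same OTP presented a second time
    return accepted, replayed, server.remaining
```

Calling `demo(3)` accepts three logins, rejects the repeated first password, and leaves the chain exhausted so the next `challenge()` raises until the user re-initialises.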