[352] in WWW Security List Archive
Re: Experimental implementation of SimpleMD5
daemon@ATHENA.MIT.EDU (Dave Kristol)
Thu Jan 26 15:14:37 1995
Date: Thu, 26 Jan 95 09:36:59 EST
From: dmk@allegra.att.com (Dave Kristol)
To: www-security@ns2.rutgers.edu
Cc: www-security@ns2.rutgers.edu
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I, too, have concerns about the added complexity of Phillip's proposal,
but this message concerns a much more mundane nit. Phillip describes
taking this function:
> MD5(username '@' domain ':' password)
(I assume "domain" is the fully-qualified domain name of the client,
as calculated by the server.)
Perhaps everyone else thinks of "username" as merely a sequence of
alphanumeric characters. However, it isn't so-restricted, and for
an application of ours, we actually use something like
    username@domain
where Phillip uses "username" above. A parsing ambiguity therefore
arises for something like
    username=dmk@foobar
    domain=research.att.com
    password=nevermind
giving
    dmk@foobar@research.att.com:nevermind
Although it's less esthetic, let me propose the function be rendered
    MD5(username:domain:password)
since ':' already had to be special.
Dave Kristol
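
[Added example, not part of the original message or of the SimpleMD5 proposal.] The ambiguity described above, shown in Python: with '@' as the separator, two different (username, domain) pairs hash to the same value, while the ':' rendering keeps them apart provided ':' is rejected in username and domain. The function names and the second username/domain split are assumptions made for illustration.

```python
import hashlib


def digest_at_form(username: str, domain: str, password: str) -> str:
    """Rendering quoted in the message: MD5(username '@' domain ':' password)."""
    data = f"{username}@{domain}:{password}".encode()
    return hashlib.md5(data).hexdigest()


def digest_colon_form(username: str, domain: str, password: str) -> str:
    """Rendering proposed in the message: MD5(username:domain:password).

    ':' is the reserved character, so it is rejected in username and domain.
    The password is the last field and may contain ':' without ambiguity,
    because the first two ':' always end the username and the domain.
    """
    for name, value in (("username", username), ("domain", domain)):
        if ":" in value:
            raise ValueError(f"':' is not allowed in {name}")
    data = f"{username}:{domain}:{password}".encode()
    return hashlib.md5(data).hexdigest()


# Constructed sample values. SPLIT_A is the triple from the message;
# SPLIT_B is a second, hypothetical triple that moves the '@' boundary.
SPLIT_A = ("dmk@foobar", "research.att.com", "nevermind")
SPLIT_B = ("dmk", "foobar@research.att.com", "nevermind")


def is_ambiguous(digest_fn) -> bool:
    """True if the two distinct triples produce the same digest."""
    return digest_fn(*SPLIT_A) == digest_fn(*SPLIT_B)


if __name__ == "__main__":
    print("'@' form ambiguous:", is_ambiguous(digest_at_form))
    print("':' form ambiguous:", is_ambiguous(digest_colon_form))
```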