On Sat, 2003-09-13 at 18:20, Mukund wrote:
> On Sat, Sep 13, 2003 at 05:49:00PM -0400, Garrett Rooney wrote:
> > Well, I was playing around this weekend, and I hacked something together
> > to do just that. It implements a new SASL mechanism, 'NAIVE', which has
> > the user send a username and an md5 encoded password over the wire to
> > the server, which authenticates them against a simple tab delimited file.
>
> In the same sense, HTTP's digest authentication is severely flawed, as
> the password each time computes to the same digest. The real password is
> safe, but this still does not provide real security.
>
> Have you looked at APOP authentication? It uses MD5 and passwords in a
> more nicer way. Authentication is 2-step. Upon connection, the server
> first responds with a random text string. Then the client is supposed to
> append the password to the text string, compute its MD5 and send it back
> to the server. At no two times are the computed hash the same, as the
> string returned by the server is random. The drawback of this method is
> that it requires the password to be stored in cleartext on the server
> side.
>
> CRAM-MD5 is also worth looking at.
I believe you're a little confused.
HTTP digest auth is not flawed in this manner; it has similar security
properties to APOP authentication. Check out RFC 2617 if you have to.
CRAM-MD5 is considered inferior to DIGEST-MD5 in the SASL world, mostly
because DIGEST-MD5 can provide a security layer instead of just
authentication at the beginning of the connection.
A full-blown DIGEST-MD5 implementation would be a significant amount of
code; it would probably be better to use a SASL library at that point.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Sep 14 00:40:52 2003