On Fri, 2003-07-11 at 13:18, Adam Aube wrote:
> >Digest, per se, doesn't require clear text password storage.
> >Squids supplied helper uses cleartext, but that is simply -a-
> >implementation. Squid itself never needs the cleartext password.
>
> Technically, yes - digest auth does not require the password to be
> stored in cleartext. However, as you pointed out, the Squid-supplied
> helper does, and I know of no other digest helper for Squid.
Well, there's a little project then :}. In point of fact, in 3.0 squid
can read pre-digested passwords in the supplied helper.
> Furthermore, since knowledge of the clear text password is needed
> to verify the digest sent, the password would need to be stored either
> in clear text or reversible encryption - unless I completely misunderstand
> how digest auth works (which is also quite possible).
You completely misunderstand how digest auth works. See RFC 2617 for the
spec..
> Digest could be improved upon by using a hash of the password instead
> of the password itself.
Digest -does- use a hash of the password. It' uses the MD5 of the
password, to be precise. (Thats Message Digest - thus the name)
Mozilla, IE, squid, apache, all use the MD5 - no cleartext passwords are
used for either verification or over the wire.
What is needed to verify the password is the HHA1 (see the spec), which
is MD5(user:realm:password) - possibly combined with one time nonces
from the client and the server (thats md5-sess, which we don't support
(yet)).
Once you have HHA1, then you can issue challenges and verify responses,
without knowledge of the password.
Rob
-- GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:56 MST