[Cryptography] Basic auth a bit too basic

Phillip Hallam-Baker phill at hallambaker.com
Wed Feb 10 19:58:47 EST 2016


On Wed, Feb 10, 2016 at 4:48 AM, William Allen Simpson
<william.allen.simpson at gmail.com> wrote:
> On 2/6/16 2:50 AM, Peter Gutmann wrote:
> # Someone just pointed out an interesting problem with HTTP basic auth,
> # published in 1999 as RFC 2617 and updated 15 years later as RFC 7617:
>
> On 2/8/16 11:54 AM, Phillip Hallam-Baker wrote:
>>
>> At the time, all IETF specs used password in the clear for
>> authentication except for Kerberos.
>>
> Or PPP CHAP (circa 1991).  Or swIPe cum IPsec (circa 1992-1993).
> Or Photuris (circa 1994-1995).
>
> Sadly, the HTTP folks refused to learn from earlier efforts.  I've
> always ascribed it to self-censorship in fear of large government
> agencies.  Or actual pressure.  And as we now know, payoffs.

Actually, I proposed what became DIGEST in 1993.

I reviewed the CHAP design and rejected it as unsuited. Photuris
didn't meet the requirement for being unencumbered because
Diffie-Hellman was still encumbered.

By the time people decided they wanted to do DIGEST as an RFC, I was
telling them to do a DH based scheme instead. But by that time all the
EKE variants were encumbered.
