Inside/outside users and identification (re Emory)

Albert Lunde Albert-Lunde at nwu.edu
Fri Apr 5 22:21:19 EST 1996


> We've been looking into tapping into the centralized authentication
> of our campus network - kerberos - to authenticate local users
> in a web context.  So far I have found out that it can be done,
> and that the further issue of passing the login/password in cleartext
> between the user's browser and the web server will cause a stir
> with the more security-minded folks in charge of the campus network.
>
> It is possible to use the security features of Netscape Commerce
> server or Apache with SSL (secure socket layer) to get the user's
> login/password in a secure manner.

Something to keep an eye on in this connection is the "Digest Authentication"
scheme, whose spec is still in Internet Draft form. It uses a challenge/
response scheme based on MD5 hashes to avoid sending passwords in
the clear, but does not encrypt the rest of the transaction.

There are a couple of implementations, based on earlier drafts of the spec,
but it's not widely available yet.

However, the HTTP working group wants to position it as a "light-weight"
authentication scheme to replace the clear-text passwords of "Basic
Authentication", for applications that don't need full encryption, just a
more secure authentication.

You can find a prototype server implementation and a pointer to the draft at:

http://hopf.math.nwu.edu/digestauth/

(These pages are maintained by John Franks, one of the authors of the spec.)

A down side of hash-based schemes is that they require storing passwords
in a different form than, say, Unix password files (sometimes clear text,
or I think in this case as a different hash).

---
    Albert Lunde                      Albert-Lunde at nwu.edu
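As an added example (not part of the post above, nor code from the digestauth prototype it links to), here is the basic Digest challenge/response computation in Python, in the form later published as RFC 2069: the client returns an MD5 response over the server's nonce, and the server keeps only the H(A1) hash rather than the password, which is the "different form" of storage the post mentions. The realm, user names and the single-use nonce check are assumptions for illustration.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # H(A1): the only password-derived value the server has to store
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    # response = H(H(A1) : nonce : H(A2)), with A2 = method:uri
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")


class DigestServer:
    """Server side. Holds H(A1) per user, never the cleartext password."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.ha1_store: dict[str, str] = {}
        self.live_nonces: set[str] = set()

    def add_user(self, username: str, password: str) -> None:
        self.ha1_store[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        # Fresh unpredictable nonce, sent in the WWW-Authenticate header
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str, response: str) -> bool:
        if nonce not in self.live_nonces:
            return False                    # unknown, expired or already-used nonce
        self.live_nonces.discard(nonce)     # assumption: single-use nonces, so a captured response cannot be replayed
        stored = self.ha1_store.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, nonce, method, uri)
        return secrets.compare_digest(expected, response)


def client_authenticate(server: DigestServer, username: str, password: str,
                        method: str, uri: str) -> tuple[str, str]:
    # Client side: only the nonce and the 32-hex-digit response cross the wire
    nonce = server.challenge()
    return nonce, digest_response(ha1(username, server.realm, password), nonce, method, uri)
```

An eavesdropper on the unencrypted connection sees the nonce and the response, not the password, which is the point of the scheme; the request and reply bodies still travel in the clear.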
More information about the Web4lib mailing list