Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2 (RFC4169)

IP.com Disclosure Number: IPCOM000130984D
Original Publication Date: 2005-Nov-01
Included in the Prior Art Database: 2005-Nov-04
Document File: 14 page(s) / 27K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

V. Torvinen: AUTHOR [+3]

Abstract

HTTP Digest, as specified in RFC 2617, is known to be vulnerable to man-in-the-middle attacks if the client fails to authenticate the server in TLS, or if the same passwords are used for authentication in some other context without TLS. This is a general problem that exists not just with HTTP Digest, but also with other IETF protocols that use tunneled authentication. This document specifies version 2 of the HTTP Digest AKA algorithm (RFC 3310). This algorithm can be implemented in a way that it is resistant to the man-in-the-middle attack.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 11% of the total text.

Network Working Group                                        V. Torvinen
Request for Comments: 4169                             Turku Polytechnic
Category: Informational                                         J. Arkko
                                                              M. Naslund
                                                                Ericsson
                                                           November 2005


     Hypertext Transfer Protocol (HTTP) Digest Authentication Using
            Authentication and Key Agreement (AKA) Version-2

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   HTTP Digest, as specified in RFC 2617, is known to be vulnerable to
   man-in-the-middle attacks if the client fails to authenticate the
   server in TLS, or if the same passwords are used for authentication
   in some other context without TLS.  This is a general problem that
   exists not just with HTTP Digest, but also with other IETF protocols
   that use tunneled authentication.  This document specifies version 2
   of the HTTP Digest AKA algorithm (RFC 3310).  This algorithm can be
   implemented in a way that it is resistant to the man-in-the-middle
   attack.

Torvinen                     Informational                      [Page 1]
RFC 4169                   HTTP Digest AKAv2               November 2005


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . .  4
   2.  HTTP Digest AKAv2  . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.  Password generation  . . . . . . . . . . . . . . . . . .  6
       2.2.  Session keys . . . . . . . . . . . . . . . . . . . . . .  6
   3.  Example Digest AKAv2 Operation . . . . . . . . . . . . . . . .  7
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
       4.1.  Multiple Authentication Schemes and Algorithms . . . . .  7
       4.2.  Session Protection . . . . . . . . . . . . . . . . . . .  7
       4.3.  Man-in-the-middle attacks  . . . . . . . . . . . . . . .  8
       4.4.  Entropy  . . . . . . . . . . . . . . . . . . . . . . . .  9
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
       5.1.  Registration Information . . . . . . . . . . ....