On Tue, 2005-07-12 at 14:26 +0800, Asif Saleem wrote:
> Does anyone know what is the use of the opaque string which is returned by
> the server in HTTP authentication? The RFC for HTTP authentication
> says it must be returned without change back to the server.
>
> Then what is the use of this string?
It was included as a convenience for the server; the idea was that the server could use it as a lookup hint when locating the authentication context. Using it is a Bad Idea (for the server - the client should just copy it and send it back as the spec says) because it is not included in the digested material, so it could be modified by a man-in-the-middle.

A better way to provide context is to incorporate it into the nonce itself, because the nonce cannot be modified by the client. This has to be done carefully; to be secure, a nonce value must:

- have enough randomness in it that it cannot be predicted in advance
- no one but the server can construct a value that the server will accept as a nonce.

--
Scott Lawrence, Consulting Engineer
Pingtel Corp. http://www.pingtel.com/
+1.781.938.5306 x162 or sip:[EMAIL PROTECTED]

_______________________________________________
Sip-implementors mailing list
[email protected]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
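The two points in the reply above (opaque is echoed but not digested, so the server must not trust it; context belongs in the nonce, which must be unpredictable and forgeable only by the server) can be shown in code. The following is an added example, not code from the poster or from Pingtel: it builds a nonce as timestamp:salt:context:HMAC under a server-only key (SERVER_KEY, NONCE_TTL, the context string and the alice/s3cret credential store are all constructed for the example), computes the RFC 2617 response with qop=auth, and verifies an Authorization header on the server side. The digest function takes no opaque input at all, so a tampered opaque still verifies, while a nonce whose embedded context has been rewritten without the key is rejected before the password is even consulted.

```python
import base64
import hashlib
import hmac
import os
import time

# Server-only secret used to bind context into the nonce (constructed for this example).
SERVER_KEY = os.urandom(32)
NONCE_TTL = 300  # seconds a nonce stays acceptable (assumed policy)


def make_nonce(context, key=SERVER_KEY, now=None):
    """Build a nonce of the form timestamp:salt:context:HMAC, base64-encoded.

    The random salt makes the value unpredictable; the HMAC means only the
    holder of the key can produce a nonce the server accepts, and any change
    to the embedded context invalidates the tag."""
    ts = str(int(time.time() if now is None else now))
    salt = os.urandom(8).hex()
    body = f"{ts}:{salt}:{context}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{body}:{tag}".encode()).decode()


def parse_nonce(nonce, key=SERVER_KEY, now=None, ttl=NONCE_TTL):
    """Return the embedded context if the nonce is authentic and fresh, else None."""
    try:
        raw = base64.b64decode(nonce, validate=True).decode()
        ts, salt, rest = raw.split(":", 2)
        context, tag = rest.rsplit(":", 1)   # context itself may contain ':'
        ts_int = int(ts)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, f"{ts}:{salt}:{context}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                          # forged or altered nonce
    age = int(time.time() if now is None else now) - ts_int
    if not 0 <= age <= ttl:
        return None                          # expired (or from the future)
    return context


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth. Note that opaque is not an input."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(params, method, lookup_password, now=None):
    """Validate the fields of an Authorization header (given as a dict).

    Returns the context recovered from the nonce on success, None on failure.
    params['opaque'] is something the client echoes; it is deliberately ignored."""
    context = parse_nonce(params["nonce"], now=now)
    if context is None:
        return None
    password = lookup_password(params["username"])
    if password is None:
        return None
    expected = digest_response(params["username"], params["realm"], password, method,
                               params["uri"], params["nonce"], params["nc"],
                               params["cnonce"], params.get("qop", "auth"))
    return context if hmac.compare_digest(expected, params["response"]) else None


def forge_context(nonce, new_context):
    """Rewrite the context inside a nonce without knowing the key, i.e. what an
    on-path party could attempt; parse_nonce must reject the result."""
    raw = base64.b64decode(nonce).decode()
    ts, salt, rest = raw.split(":", 2)
    _, tag = rest.rsplit(":", 1)
    return base64.b64encode(f"{ts}:{salt}:{new_context}:{tag}".encode()).decode()


if __name__ == "__main__":
    users = {"alice": "s3cret"}              # constructed credential store
    nonce = make_nonce("auth-ctx-42", now=1000)
    params = {"username": "alice", "realm": "example.org", "uri": "/private",
              "nonce": nonce, "nc": "00000001", "cnonce": "abcdef", "qop": "auth",
              "opaque": "server-hint"}
    params["response"] = digest_response("alice", "example.org", "s3cret", "GET",
                                         "/private", nonce, "00000001", "abcdef")
    print(server_verify(params, "GET", users.get, now=1010))   # auth-ctx-42
    params["opaque"] = "altered-in-transit"
    print(server_verify(params, "GET", users.get, now=1010))   # auth-ctx-42 (opaque is not checked)
    params["nonce"] = forge_context(nonce, "auth-ctx-99")
    print(server_verify(params, "GET", users.get, now=1010))   # None
```

The practical consequence for a server implementer is that anything it needs to trust about the challenge (which realm shard, which backend, which session) has to ride inside the nonce under the HMAC, and the opaque value can only ever be a non-security hint that is re-validated against the nonce contents.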
