Re: Where do the random numbers come from?

From: Simon Tatham (anakin_at_pobox.com)
Date: 02/10/05


Date: 10 Feb 2005 11:31:06 +0000 (GMT)

Bjoern <bjoern_p1@gmx.net> wrote:
[session hijacking in HTTP Digest]
> Wouldn't it be possible to create a hash over all the commands, not just
> the password, though?

Yes, that would certainly be a better idea. I had assumed from the
phrase `HTTP Digest' that that wasn't what you meant.

(Although I haven't thought this out in detail, so I can't be sure
it's entirely secure. One possible attack that springs to mind is a
hash extension attack - most commonly used hash functions such as
MD5 and SHA-1 permit you, given the hash of an unknown plaintext, to
construct the hash of a different plaintext beginning with the
original plaintext. This is why message authenticators such as HMAC
hash things _twice_, so that the outer hash is a hash of a piece of
data of known _length_; so no hash of a longer message constructed
by an attacker can possibly make a plausible substitute.)

-- 
Simon Tatham         "The difference between theory and practice is
<anakin@pobox.com>    that, in theory, there is no difference."
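The property Simon describes, as an added illustration (not code from the post): a toy Merkle-Damgard hash with a constructed key and message, showing that the digest of `secret || data` lets anyone who knows only the secret's length compute a valid digest for a longer message, while the double-hash (HMAC-style) construction gives the extension no foothold. Block size, IV, compression function, key and messages are all assumptions of this toy, not any real hash.

```python
import hashlib
import hmac

BLOCK = 16            # toy block size in bytes (assumption)
IV = b"\x00" * 8      # toy 8-byte initial state (assumption)

def _pad(length):
    """Merkle-Damgard strengthening: 0x80, zeros, then the 8-byte message length."""
    pad = b"\x80" + b"\x00" * ((BLOCK - 9 - length) % BLOCK)
    return pad + length.to_bytes(8, "big")

def _compress(state, block):
    """Toy compression function: SHA-256 used as an idealised mixer, not a real design."""
    return hashlib.sha256(state + block).digest()[:8]

def md_hash(msg, state=IV, total_len=None):
    """Toy Merkle-Damgard hash; state/total_len allow resuming from a known digest."""
    total_len = len(msg) if total_len is None else total_len
    data = msg + _pad(total_len)
    for i in range(0, len(data), BLOCK):
        state = _compress(state, data[i:i + BLOCK])
    return state

def naive_mac(key, msg):
    """The construction the post warns about: hash(secret || data)."""
    return md_hash(key + msg)

def extend(digest, key_len, msg, suffix):
    """Length extension: from the digest of key||msg and key_len alone, derive the
    digest of key||msg||glue||suffix (the chaining state is the digest itself)."""
    glue = _pad(key_len + len(msg))
    forged_msg = msg + glue + suffix
    forged_digest = md_hash(suffix, state=digest, total_len=key_len + len(forged_msg))
    return forged_msg, forged_digest

def double_mac(key, msg):
    """HMAC-style: outer hash covers a fixed-length inner digest, so no longer
    message can be substituted for it."""
    return md_hash(key + md_hash(key + msg))

def verify(mac_fn, key, msg, tag):
    """Verifier side: recompute and compare in constant time."""
    return hmac.compare_digest(mac_fn(key, msg), tag)

# Constructed sample: a 7-byte secret and a request line to authenticate.
KEY = b"secret!"
MSG = b"GET /transfer?amount=10"
```

With `naive_mac`, `extend` yields a message and tag that `verify` accepts; with `double_mac`, the same extension fails.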