{"id":3826,"date":"2010-08-12T08:28:31","date_gmt":"2010-08-12T12:28:31","guid":{"rendered":"http:\/\/www.schollnick.net\/wordpress\/?p=3826"},"modified":"2010-08-12T08:28:31","modified_gmt":"2010-08-12T12:28:31","slug":"indigo-server-authentication","status":"publish","type":"post","link":"http:\/\/www.schollnick.net\/wordpress\/2010\/08\/indigo-server-authentication\/","title":{"rendered":"Indigo Server authentication"},"content":{"rendered":"<p>I am working on a Python wrapper around the Indigo RESTful interface, and discovered that the Indigo Server requires remote logins to use a Digest-based password. Is this good? Yes, indeed it is. Digest authentication is designed to be significantly more secure, and when you&#8217;re talking about the security of your home automation you would prefer it to be secure.<\/p>\n<p>But what is Digest Access Authentication? Digest access authentication was originally specified in RFC 2069. In this scheme, the password is combined with a nonce (number used once) and used to calculate an MD5 digest of the password. So no plain-text passwords are sent, and due to the nonce (among other things) the digest is not a simple reversible hash of your password.<\/p>\n<p>What does the nonce do to help? Why a nonce? It makes the value being digested change each time there is an authentication challenge, which makes replay attacks and dictionary attacks against the digest virtually impossible.<\/p>\n<p>But this security is not impossible to defeat. Consider a password that is too simple, for example 12345. 
In theory, an attacker could attempt a brute-force attack and see whether they could match a valid password digest.<\/p>\n<h3>Advantages<\/h3>\n<p>HTTP digest authentication is designed to be more secure than traditional digest authentication schemes; e.g., &#8220;significantly stronger than (e.g.) CRAM-MD5&#8221;.<\/p>\n<p>Some of the security strengths of HTTP digest authentication are:<\/p>\n<ul>\n<li>The password is not used directly in the digest, but rather HA1 = MD5(username:realm:password). This allows some implementations to store HA1 rather than the cleartext password.<\/li>\n<li>The client nonce was introduced in RFC 2617, which allows the client to prevent chosen-plaintext attacks (which otherwise make e.g. rainbow tables a threat to digest authentication schemes).<\/li>\n<li>The server nonce is allowed to contain timestamps. Therefore the server may inspect nonce attributes submitted by clients to prevent replay attacks.<\/li>\n<li>The server is also allowed to maintain a list of recently issued or used server nonce values to prevent reuse.<\/li>\n<\/ul>\n<h3>Disadvantages<\/h3>\n<p>Digest access authentication is intended as a security trade-off. It is intended to replace unencrypted HTTP basic access authentication, which is extremely weak. 
It is not, however, intended to replace strong authentication protocols, such as public-key or Kerberos authentication.<\/p>\n<p>In terms of security, there are several drawbacks with digest access authentication:<\/p>\n<ul>\n<li>Many of the security options in RFC 2617 are optional. If quality-of-protection (qop) is not specified by the server, the client will operate in a security-reduced legacy RFC 2069 mode.<\/li>\n<li>Digest access authentication is vulnerable to a man-in-the-middle (MitM) attack. For example, a MitM attacker could tell clients to use basic access authentication or the legacy RFC 2069 digest access authentication mode. To extend this further, digest access authentication provides no mechanism for clients to verify the server&#8217;s identity.<\/li>\n<li>Some servers require passwords to be stored using reversible encryption. However, it is possible to instead store the digested value of the username, realm, and password.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I am working on a Python wrapper around the Indigo RESTful interface, and discovered that the Indigo Server requires remote logins to use a Digest-based password. Is this good? Yes, indeed it is. 
Digest authentication is designed to be significantly more secure, and when you&#8217;re talking about the security of your home <a class=\"read-more\" href=\"http:\/\/www.schollnick.net\/wordpress\/2010\/08\/indigo-server-authentication\/\">[&hellip;]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[12,68,4,129],"tags":[111,71,1838],"_links":{"self":[{"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/posts\/3826"}],"collection":[{"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/comments?post=3826"}],"version-history":[{"count":0,"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/posts\/3826\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/media?parent=3826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/categories?post=3826"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.schollnick.net\/wordpress\/wp-json\/wp\/v2\/tags?post=3826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}