IIS Server Security - How secure is Digest Mode compared to Integrated Authentication

K12-Jammer

2007-01-25, 7:24 pm

While researching authentication on IIS I saw there were 3 options for
authentication: Basic, Digest and Integrated Authentication.

My requirements are that this works both on the Intranet and Internet. I
would also prefer that the user enter only his short username and password
(e.g. bsmith) rather than the long username and password (e.g.
bsmith@mydomane.com). So, I am limited to use of Basic and Digest.

From a security perspective I know that Basic is not acceptable because it
passes passwords in clear text. I will give it a security rating of 1 and
won't use it.

Integrated Authentication I will give a security rating of 9 but can't use it.

What relative rating would you say that Digest is? What are the dangers of
digest from a security perspective.

Thanks for your opinions and/or knowledge.

Jim


1. Basic

--
Jim R
David Wang

2007-01-26, 7:23 pm

Why don't you have two websites pointing to the same content on the
webserver. Both websites are identical in behavior except one is facing
Internet and other is Intranet. Configure Integrated authentication on
the Intranet facing website, and debate over the proper setting of
the Internet-facing website.

In other words, is your requirement that:
a. users must authenticate with the same protocol over Intranet and
Internet OR
b. users must authenticate with *some* protocol from the Intranet and
Internet.

These are two different types of requirements. One is a requirement for
authenticated users. The other is a requirement for a certain
authentication protocol.

FYI: All authentication protocols have their advantages and
disadvantages, and a "one size fits all" approach rarely fits for any
given protocol. If there was a protocol that works in all cases, why
would multiple protocols remain???

For example, the spec for Digest Authentication makes clear its
plus/minus in relation to Basic authentication -- in particular, read
section 3 on bottom of page 12 through 15 for weakness in Digest.
http://www.w3.org/Protocols/rfc2069/rfc2069

Short summary:
- Digest is barely better than Basic in that it doesn't pass the
username:password in cleartext but rather a hash of the
username:password in cleartext. It still suffers all other security
flaws of Basic (man-in-the-middle, replay, snooping, delegation,
spoofing).
- Integrated authentication auto-negotiates between two protocols, NTLM
and Kerberos. Both protocols have strong defense against
man-in-the-middle, replay, snooping, and spoofing attacks, and Kerberos
can support delegation properly while NTLM cannot (hence NTLM has the
well-known double-hop failure).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




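As an added example (not code from the thread or from IIS), the RFC 2069 Digest computation David points to, with a server-side verifier that stores only the per-user hash and rejects a reused nonce, which is the replay weakness he lists; Basic's base64 encoding sits beside it for comparison. The realm, usernames, passwords and nonces are constructed values.

```python
import base64
import hashlib
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def basic_authorization(user: str, password: str) -> str:
    # Basic: credentials are only base64-encoded, so any observer reverses them.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header: str) -> str:
    return base64.b64decode(header.split(" ", 1)[1]).decode()

def digest_response(user, realm, password, method, uri, nonce) -> str:
    # RFC 2069: response = H( H(user:realm:password) : nonce : H(method:uri) )
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestVerifier:
    """Server side (constructed): keeps only HA1 per user, never the password,
    and records which of its own nonces have already been used."""
    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user = {}
        self.issued = set()
        self.spent = set()

    def add_user(self, user: str, password: str) -> None:
        self.ha1_by_user[user] = md5_hex(f"{user}:{self.realm}:{password}")

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)   # fresh, unpredictable challenge
        self.issued.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response, one_time=True) -> bool:
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None or nonce not in self.issued:
            return False
        if one_time and nonce in self.spent:
            return False            # same nonce seen before: treat as a replay
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False
        self.spent.add(nonce)
        return True
```

With `one_time=False` the verifier behaves like a server that never tracks nonce use, and a captured response verifies a second time; with the default it does not.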


Copyright 2003 - 2008 webservertalk.com