IIS Server Security - Re: How secure is Digest Mode compared to Integrated Authenticatio


Author: K12-Jammer
2007-01-29, 1:17 pm

David,

Thank you for your summary statement and for your reference to the w3.org
document which delineates the weaknesses of Digest mode. I will surely read
that document.

I think that your summary statement, however, will dictate that I not use
Digest mode.

In my situation, the actual secure documents are much less valuable than
password integrity is. It won't ruin my organization if an outsider sees one
of these "secure" documents but I don't want them to be able to get my users'
passwords.

Thanks for being so knowledgeable on this stuff.
--
Jim R


"David Wang" wrote:

> Why don't you have two websites pointing to the same content on the
> webserver. Both websites are identical in behavior except one is facing
> Internet and other is Intranet. Configure Integrated authentication on
> the Intranet facing website, and debate over the proper setting of
> the Internet-facing website.
>
> In other words, is your requirement that:
> a. users must authenticate with the same protocol over Intranet and
> Internet OR
> b. users must authenticate with *some* protocol from the Intranet and
> Internet.
>
> These are two different types of requirements. One is a requirement for
> authenticated users. The other is a requirement for a certain
> authentication protocol.
>
> FYI: All authentication protocols have their advantages and
> disadvantages, and a "one size fits all" approach rarely fits for any
> given protocol. If there were a protocol that works in all cases, why
> would multiple protocols remain?
>
> For example, the spec for Digest Authentication makes clear its
> plus/minus in relation to Basic authentication -- in particular, read
> section 3 on bottom of page 12 through 15 for weakness in Digest.
> http://www.w3.org/Protocols/rfc2069/rfc2069
>
> Short summary:
> - Digest is barely better than Basic in that it doesn't pass the
> username:password in cleartext but rather a hash of the
> username:password in cleartext. It still suffers all other security
> flaws of Basic (man-in-the-middle, replay, snooping, delegation,
> spoofing).
> - Integrated authentication auto-negotiates between two protocols, NTLM
> and Kerberos. Both protocols have strong defense against
> man-in-the-middle, replay, snooping, and spoofing attacks, and Kerberos
> can support delegation properly while NTLM cannot (hence NTLM has the
> well-known double-hop failure).
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Jan 25, 12:26 pm, K12-Jammer <K12Jam...@discussions.microsoft.com>
> wrote:
>
>
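The Digest exchange David summarises above, carried through in Python as an added example (it is not code from the thread, from IIS or from Microsoft). It computes the RFC 2069 response the client sends, checks it on the server side with one-time nonces, and then shows the point that matters for Jim's concern about password exposure: everything an eavesdropper needs to test a password guess (username, realm, nonce, URI, response) is in the captured header, so a sniffed Digest exchange yields to an offline dictionary attack, while Basic simply decodes. It also shows that replay rejection in Digest depends entirely on the server consuming nonces. The realm, nonce, user name, password and word list are constructed for the demonstration.

```python
"""Digest Authentication (RFC 2069 form) end to end: client response,
server check with one-time nonces, eavesdropper's offline attack, and
Basic for contrast. All values below are constructed for the example."""
import base64
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri) -> str:
    """RFC 2069: HA1 = MD5(username:realm:password) is the only term that
    carries the secret; HA2 = MD5(method:uri); response = MD5(HA1:nonce:HA2).
    RFC 2617 adds qop/cnonce/nc to the last step; omitted here because the
    thread cites RFC 2069."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_authorization_header(username, realm, password, nonce, method, uri):
    """Authorization header as the client sends it: everything except the
    password is in the clear, and the password only as MD5 material."""
    response = digest_response(username, realm, password, nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_digest_header(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def server_verify(header, method, realm, password_db, live_nonces) -> bool:
    """live_nonces: nonces this server issued and has not yet seen used.
    A nonce is consumed on success, so a captured header replayed here is
    rejected. A server that reuses or never expires nonces is replayable."""
    fields = parse_digest_header(header)
    user = fields.get("username")
    if fields.get("realm") != realm or user not in password_db:
        return False
    if fields.get("nonce") not in live_nonces:
        return False  # unknown, expired or already-used nonce
    expected = digest_response(user, realm, password_db[user],
                               fields["nonce"], method, fields.get("uri", ""))
    if not hmac.compare_digest(expected, fields.get("response", "")):
        return False
    live_nonces.discard(fields["nonce"])
    return True


def crack_captured_digest(header, method, wordlist):
    """Eavesdropper: username, realm, nonce and uri are all in the captured
    header, so each guess costs three MD5s and no contact with the server."""
    fields = parse_digest_header(header)
    for guess in wordlist:
        candidate = digest_response(fields["username"], fields["realm"], guess,
                                    fields["nonce"], method, fields["uri"])
        if candidate == fields["response"]:
            return guess
    return None


def basic_credentials(header: str):
    """Basic for contrast: the password decodes directly, no guessing needed."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
    return user, password


# Constructed demonstration values (not from the thread).
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
PASSWORD_DB = {"jim": "winter2007"}
WORDLIST = ["password", "letmein", "Welcome1", "winter2007"]


def demo():
    live_nonces = {NONCE}
    hdr = digest_authorization_header("jim", "school", "winter2007",
                                      NONCE, "GET", "/secure/report.pdf")
    first = server_verify(hdr, "GET", "school", PASSWORD_DB, live_nonces)
    replay = server_verify(hdr, "GET", "school", PASSWORD_DB, live_nonces)
    cracked = crack_captured_digest(hdr, "GET", WORDLIST)
    basic = basic_credentials("Basic " + base64.b64encode(b"jim:winter2007").decode())
    return first, replay, cracked, basic


if __name__ == "__main__":
    print(demo())  # (True, False, 'winter2007', ('jim', 'winter2007'))
```

The digest cracks because every input other than the password is public and MD5 is fast; a strong password survives the word list, but nothing in the protocol prevents the attacker from trying as many guesses as they like offline. Note also that HA2 binds the method and URI, so a header captured for one request fails for another, and that the replay rejection comes from the server's nonce bookkeeping, not from the digest itself.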


Copyright 2003 - 2008 webservertalk.com