A4: Generating Authentication-Info and response #66

Open · Neyo-odu opened this issue Nov 7, 2019 · 4 comments

Labels: Question (Need some information), Resolved (The issue is resolved or got answered)

Comments

@Neyo-odu (Contributor) commented Nov 7, 2019

Hello,

I'm having some trouble with generating the response and Authentication-Info hash in my assignment. According to the slides (assuming we're using MD5), response = `md5(md5(A1):nonce:ncount:cnonce:qop:md5(A2))` and Authentication-Info = `md5(:URI)`; unless I'm misunderstanding, this is not producing the expected results in my code. Any help is appreciated, thank you.

@ibnesayeed ibnesayeed added the Question Need some information label Nov 7, 2019
@ibnesayeed (Collaborator) commented:

Were you able to resolve your issue after our discussion in the last lecture?

@felixvelariusbos (Contributor) commented:

Hey, I'm still having trouble with this one. I am currently returning something like this for Authentication-Info:

```
Authentication-Info: cnonce="014a54548c61ba03827ef6a4dc2f7b4c", nc="00000001", qop=auth
```

From that I get `ASSERTION: Authentication-Info header should contain bd71b2ef47de1e9c3d1e4a0382f41982, returned cnonce="014a54548c61ba03827ef6a4dc2f7b4c", nc="00000001", qop=auth`. Not sure what I'm doing wrong here. The only idea I have is I'm supposed to include something based on my generated nonce...?

My implementation was based on this spec + example for Authentication-Info from the lecture 8 slides. I chose to only return the required fields (not the optional ones), mostly since I wasn't sure what to do with the others.

```
Authentication-Info:
(1) nextnonce="1a28b7102dd2f0e8b11d0f600bfbdd441",
(2) qop=auth,
(3) rspauth="d3b07384d113edec49eaa6238ad5ff00",
(4) nc=00000001,
(5) cnonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"

(1) Optional, allows one-time nonce values (at expense of efficiency; consider nonce count instead)
(2) Quality of protection: authentication, authentication with integrity
(3) Optional, supports mutual authentication (server knows client's password)
(4) Nonce count -- how many times this nonce has been used
(5) Client-generated nonce
```

```http
GET http://www.cs.odu.edu:80/~mln/teaching/cs595-s09/a4-test/limited2/foo/bar.txt HTTP/1.1
Authorization: Digest username="mln", realm="Colonial Place",
 uri="http://www.cs.odu.edu:80/~mln/teaching/cs595-s09/a4-test/limited2/foo/bar.txt",
 qop=auth, nonce="AARmQ3eCGoo=642d940339fe011ff1eb3d026d9ed55266b61183",
 nc=00000001, cnonce="014a54548c61ba03827ef6a4dc2f7b4c", response="099f6f84cd7d2ff4e92d01adea40b2a9"
Host: www.cs.odu.edu
Connection: close

HTTP/1.1 200 OK
Date: Sun, 29 Mar 2009 15:17:40 GMT
Server: Apache/2.2.0
Authentication-Info: rspauth="e3cd2569795632cca41d52a4610ed4c3",
 cnonce="014a54548c61ba03827ef6a4dc2f7b4c", nc=00000001, qop=auth
Last-Modified: Fri, 09 Jan 2009 16:53:23 GMT
ETag: "13267f-12-985006c0"
Accept-Ranges: bytes
Content-Length: 18
Connection: close
Content-Type: text/plain
```

@ibnesayeed (Collaborator) commented:

> My implementation was based on this spec + example for Authentication-Info from the lecture 8 slides. I chose to only return the required fields (not the optional ones), mostly since I wasn't sure what to do with the others.

If you read RFC 2617 you will know what each field is doing, how they are generated, and in what circumstances they might be optional. In this case, we do not expect the `nextnonce` field because that is only needed when a nonce is generated each time. By including the nonce count (i.e., `nc`) and incrementing it in subsequent responses we are supporting the feature of reusing a nonce a few times. We discussed these things in the main lecture, and again a couple of weeks ago we revisited these points in the lecture. Here, your tests are failing because the tester expects the `rspauth` attribute with an appropriate value, because the server does know user passwords in this case (in fact the hash of username, realm, and password combined).
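The `rspauth` computation the tester is looking for, worked through as an added example (not the course's code or either poster's): per RFC 2617 the server computes `rspauth` exactly like the client's `response`, except that A2 is built from an empty method, i.e. `":" digest-uri-value`, and it only emits it after the client's `response` has verified against the stored H(A1). The password, the request URI and the `demo_authorization()` header below are constructed for the demo; the nonce and cnonce values are taken from the slide example.

```python
import hashlib
import hmac
import re

def h_md5(s: str) -> str:
    """H() of RFC 2617 with algorithm=MD5."""
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1): what the server stores instead of the clear-text password."""
    return h_md5(f"{username}:{realm}:{password}")

def request_digest(ha1_hex: str, p: dict, ha2_hex: str) -> str:
    """qop=auth: KD(H(A1), data) = H(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))."""
    return h_md5(f"{ha1_hex}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2_hex}")

def client_response(ha1_hex: str, method: str, p: dict) -> str:
    """Authorization response: A2 = Method ":" digest-uri-value."""
    return request_digest(ha1_hex, p, h_md5(f"{method}:{p['uri']}"))

def rspauth(ha1_hex: str, p: dict) -> str:
    """Authentication-Info rspauth: same, but A2 = ":" digest-uri-value (empty method)."""
    return request_digest(ha1_hex, p, h_md5(f":{p['uri']}"))

def parse_digest(value: str) -> dict:
    """Split 'k=v, k="v"' params of a Digest header; folded continuation lines are fine."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s,]+)', value)}

def verify_and_respond(authorization: str, method: str, ha1_hex: str):
    """Server side: check the client's response; return the Authentication-Info
    header value on success, None on failure (never emit rspauth for a bad login)."""
    p = parse_digest(authorization.split(None, 1)[1])
    if not hmac.compare_digest(client_response(ha1_hex, method, p), p.get("response", "")):
        return None
    return f'rspauth="{rspauth(ha1_hex, p)}", cnonce="{p["cnonce"]}", nc={p["nc"]}, qop={p["qop"]}'

# Constructed demo: nonce/cnonce from the slide example, the password is made up here.
DEMO_HA1 = ha1("mln", "Colonial Place", "constructed-demo-password")
DEMO_PARAMS = {
    "uri": "/~mln/teaching/cs595-s09/a4-test/limited2/foo/bar.txt",
    "nonce": "AARmQ3eCGoo=642d940339fe011ff1eb3d026d9ed55266b61183",
    "nc": "00000001", "cnonce": "014a54548c61ba03827ef6a4dc2f7b4c", "qop": "auth",
}

def demo_authorization() -> str:
    """Build the Authorization header a correct client would send for DEMO_PARAMS."""
    return (f'Digest username="mln", realm="Colonial Place", uri="{DEMO_PARAMS["uri"]}", qop=auth,\n'
            f' nonce="{DEMO_PARAMS["nonce"]}", nc={DEMO_PARAMS["nc"]}, cnonce="{DEMO_PARAMS["cnonce"]}",\n'
            f' response="{client_response(DEMO_HA1, "GET", DEMO_PARAMS)}"')
```

Note that `nc` is emitted unquoted, as in the slide example, and that a wrong password or a different method makes `verify_and_respond` return `None` rather than an Authentication-Info header.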

@felixvelariusbos (Contributor) commented:

Apologies, hadn't seen we were putting in rspauth. It is in there now and working, thanks!

@ibnesayeed ibnesayeed added the Resolved The issue is resolved or got answered label Nov 21, 2019
3 participants