IIS – Advanced Digest Authentication is MD5-SESS – Tales from the Crypto

IIS – Advanced Digest Authentication is MD5-SESS

Reviewing the security for another application today, I find that it relies on Digest Authentication, which is a horrible thing to do to a secure system.

Why is that? Because it requires that you enable the check-box labeled “Store Passwords Using Reversible Encryption” (and once you’ve done so, any users who want to use Digest Authentication have to change their password, so that their password can be stored decryptably).

This is such a horrible thing to do that Microsoft frequently refers to this as storing passwords “in plaintext”. There’s really not much difference – anyone who can get access to the encrypted store will be able to decrypt the passwords.

Fortunately in IIS 6, along comes Advanced Digest Authentication. Now, this is not exactly described very clearly, and in some cases, the description says some really bad things – one description I found implies that this method hashes the user name, domain, and password, and then waits for the browser to send exactly that same hash in order to identify itself.

Fortunately, that’s not the case – the people in IIS are not idiots. What appears to be the case, and it’s almost impossible to find documentation backing this up (probably because of the “Not Invented Here” syndrome), is that what Microsoft terms “Advanced Digest Authentication” is nothing more complicated than the MD5-SESS Digest Authentication described in RFC 2617.

That does hash the username, password and domain name (or realm, if you want the proper term), and stores that at the server. But it’s not what it looks for from the client. The client takes that hash, appends a nonce provided by the server, and one provided by the client, and hashes that string.

This process of “take a hash, add something random to it, and hash it again” is a fairly common procedure in security protocols, and is designed to avoid replay attacks while simultaneously avoiding the use of stored passwords.

This is great… with one caveat. Now, the hash of the username, password and realm are essentially the password to that realm. If you were the sort of nasty person that could get a hold of the reversibly encrypted password, and decrypt it, you could just as easily get a hold of the hash – and that’s all you need to generate the Advanced Digest Authentication message.

All is not lost, though – this only allows an administrator of the realm to get access to his own realm as if he were one of his own users. The “rogue administrator” problem is one that doesn’t have a good solution (except for “trust your administrators not to go rogue”), and is rightly treated as a problem not worth investigating for most systems.

What was allowed under the old Digest Authentication is that the administrator could fetch the clear-text version of the user’s password, which is almost certainly the same as that user’s password on another system. Now this is a problem worth tackling, and the Advanced Digest Authentication method adequately prevents this from occurring. The administrator can only fetch a hash, and that hash is no use outside of his domain.

Oh, and those hashes are still only generated when the password is created, set, or changed, so as a result, if you change the realm, all users have to change their password again. I’m not quite sure if you have to do this when enabling the Advanced Digest Authentication feature.

Leave a Reply

Your email address will not be published. Required fields are marked *