That’s an attack against a signature where you know the content and the length of the
secret. In a challenge response protocol this information is not known.
On Jan 8, 2014, at 3:24 PM, Radoslaw Rodak <rodakr(a)gmx.ch> wrote:
It starts to be interesting :-)
Whats about hash length extension attack...
Am 08.01.2014 um 21:54 schrieb Jason Greene <jason.greene(a)redhat.com>:
> On Jan 8, 2014, at 2:00 PM, Aleksandar Kostadinov <akostadi(a)redhat.com> wrote:
>> I'm not sure what other auth mechanism you are talking about. There
>> might be something new and very elaborated.
> Just a SHA based digest vs an MD5 one
>> But the problem with non-encrypted connections is that any hash could be
>> used without the need to recover the plain text password. With cookies,
>> one can sniff and use them.
> That’s not true. Digest is a challenge response protocol that uses a nonce as part of
the sent hash. A packet sniffed hash can’t be replayed.
> Jason T. Greene
> WildFly Lead / JBoss EAP Platform Architect
> JBoss, a division of Red Hat
> wildfly-dev mailing list
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat