cs531-f19 / discussions

Discussions board for CS 431/531 Web Server Design course

A4: Generating Authentication-Info and response #66

Open Neyo-odu opened 4 years ago

Neyo-odu commented 4 years ago

Hello,

I'm having some trouble with generating the response and Authentication-Info hash in my assignment. According to the slides (assuming we're using md5), response = md5(md5(A1):nonce:ncount:cnonce:qop:md5(A2)) and Authentication-Info = md5(:URI). Unless I'm misunderstanding, this is not producing the expected results in my code. Any help is appreciated, thank you.

ibnesayeed commented 4 years ago

Were you able to resolve your issue after our discussion in the last lecture?

felixvelariusbos commented 4 years ago

Hey, I'm still having trouble with this one. I am currently returning something like this for Authentication-Info:

Authentication-Info: cnonce="014a54548c61ba03827ef6a4dc2f7b4c", nc="00000001", qop=auth

From that I get an "ASSERTION: Authentication-Info header should contain bd71b2ef47de1e9c3d1e4a0382f41982, returned cnonce="014a54548c61ba03827ef6a4dc2f7b4c", nc="00000001", qop=auth". Not sure what I'm doing wrong here. The only idea I have is that I'm supposed to include something based on my generated nonce...?

My implementation was based on this spec + example for Authentication-Info from lecture 8 slides. I chose to only return the required (not optional) fields, mostly since I wasn't sure what to do with the others.

Authentication-Info:
(1) nextnonce="1a28b7102dd2f0e8b11d0f600bfbdd441",
(2) qop=auth,
(3) rspauth="d3b07384d113edec49eaa6238ad5ff00",
(4) nc=00000001,
(5) cnonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"
(1) Optional, allows 1 time nonce values (at expense of efficiency; consider nonce count instead)
(2) Quality of protection: authentication, authentication with integrity
(3) Optional, supports mutual authentication (server knows client’s password)
(4) Nonce count -- how many times this nonce has been used
(5) Client-generated nonce
GET http://www.cs.odu.edu:80/~mln/teaching/cs595-s09/a4-test/limited2/foo/bar.txt HTTP/1.1
Authorization: Digest username="mln", realm="Colonial Place",
 uri="http://www.cs.odu.edu:80/~mln/teaching/cs595-s09/a4-test/limited2/foo/bar.txt",
 qop=auth, nonce="AARmQ3eCGoo=642d940339fe011ff1eb3d026d9ed55266b61183",
 nc=00000001, cnonce="014a54548c61ba03827ef6a4dc2f7b4c", response="099f6f84cd7d2ff4e92d01adea40b2a9"
Host: www.cs.odu.edu
Connection: close
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2009 15:17:40 GMT
Server: Apache/2.2.0
Authentication-Info: rspauth="e3cd2569795632cca41d52a4610ed4c3",
 cnonce="014a54548c61ba03827ef6a4dc2f7b4c", nc=00000001, qop=auth
Last-Modified: Fri, 09 Jan 2009 16:53:23 GMT
ETag: "13267f-12-985006c0"
Accept-Ranges: bytes
Content-Length: 18
Connection: close
Content-Type: text/plain

ibnesayeed commented 4 years ago

> My implementation was based on this spec + example for Authentication-Info from lecture 8 slides. I chose to only return the required (not optional) fields, mostly since I wasn't sure what to do with the others.

If you read RFC 2617 you will know what each field is doing, how they are generated, and in what circumstances they might be optional. In this case, we do not expect the nextnonce field because that is only needed when a nonce is generated each time. By including the nonce count (i.e., nc) and incrementing it in subsequent responses we are supporting the feature of reusing a nonce a few times. We discussed these things in the main lecture and again a couple of weeks ago we revisited these points in the lecture. Here, your tests are failing because the tester expects the `rspauth` attribute with an appropriate value, because the server does know user passwords in this case (in fact the hash of username, realm, and password combined).

felixvelariusbos commented 4 years ago

Apologies, hadn't seen we were putting in rspauth. It is in there now and working, thanks!