Insecure WWW Access Authorization Protocol?

michael shiplett (
Sun, 6 Mar 1994 17:16:30 --100

I had a colleague look over a proposed Kerberos-based HTTP
authentication protocol I had closely based on the PEM/PGP & RIPEM
exchanges. He pointed out that a man-in-the-middle attack could allow
an evil entity to masquerade as the server since the exchange goes
from cleartext to encrypted.

Alice wishes to access Bob's server.
Mallot is in position to intercept all of Alice's requests.
Alice sends a cleartext request for a restricted file from Bob.
Mallot intercepts the request.
Mallot sends Alice a response containing information for
authenticating to Mallot's server.
Alice sends a request encrypted for Mallot's server.
Mallot decrypts the request..
Mallot sends valid mutual authenticator to Alice.
Mallot has successfully spoofed Bob's server.

Unless Alice knows how to authenticate to Bob prior to initiating
the transaction, Mallot will be able to subvert Alice's request. The
basic flaw is Alice relies on the "401 Unauthorized" response for
authentication information, e.g., public key, Kerberos principal, etc.

I think this attack would work against any authentication
protocol following the WWW Access Authorization protocol examples.