
qop=auth in Digest access authentication


yawnmoth

Dec 23, 2009, 1:13:07 AM
From RFC2617#page-10:

"cnonce
This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field. The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, to provide mutual authentication, and to provide some message integrity protection. See the descriptions below of the calculation of the response-digest and request-digest values."

How does one conduct the types of attacks cnonce is supposed to
protect against?

A chosen plaintext attack against an RSA implementation that doesn't
use randomized padding involves you guessing what the victim might
choose as their plaintext. If the resultant ciphertext matches the
target's ciphertext then you know what their plaintext was.

A chosen plaintext attack against an XOR based encryption system
involves you XOR'ing the ciphertext against the plaintext you chose to
get the key.

But what does a chosen plaintext attack against digest access
authentication look like? You can still generate the same hash as
your target by guessing their password and by using their cnonce and
the server's nonce. The only thing I can figure is that one nonce
might be more difficult to predict than the other, but I'm not sure
what value there is to predicting nonces given that they're
transmitted in the clear, anyway.

I'm also not sure how the cnonce would provide mutual authentication
as RFC2617 claims. SSL and SSH servers authenticate themselves to the
client by providing a message signed with their private key but I
don't see how this cnonce parameter can provide it.
