[rfc-i] Errata (2069)

Frank Ellermann nobody at xyzzy.claranet.de
Sat Apr 2 15:42:07 PST 2005


Hi, I've submitted an error for RfC 2069 some weeks ago.

It's of course possible that it's only an error on my side,
but what's the normal procedure for submitted RfC errors ?

                      Bye, Frank

JFTR the original report (one typo "respose" fixed):

Message-ID: <42215577.18A6 at xyzzy.claranet.de>
Date: Sun, 27 Feb 2005 06:07:04 +0100
From: Frank Ellermann <nobody at xyzzy.claranet.de>
To: rfc-editor at rfc-editor.org
Subject: RfC 2069 errata

RfC 2069 (digest access authentication) chapter 2.4 is an example,
the username is "Mufasa", the password is "CircleOfLife":

| username="Mufasa",
| realm="testrealm@host.com",
| nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
| uri="/dir/index.html",
| response="e966c932a9242554e42c8ee200cec7f6",
| opaque="5ccc069c403ebaf9f0171e9517f40e41"

The "response" is MD5( MD5( A1 ) || ':' || nonce || ':' || MD5( A2 ))

MD5( A1 ) = MD5( username || ':' || realm || ':' || password )
          = MD5( "Mufasa:testrealm@host.com:CircleOfLife" )
          = "4945ecf42b1bb868634058a845bedde8"

MD5( A2 ) = MD5( Method || ':' || digest-uri-value )
          = MD5( "GET:/dir/index.html" )
          = "39aff3a2bab6126f332b942af96d3366"

This results in a response = "1949323746fe6a43ef61f9606e7febea"
instead of the shown value = "e966c932a9242554e42c8ee200cec7f6".

Quick reality check, the RfC 2617 example uses the same values
    username = "Mufasa"
    nonce    = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    realm    = "testrealm@host.com"
    A2       = "GET:/dir/index.html"
with a slightly different
    password = "Circle Of Life"
resulting in MD5( A1 ) = "939e7578ed9e3c518a452acee763bce9"

The "response" is MD5( MD5( A1 ) || ':' || X || ':' || MD5( A2 ))
for X = "dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth"
and here the response = "6629fae49393a05397450978507c4ef1" works as
expected.

I've tried to contact two of the RfC 2069 authors about this issue,
but got no reply.
                      Regards, F.Ellermann
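
The calculation in the report above, as an added example that is not part of the original message: it recomputes the RFC 2069 and RFC 2617 digest responses from the values quoted there, so an implementation's test vectors can be checked against them. The function and constant names are assumptions made for this sketch, and the realm is written with "@" as in the RFC examples.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 of a string, as digest authentication uses it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2069 form when qop is None, RFC 2617 qop form otherwise."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # MD5( A1 )
    ha2 = md5_hex(f"{method}:{uri}")                  # MD5( A2 )
    # RFC 2617 with qop inserts nc, cnonce and qop between nonce and MD5(A2).
    middle = nonce if qop is None else f"{nonce}:{nc}:{cnonce}:{qop}"
    return md5_hex(f"{ha1}:{middle}:{ha2}")


def matches(expected_hex: str, computed_hex: str) -> bool:
    """Constant-time comparison, as a server should use when verifying."""
    return hmac.compare_digest(expected_hex.lower(), computed_hex.lower())


# Values shared by both examples, taken from the report above.
COMMON = dict(username="Mufasa", realm="testrealm@host.com", method="GET",
              uri="/dir/index.html",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")

# The response value printed in RFC 2069 chapter 2.4, which the report disputes.
PUBLISHED_2069 = "e966c932a9242554e42c8ee200cec7f6"


def rfc2069_example() -> str:
    return digest_response(password="CircleOfLife", **COMMON)


def rfc2617_example() -> str:
    return digest_response(password="Circle Of Life", nc="00000001",
                           cnonce="0a4f113b", qop="auth", **COMMON)


if __name__ == "__main__":
    print("RFC 2069 computed :", rfc2069_example())
    print("RFC 2069 published:", PUBLISHED_2069,
          "(match)" if matches(PUBLISHED_2069, rfc2069_example()) else "(mismatch)")
    print("RFC 2617 computed :", rfc2617_example())
```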
