JDK-4823429 : Digest authentication misuse of nonce-count field
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 1.4.1
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: unknown
  • Submitted: 2003-02-25
  • Updated: 2024-02-23
  • Resolved: 2003-09-27
Other: 5.0 (tiger), Fixed
Description
The digest authentication implementation used in HttpURLConnection
is misusing the nonce-count field in Authorization headers.
It is supposed to represent the number of times the current server nonce
has been used (and reused) by the client. Instead, the implementation
uses it to represent the number of times the client nonce has been reused.

[Note, the nonce-count in the Authentication-Info header generated by the
 server or proxy is supposed to be the number of times the client nonce
 has been used by the server.]

The problem has only been noticed with the Squid cache, which is checking
(as it should) for re-use of nonce-count values (possibly indicating
a replay attack). It seems other servers are not checking for it.

The impact of the bug is that users will be re-prompted for credentials
because they appear to be incorrect. The authentication will normally
succeed the second time.
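The description above hinges on what the nc field counts. The following is an added example, not code from the JDK or from this bug report: a minimal RFC 2617 Digest (qop=auth) client that keeps nc per server nonce, a second client that models the reported bug by counting uses of the client nonce instead (so nc never advances when a fresh cnonce is generated per request), and a server-side verifier that, like Squid, rejects an nc value that does not advance. Realm, usernames and passwords are constructed sample values; the server omits opaque, stale and auth-int handling for brevity.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2)).
    nc is the integer count of how many times *this server nonce* has been used."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestClient:
    """Correct behaviour: nc counts requests sent under each server nonce."""

    def __init__(self, username, realm, password):
        self.username, self.realm, self.password = username, realm, password
        self.nc_by_nonce = {}  # server nonce -> number of times we have used it

    def _header(self, method, uri, nonce, nc, cnonce):
        return {
            "username": self.username, "realm": self.realm, "nonce": nonce,
            "uri": uri, "qop": "auth", "nc": f"{nc:08x}", "cnonce": cnonce,
            "response": digest_response(self.username, self.realm, self.password,
                                        method, uri, nonce, nc, cnonce),
        }

    def authorization(self, method, uri, nonce):
        self.nc_by_nonce[nonce] = self.nc_by_nonce.get(nonce, 0) + 1
        cnonce = secrets.token_hex(8)  # a fresh client nonce per request is allowed
        return self._header(method, uri, nonce, self.nc_by_nonce[nonce], cnonce)


class BuggyDigestClient(DigestClient):
    """Models the reported bug: nc counts reuses of the *client* nonce, so with a
    fresh cnonce on every request it is always 00000001 (hypothetical model)."""

    def authorization(self, method, uri, nonce):
        cnonce = secrets.token_hex(8)
        return self._header(method, uri, nonce, 1, cnonce)


class DigestServer:
    """Verifies responses and, like Squid, rejects an nc that did not advance."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (constructed demo data)
        self.highest_nc = {}        # issued nonce -> highest nc accepted so far

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.highest_nc[nonce] = 0
        return nonce

    def verify(self, method, auth):
        nonce = auth["nonce"]
        if nonce not in self.highest_nc:
            return False  # unknown or expired nonce
        nc = int(auth["nc"], 16)
        if nc <= self.highest_nc[nonce]:
            return False  # nonce-count reused or went backwards: treat as replay
        password = self.users.get(auth["username"])
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], nonce, nc, auth["cnonce"], auth["qop"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.highest_nc[nonce] = nc
        return True


def run_session(client_cls, requests=3):
    """Send several requests under one server nonce; return the accept/reject sequence."""
    server = DigestServer("example.org", {"alice": "s3cret"})
    client = client_cls("alice", "example.org", "s3cret")
    nonce = server.new_nonce()
    return [server.verify("GET", client.authorization("GET", "/index.html", nonce))
            for _ in range(requests)]


if __name__ == "__main__":
    print("correct client:", run_session(DigestClient))       # [True, True, True]
    print("buggy client:  ", run_session(BuggyDigestClient))  # [True, False, False]
```

The second request from the buggy client is rejected only because the server checks nc, which matches the report: servers that ignore nc accept it, while a replay-checking cache such as Squid refuses and the user is re-prompted. digest_response reproduces the worked example in RFC 2617 section 3.5, which is a handy way to confirm the hashing order.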

Comments
CONVERTED DATA
BugTraq+ Release Management Values
COMMIT TO FIX: tiger
FIXED IN: tiger
INTEGRATED IN: tiger tiger-b22
14-06-2004

WORK AROUND Configure both client and server to not reuse nonce values.
11-06-2004

EVALUATION Probably too late for mantis. Will fix in tiger ###@###.### 2003-03-05
05-03-2003