Atom WSSE Profile

It has been a few years since Mark Pilgrim wrote up WSSE authentication for Atom on XML.com. There has been little exposition of it since, bar Ezra from MovableType, who explained that the OASIS scheme requires passwords to be stored in clear text on the server: the PasswordDigest is a hash over the nonce, the creation timestamp and the password, so the server has to hold the password itself to recompute it. The WSSE scheme does not define any extension under which a hashed password could be stored on the server instead.

The Wikipedia entry on HTTP Digest Authentication, on the same issue, makes a rather weak suggestion that the realm could hold the salt. Since the realm is common to every account on the server, this all but forces one salt for every password. Not the way to go.

Meanwhile, over at MSDN, there is an article explaining the security risks of the WSSE profile. For instance, the PasswordDigest can still be brute-forced with an offline dictionary attack: anyone who captures one header has the nonce, the timestamp and the digest, and can test guesses locally without touching the server. Storing "crypted" (hashed) passwords does not help either. If the client hashes the stored hash into the digest instead of the password, the offline attack recovers that hash, and the hash is then as good as the password for logging in, even though it is not the original password. The article goes on to advocate a "salted, iteratively hashed account database". There is also some discussion of it over at Keith Brown's Security Briefs blog.
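To make the two points above concrete, here is an added example (my own code, not from Pilgrim's article, the MSDN piece or any WSSE library) that builds and verifies an X-WSSE UsernameToken header and then runs the offline dictionary attack against a captured one, first against the plain profile and then against the "hashed password on the server" variant. It assumes the digest formula from the Atom/WSSE write-up, Base64(SHA1(Nonce + Created + Password)), and that the raw nonce bytes are hashed while the header carries them base64-encoded (the profile text leaves that ambiguous). The nonce, timestamp and wordlist are constructed values so the run is repeatable.

```python
import base64
import hashlib
import hmac
import re

# Header shape from the Atom/WSSE write-up:
#   X-WSSE: UsernameToken Username="bob", PasswordDigest="...", Nonce="...", Created="..."
# Assumption: the raw nonce bytes go into the hash; the header carries them base64-encoded.


def password_digest(nonce: bytes, created: str, secret: str) -> str:
    """PasswordDigest = Base64(SHA1(Nonce + Created + Password))."""
    h = hashlib.sha1(nonce + created.encode("ascii") + secret.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_header(username: str, secret: str, nonce: bytes, created: str) -> str:
    """Client side: build the UsernameToken value of the X-WSSE header."""
    return ('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"'
            % (username, password_digest(nonce, created, secret),
               base64.b64encode(nonce).decode("ascii"), created))


_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_header(header: str) -> dict:
    """Split the UsernameToken value into its key="value" fields."""
    if not header.startswith("UsernameToken "):
        raise ValueError("not a UsernameToken header")
    return dict(_FIELD.findall(header))


def verify(header: str, stored_secret: str) -> bool:
    """Server side: recompute the digest from what the server has stored.
    This is the clear-text problem: the server needs the very value the
    client hashed, so it cannot keep only a one-way hash of the password."""
    f = parse_header(header)
    expected = password_digest(base64.b64decode(f["Nonce"]), f["Created"], stored_secret)
    return hmac.compare_digest(expected, f["PasswordDigest"])


def offline_attack(header: str, candidates):
    """Attacker side: one captured header is enough to test every candidate
    secret locally; the server never sees the guesses."""
    f = parse_header(header)
    nonce = base64.b64decode(f["Nonce"])
    for guess in candidates:
        if password_digest(nonce, f["Created"], guess) == f["PasswordDigest"]:
            return guess
    return None


def unsalted_hash(password: str) -> str:
    """The 'crypted password' variant: the server stores SHA1(password) and the
    client feeds that hash, not the password, into the digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample values (fixed so the output is deterministic).
NONCE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
CREATED = "2003-12-15T14:43:07Z"
WORDLIST = ["letmein", "password", "hunter2", "correct horse"]


def demo():
    # 1. Plain profile: the server stores "hunter2" in clear and the captured
    #    header gives the password away to a dictionary attack.
    hdr = make_header("bob", "hunter2", NONCE, CREATED)
    assert verify(hdr, "hunter2")
    recovered = offline_attack(hdr, WORDLIST)

    # 2. Hashed-storage variant: the attacker hashes each guess first. The hit
    #    is SHA1("hunter2"), which the server accepts as the secret as-is, so
    #    the hash is password-equivalent even though it is not the password.
    hdr2 = make_header("bob", unsalted_hash("hunter2"), NONCE, CREATED)
    equivalent = offline_attack(hdr2, (unsalted_hash(w) for w in WORDLIST))
    assert verify(hdr2, equivalent)
    return recovered, equivalent


if __name__ == "__main__":
    print(demo())
```

Note that the second case only costs the attacker one extra SHA1 per guess, and that a salted, iterated store does not combine with this digest at all: whatever the server stores is what the client must hash, so whatever the attacker recovers is what the server will accept.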

At this point, I’m really tired and haven’t read on further. Got to sleep. (Also a chance to plug my wife’s blog on insomnia)

