Digest access authentication

 

HTTP Digest access authentication is one of the agreed methods a web server can use to negotiate credentials with a web user (using the HTTP protocol). Digest authentication is intended to supersede unencrypted use of Basic access authentication, allowing user identity to be established securely without having to send a password in plaintext over the network. Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis.


Overview

Digest access authentication was originally specified by RFC 2069 (An Extension to HTTP: Digest Access Authentication). RFC 2069 specifies roughly a traditional digest authentication scheme with security maintained by a server-generated nonce value.

RFC 2069 was later replaced by RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication). RFC 2617 introduced a number of optional security enhancements to Digest Authentication: "Quality of Protection" (qop), a nonce counter incremented by the client, and a client-generated random nonce. These enhancements are designed to protect against e.g. chosen-plaintext attack cryptanalysis.

If the qop directive's value is "auth" or is unspecified, then HA2 is

If the qop directive's value is "auth-int" , then HA2 is

Impact of MD5 security on Digest authentication


The MD5 calculations used in HTTP Digest Authentication are intended to be "one way", meaning that it should be difficult to determine the original input when only the output is known. If the password itself is too simple, however, then it may be possible to test all possible inputs and find a matching output (a brute force attack) – perhaps aided by a dictionary or suitable look-up list. For the most security, users should use long, non-trivial passwords; however, this is not ideal since it is an inconvenience on the user side.

The HTTP scheme was designed at CERN in 1993 and does not represent subsequent improvements in authentication systems, such as the development of keyed-hash message authentication code (HMAC). Although the cryptographic construction that is used is based on the MD5 hash function, collision attacks were in 2004 generally believed not to affect applications where the plaintext (i.e. password) is not known. However, claims in 2006 (On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1) cause some doubt over other MD5 applications as well. So far, MD5 collision attacks have not been shown to pose a threat to Digest Authentication, and RFC 2617 allows servers to implement mechanisms to detect some collision and replay attacks.

One consequence of the Digest authentication design is that the server must know the password (i.e. store it in plain text) or store the same HA1 (MD5) hash that is used to calculate the client's response (see example, below). This means that if the password database at a site is compromised the attacker will be able to impersonate any user whose access credentials are stolen. Such a compromise should not affect other sites if the MD5 hash is stored rather than the password, because the realm information is used as a salt. Unfortunately the scheme prevents the use of a different salt for each individual password held on the server.

HTTP Digest Authentication considerations


Advantages

HTTP Digest authentication is designed to be more secure than traditional digest authentication schemes; "significantly stronger than (e.g.) CRAM-MD5 ...".

Some of the security strengths of HTTP Digest authentication are:
  • The password is not used directly in the digest, but rather HA1 = MD5(username:realm:password). This allows some implementations (e.g. JBoss) to store HA1 rather than the clear text password.
  • Client nonce was introduced in RFC 2617, which allows the client to prevent chosen plaintext attacks (which otherwise make e.g. rainbow tables a threat to digest authentication schemes).
  • Server nonce is allowed to contain timestamps. Therefore the server may inspect nonce attributes submitted by clients, to prevent replay attacks.
  • Server is also allowed to maintain a list of recently issued or used server nonce values to prevent reuse.


Disadvantages

Digest access authentication is intended as a security trade-off; it is intended to replace unencrypted HTTP Basic access authentication which is extremely weak. However it is not intended to replace strong authentication protocols, such as Public key or Kerberos authentication.

Security-wise, there are several drawbacks with Digest access authentication:
  • Many of the security options in RFC 2617 are optional. If quality-of-protection (qop) is not specified by the server, the client will operate in a security-reduced legacy mode.
  • Digest access authentication is vulnerable to man-in-the-middle attack; a MitM attacker could tell clients to use Basic access authentication or legacy Digest access authentication mode.
  • Internet Explorer 5 may be incompatible with other digest access authentication implementations.


There is an important problem with implementing Digest access authentication. This is the requirement that either cleartext passwords or the HA1 hashes must be known in order to perform client response validation. If the authentication repository used to store passwords does not support looking up cleartext passwords or HA1 hashes, it is not possible to use HTTP Digest access authentication.

Alternative authentication protocols

Some strong authentication protocols for web based applications include:
  • Public key authentication (usually implemented with HTTPS / SSL Client Certificates)
  • Kerberos or SPNEGO authentication, primarily employed by Microsoft IIS running configured for "Integrated Windows Authentication".


Weak cleartext protocols are also often in use:
  • Basic access authentication scheme
  • HTTP+HTML Form based authentication

These weak cleartext protocols, used together with HTTPS network encryption, resolve many of the threats that the Digest access authentication protocol is designed to prevent.

Example with explanation


Warning: Please refer to the original specifications for a more comprehensive discussion of security issues.


The following example was originally given in RFC 2617 and is expanded here to show the full text expected for each request and response. Note that only the "auth" (authentication) quality of protection code is covered – at the time of writing only the Opera and Konqueror web browsers are known to support "auth-int" (authentication with integrity protection). Although the specification mentions HTTP version 1.1 the scheme can be successfully added to a version 1.0 server, as shown here.

This typical transaction consists of the following steps.

  • The client asks for a page that requires authentication but does not provide a user name and password. Typically this is because the user simply entered the address or followed a link to the page.
  • The server responds with the "401" response code, providing the authentication realm and a randomly-generated, single-use value called a nonce.
  • At this point, the client will present the authentication realm (typically a description of the computer or system being accessed) to the user and prompt for a user name and password. The user may decide to cancel at this point.
  • Once a user name and password have been supplied, the client re-sends the same request but adds an authentication header that includes the response code.
  • In this example, the server accepts the authentication and the page is returned. If the user name is invalid and/or the password is incorrect, the server might return the "401" response code and the client would prompt the user again.


Note: A client may already have the required user name and password without needing to prompt the user, e.g. if they have previously been stored by a web browser.

Client request (no authentication):
GET /dir/index.html HTTP/1.0
Host: localhost


(followed by a new line, in the form of a carriage return followed by a line feed).

Server response:
HTTP/1.0 401 Unauthorised
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
WWW-Authenticate: Digest realm="testrealm@host.com",
 qop="auth,auth-int",
 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
 opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Content-Length: 311

Error

401 Unauthorised.



Client request (user name "Mufasa", password "Circle Of Life"):
GET /dir/index.html HTTP/1.0
Host: localhost
Authorization: Digest username="Mufasa",
      realm="testrealm@host.com",
      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
      uri="/dir/index.html",
      qop=auth,
      nc=00000001,
      cnonce="0a4f113b",
      response="6629fae49393a05397450978507c4ef1",
      opaque="5ccc069c403ebaf9f0171e9517f40e41"


(followed by a blank line, as before).

Server response:
HTTP/1.0 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984


(followed by a blank line and HTML text of the restricted page).

The "response" value is calculated in three steps, as follows. Where values are combined, they are delimited by colon symbols.

  1. The MD5 hash of the combined user name, authentication realm and password is calculated. The result is referred to as HA1.
  2. The MD5 hash of the combined method and digest URI is calculated, e.g. of "GET" and "/dir/index.html". The result is referred to as HA2.
  3. The MD5 hash of the combined HA1 result, server nonce (nonce), request counter (nc), client nonce (cnonce), quality of protection code (qop) and HA2 result is calculated. The result is the "response" value provided by the client.


Since the server has the same information as the client, the response can be checked by performing the same calculation. In the example given above the result is formed as follows – where MD5 represents a function used to calculate an MD5 hash, backslashes represent a continuation and the quotes shown are not used in the calculation.

Completing the example given in RFC 2617 gives the following results for each step.

    HA1 = MD5( "Mufasa:testrealm@host.com:Circle Of Life" )
        = 939e7578ed9e3c518a452acee763bce9

    HA2 = MD5( "GET:/dir/index.html" )
        = 39aff3a2bab6126f332b942af96d3366

    Response = MD5( "939e7578ed9e3c518a452acee763bce9:\
                     dcd98b7102dd2f0e8b11d0f600bfb0c093:\
                     00000001:0a4f113b:auth:\
                     39aff3a2bab6126f332b942af96d3366" )
             = 6629fae49393a05397450978507c4ef1


At this point the client may make another request, reusing the server nonce value (the server only issues a new nonce for each "401" response) but providing a new client nonce (cnonce). For subsequent requests, the hexadecimal request counter (nc) must be greater than the last value it used – otherwise an attacker could simply "replay" an old request with the same credentials. It is up to the server to ensure that the counter increases for each of the nonce values that it has issued, rejecting any bad requests appropriately. Changing the method, URI and/or counter value will result in a different response value.

The server should remember nonce values that it has recently generated. It may also remember when each nonce value was issued, expiring them after a certain amount of time. If an expired value is used, the server should respond with the "401" status code and add stale=TRUE to the authentication header – indicating that the client should re-send with the new nonce provided, without prompting the user for another user name and password.

The server does not need to keep any expired nonce values – it can simply assume that any unrecognised values have expired. It is also possible for the server to only allow each nonce value to be returned once, although this forces the client to repeat every request. Note that expiring a server nonce immediately will not work, as the client would never get a chance to use it.
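The three-step response calculation and the server-side nonce and counter checks described above, as an added example that is not code from RFC 2617 or from the original page. The function and class names, the 300-second nonce lifetime and the in-memory nonce table are assumptions; the server here stores only HA1, never the cleartext password.

```python
import hashlib
import hmac
import re
import secrets
import time

NONCE_TTL = 300  # seconds a server nonce stays valid (assumed value)


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Steps 2 and 3 from the text; HA1 (step 1) comes from the credential store."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_header(value):
    """Turn 'Digest k="v", k2=v2' into a dict with the quotes removed."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest)
    return {key: quoted or bare for key, quoted, bare in pairs}


class DigestVerifier:
    def __init__(self, realm, ha1_by_user, now=time.time):
        self.realm = realm
        self.ha1_by_user = ha1_by_user  # username -> HA1 hex, no cleartext
        self.nonces = {}                # nonce -> [issued_at, highest nc seen]
        self.now = now

    def issue_nonce(self, nonce=None):
        """Called when sending a 401; passing a fixed nonce is for the demo only."""
        nonce = nonce or secrets.token_hex(16)
        self.nonces[nonce] = [self.now(), 0]
        return nonce

    def verify(self, method, request_uri, header):
        """Return 'ok', 'stale' (401 with stale=TRUE) or 'reject' (plain 401)."""
        try:
            p = parse_digest_header(header)
            nc = int(p["nc"], 16)
            fields = (p["username"], p["realm"], p["nonce"], p["uri"],
                      p["qop"], p["cnonce"], p["response"])
        except (KeyError, ValueError):
            return "reject"  # malformed, or legacy request without qop/nc/cnonce
        user, realm, nonce, uri, qop, cnonce, response = fields
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None or realm != self.realm or qop != "auth" or uri != request_uri:
            return "reject"
        expected = digest_response(ha1, method, uri, nonce, p["nc"], cnonce, qop)
        # Constant-time comparison of the recomputed and the supplied response.
        if not hmac.compare_digest(expected.encode(), response.lower().encode()):
            return "reject"
        state = self.nonces.get(nonce)
        if state is None or self.now() - state[0] > NONCE_TTL:
            self.nonces.pop(nonce, None)  # unrecognised nonces are treated as expired
            return "stale"
        if nc <= state[1]:
            return "reject"  # counter did not increase: replayed request
        state[1] = nc
        return "ok"


# The Authorization header from the RFC 2617 transaction shown on this page.
RFC_HEADER = '''Digest username="Mufasa",
      realm="testrealm@host.com",
      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
      uri="/dir/index.html",
      qop=auth,
      nc=00000001,
      cnonce="0a4f113b",
      response="6629fae49393a05397450978507c4ef1",
      opaque="5ccc069c403ebaf9f0171e9517f40e41"'''

if __name__ == "__main__":
    server = DigestVerifier("testrealm@host.com",
                            {"Mufasa": "939e7578ed9e3c518a452acee763bce9"})
    server.issue_nonce("dcd98b7102dd2f0e8b11d0f600bfb0c093")
    print(server.verify("GET", "/dir/index.html", RFC_HEADER))  # first use
    print(server.verify("GET", "/dir/index.html", RFC_HEADER))  # same nc again
```

The response is checked before the nonce age so that stale=TRUE is only signalled to a client that actually holds the credentials.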

SIP Digest Authentication

SIP uses basically the same digest authentication algorithm. It is specified by .

Browser Implementation

Browsers that have fully implemented the spec:
  • Amaya
  • Gecko-based:
    • Mozilla Application Suite
    • Mozilla Firefox
    • Netscape 7+
  • KHTML- and WebKit-based:
    • Konqueror
    • Google Chrome
    • Safari
  • Tasman-based:
    • Internet Explorer for Mac
  • Trident-based:
    • Internet Explorer 7+
  • Presto-based:
    • Opera
    • Opera Mobile
    • Opera Mini
    • Nintendo DS Browser
    • Nokia 770 Browser
    • Sony Mylo 1's Browser
    • Wii Internet Channel Browser

A 2002 analysis by eWeek Labs concluded that Internet Explorer Version 5 and Version 6 implement digest authentication in a way that does not comply with RFC 2617. As a result, these versions of Internet Explorer cannot be used as a web client for a server that complies with the digest authentication standard.

See also

  • AKA (security)
  • Basic access authentication


External links

  • RFC 2617
  • RFC 2069 (obsolete)