Archive of UserLand's first discussion group, started October 5, 1998.

HTTP Digest Authentication

Author: André Radke
Posted: 10/29/1999; 3:27:27 AM
Topic: HTTP Digest Authentication
Msg #: 12483
Prev/Next: 12482 / 12484

Why am I posting this...

As Wes apparently already guessed, I am trying to implement a security scheme based on HTTP Digest Authentication. In the process, I made a few surprising discoveries.

Background

When using HTTP Basic Authentication, the username-password pair is effectively transmitted in the clear. An eavesdropper can easily obtain the password.

HTTP Digest Authentication defines a protocol that allows the client to prove to the server that it knows the correct password without having to send the password itself to the server. The client does an irreversible computation, using the password and a random value supplied by the server as input values. The result is transmitted to the server who does the same computation and authenticates the client if he arrives at the same value. Since the computation is irreversible, an eavesdropper can't obtain the password. (It's actually more complicated than that.)

Therefore, Digest Authentication is preferable over Basic Authentication for certain pages allowing you to perform certain actions on the server.

While implementing HTTP Digest Authentication in Frontier, I used the following browser versions for testing:

Example 1: Allow Basic Authentication Only

Frontier's response to the initial request:

	HTTP/1.1 401 Unauthorized
	Connection: close
	Content-Length: 157
	Content-Type: text/html
	Date: Fri, 29 Oct 1999 09:24:10 GMT
	Server: UserLand Frontier/6.1b12-WinNT
	WWW-Authenticate: Basic realm="Control Panel"

This works fine with all five browsers. No surprises here.

Example 2: Allow Digest Authentication Only

Frontier's response to the initial request:

	HTTP/1.1 401 Unauthorized
	Connection: close
	Content-Length: 157
	Content-Type: text/html
	Date: Fri, 29 Oct 1999 09:11:14 GMT
	Server: UserLand Frontier/6.1b12-WinNT
	WWW-Authenticate: Digest realm="Control Panel", domain="/controlPanel", nonce="84e0a095cfd25153b2e4014ea87a0980", algorithm=MD5, qop="auth,auth-int"

MSIE 5 for Windows sends the correct Authentication header and makes use of the "auth" option. Yeah!

MSIE 4.5 for MacOS sends the correct Authentication header but ignores the "auth" option. Okay.

Both versions of Communicator and iCab send an Authentication header for Basic authentication, transmitting the password in the clear, totally defeating the purpose of requiring Digest Authentication. Apparently, they don't support Digest authentication. But instead of sending the password in the clear, I had expected them to fail right away.

Example 3: Allow Basic and Digest Authentication

Frontier's response to the initial request:

	HTTP/1.1 401 Unauthorized
	Connection: close
	Content-Length: 157
	Content-Type: text/html
	Date: Fri, 29 Oct 1999 09:24:10 GMT
	Server: UserLand Frontier/6.1b12-WinNT
	WWW-Authenticate: Basic realm="Control Panel"
	WWW-Authenticate: Digest realm="Control Panel", domain="/controlPanel", nonce="15bb54af506016d4414a025d4c84e34c", algorithm=MD5, qop="auth,auth-int"

As expected, both versions of Communicator and iCab send an Authentication header for Basic authentication which is the only option they seem to support.

Both versions of MSIE seemingly get confused about two authentication schemes being offered and choose Basic Authentication, the weaker of the two, even though RFC 2617 says they "MUST" choose the strongest option they support -- which is Digest Authentication as proven by the previous example.

Conclusion

Unless I am missing something, my options are either to require Digest Authentication exclusively, knowing that security is compromised if a user accidentally tries to authenticate with Communicator or iCab, or to offer both Basic and Digest Authentication, knowing that none of the browsers I tested is actually going to use the latter.

Based on these observations, I am tempted to conclude that HTTP Digest Authentication is currently useless for practical purposes.

Pointers




There are responses to this message:
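The exchange described in the Background section and tested in Examples 1 to 3, worked through as an added example in Python. This is not Frontier's code and not André's; it implements the RFC 2617 computation with qop="auth" and the older qop-less form, on both the client and the server side, using the challenge format from Example 2 (the nonce value is copied from that header). The user name "andre", the password "s3cret", the request URI and all function names are assumptions made for the demonstration. It also shows what an eavesdropper recovers from a Basic header versus a Digest header, and the server-side rule a Digest-only resource needs so that a browser falling back to Basic (Communicator and iCab in Example 2) is refused rather than quietly honoured.

```python
"""HTTP Digest Authentication, both sides (RFC 2617 qop="auth" and the qop-less
form), plus the checks a Digest-only resource needs. Added example, not Frontier's code."""
import base64
import hashlib
import re
import secrets

# Challenge shaped like Frontier's Example 2 response (nonce copied from the post).
CHALLENGE = ('Digest realm="Control Panel", domain="/controlPanel", '
             'nonce="84e0a095cfd25153b2e4014ea87a0980", algorithm=MD5, qop="auth,auth-int"')

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_params(header):
    """Split 'Scheme k="v", k=v' into (scheme, {k: v})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM_RE.finditer(rest)}
    return scheme, params


def basic_header(username, password):
    """What Communicator/iCab sent in Example 2: the pair, merely base64-encoded."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def digest_response(username, password, method, uri, challenge, nc="00000001", cnonce=None):
    """Client side: answer a Digest challenge. Uses qop=auth when the server offered it,
    otherwise the qop-less form (what MSIE 4.5 for MacOS sent in the post)."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = _md5(f"{username}:{realm}:{password}")   # password is hashed here and never sent
    ha2 = _md5(f"{method}:{uri}")
    qops = [q.strip() for q in challenge.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        cnonce = cnonce or secrets.token_hex(8)     # client nonce: server cannot choose all inputs
        resp = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
                f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
    resp = _md5(f"{ha1}:{nonce}:{ha2}")
    return f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", response="{resp}"'


def verify_digest(auth_header, method, issued_nonce, lookup_password):
    """Server side: recompute the response from the stored password and compare."""
    scheme, p = parse_params(auth_header)
    if scheme != "Digest" or p.get("nonce") != issued_nonce:   # stale/replayed nonce
        return False
    password = lookup_password(p.get("username"))
    if password is None:
        return False
    ha1 = _md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    elif "qop" not in p:
        expected = _md5(f"{ha1}:{p['nonce']}:{ha2}")
    else:
        return False   # auth-int also hashes the entity body; not handled in this example
    return secrets.compare_digest(expected, p.get("response", ""))


def leaked_password(auth_header):
    """What an eavesdropper recovers: the cleartext pair for Basic; for Digest only a
    hash that has to be attacked offline, never the password itself."""
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme == "Basic":
        return base64.b64decode(token).decode("utf-8")
    return None


def server_decision(auth_header, offered_schemes, method, issued_nonce, lookup_password):
    """Resource policy: refuse any scheme the challenge did not offer, so a Basic
    header against a Digest-only resource is rejected instead of logging the user in."""
    scheme, _ = parse_params(auth_header)
    if scheme not in offered_schemes:
        return "reject: scheme was not offered"
    if scheme == "Digest":
        ok = verify_digest(auth_header, method, issued_nonce, lookup_password)
        return "ok" if ok else "reject: bad digest"
    user, _, pw = leaked_password(auth_header).partition(":")
    return "ok (Basic)" if lookup_password(user) == pw else "reject: bad password"


if __name__ == "__main__":
    _, ch = parse_params(CHALLENGE)
    users = {"andre": "s3cret"}                       # constructed credential store
    hdr = digest_response("andre", "s3cret", "GET", "/controlPanel/index.html", ch)
    print(hdr)
    print("digest ok:", verify_digest(hdr, "GET", ch["nonce"], users.get))
    print("leak from Basic :", leaked_password(basic_header("andre", "s3cret")))
    print("leak from Digest:", leaked_password(hdr))
    print("Basic vs Digest-only:", server_decision(basic_header("andre", "s3cret"), {"Digest"},
                                                   "GET", ch["nonce"], users.get))
```

The nonce check in verify_digest is the minimum a server needs; a production implementation also tracks the nc counter per nonce and expires nonces, otherwise a captured Digest header can be replayed for as long as the nonce is accepted.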


This page was archived on 6/13/2001; 4:53:15 PM.

© Copyright 1998-2001 UserLand Software, Inc.