Archive of UserLand's first discussion group, started October 5, 1998.
HTTP Digest Authentication
Author: André Radke Posted: 10/29/1999; 3:27:27 AM Topic: HTTP Digest Authentication Msg #: 12483 Prev/Next: 12482 / 12484
Why am I posting this...As Wes apparently already guessed, I am trying to implement a security scheme based on HTTP Digest Authentication. In the process, I made a few surprising discoveries.
Background
When using HTTP Basic Authentication, the username-password pair is effectively transmitted in the clear. An eavesdropper can easily obtain the password.
HTTP Digest Authentication defines a protocol that allows the client to prove to the server that it knows the correct password without having to send the password itself to the server. The client does an irreversible computation, using the password and a random value supplied by the server as input values. The result is transmitted to the server who does the same computation and authenticates the client if he arrives at the same value. Since the computation is irreversible, an eavesdropper can't obtain the password. (It's actually more complicated than that.)
Therefore, Digest Authentication is preferable over Basic Authentication for certain pages allowing you to perform certain actions on the server.
While implementing HTTP Digest Authentication in Frontier, I used the following browser versions for testing:
- Windows: Internet Explorer 5 and Communicator 4.7
- Mac: Internet Explorer 4.5, Communicator 4.5, and iCab Preview 1.7
Example 1: Allow Basic Authentication Only
Frontier's response to the initial request:
HTTP/1.1 401 Unauthorized
Connection: close
Content-Length: 157
Content-Type: text/html
Date: Fri, 29 Oct 1999 09:24:10 GMT
Server: UserLand Frontier/6.1b12-WinNT
WWW-Authenticate: Basic realm="Control Panel"

This works fine with all five browsers. No surprises here.
Example 2: Allow Digest Authentication Only
Frontier's response to the initial request:
HTTP/1.1 401 Unauthorized
Connection: close
Content-Length: 157
Content-Type: text/html
Date: Fri, 29 Oct 1999 09:11:14 GMT
Server: UserLand Frontier/6.1b12-WinNT
WWW-Authenticate: Digest realm="Control Panel", domain="/controlPanel", nonce="84e0a095cfd25153b2e4014ea87a0980", algorithm=MD5, qop="auth,auth-int"

MSIE 5 for Windows sends the correct Authentication header and makes use of the "auth" option. Yeah!
MSIE 4.5 for MacOS sends the correct Authentication header but ignores the "auth" option. Okay.
Both versions of Communicator and iCab send an Authentication header for Basic authentication, transmitting the password in the clear, totally defeating the purpose of requiring Digest Authentication. Apparently, they don't support Digest authentication. But instead of sending the password in the clear, I had expected them to fail right away.
Example 3: Allow Basic and Digest Authentication
Frontier's response to the initial request:
HTTP/1.1 401 Unauthorized
Connection: close
Content-Length: 157
Content-Type: text/html
Date: Fri, 29 Oct 1999 09:24:10 GMT
Server: UserLand Frontier/6.1b12-WinNT
WWW-Authenticate: Basic realm="Control Panel"
WWW-Authenticate: Digest realm="Control Panel", domain="/controlPanel", nonce="15bb54af506016d4414a025d4c84e34c", algorithm=MD5, qop="auth,auth-int"

As expected, both versions of Communicator and iCab send an Authentication header for Basic authentication, which is the only option they seem to support.
Both versions of MSIE seemingly get confused about two authentication schemes being offered and choose Basic Authentication, the weaker of the two, even though RFC 2617 says they "MUST" choose the strongest option they support -- which is Digest Authentication as proven by the previous example.
Conclusion
Unless I am missing something, my options are either to require Digest Authentication exclusively, knowing that security is compromised if a user accidentally tries to authenticate with Communicator or iCab, or to offer both Basic and Digest Authentication, knowing that none of the browsers I tested is actually going to use the latter.
Based on these observations, I am tempted to conclude that HTTP Digest Authentication is currently useless for practical purposes.
Pointers
- RFC 2617: HTTP Basic and Digest Access Authentication
- RFC 2246: Transport Layer Security (TLS) Protocol 1.0
- Secure Sockets Layer (SSL) Protocol 3.0
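Added example (not part of the original post, and not Frontier's or UserLand's code): the RFC 2617 Digest computation that the post's "irreversible computation" refers to, implemented on both sides in Python. The challenge string is the one quoted in Example 2 above; the username "alice", the password, the client nonce, the request URI and the lookup callback are constructed for this example. It also shows the two client behaviours the post observed (a client that honours qop=auth and one that ignores qop and falls back to the older RFC 2069 form), a server-side check that stores only HA1 rather than the password, and why a Basic fallback defeats the whole scheme: the Basic header decodes straight back to the password.

```python
"""RFC 2617 Digest Access Authentication, client and server side (added example)."""
import base64
import hashlib
import re
import secrets

# Challenge quoted in Example 2 of the post (realm, nonce, algorithm, qop are
# the server's values); the credentials used below are constructed.
CHALLENGE = ('Digest realm="Control Panel", domain="/controlPanel", '
             'nonce="84e0a095cfd25153b2e4014ea87a0980", algorithm=MD5, '
             'qop="auth,auth-int"')


def md5_hex(text):
    # RFC 2617 hashes the raw byte string; latin-1 keeps one byte per character.
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def parse_auth_header(header):
    """Split 'Scheme k="v", k=v, ...' into a dict; scheme kept under '_scheme'."""
    scheme, _, params = header.strip().partition(" ")
    fields = {"_scheme": scheme}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def ha1(username, realm, password):
    # A server only needs to keep HA1 per (user, realm); the password itself
    # never has to be stored to verify Digest responses.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """qop=None gives the RFC 2069 form; qop='auth' the RFC 2617 form."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{h1}:{nonce}:{ha2}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(challenge, username, password, method, uri,
                        use_qop=True, cnonce=None):
    """Authorization header a client sends back for the given Digest challenge."""
    c = parse_auth_header(challenge)
    h1 = ha1(username, c["realm"], password)
    if use_qop and "auth" in c.get("qop", "").split(","):
        nc = "00000001"                      # first use of this server nonce
        cnonce = cnonce or secrets.token_hex(8)
        resp = digest_response(h1, c["nonce"], method, uri, "auth", nc, cnonce)
        return (f'Digest username="{username}", realm="{c["realm"]}", '
                f'nonce="{c["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
                f'cnonce="{cnonce}", response="{resp}"')
    # Client that ignores the qop option (the MSIE 4.5/Mac behaviour above).
    resp = digest_response(h1, c["nonce"], method, uri)
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}"')


def verify_authorization(header, method, issued_nonce, lookup_ha1):
    """Server check: recompute the response from the stored HA1 and compare."""
    a = parse_auth_header(header)
    if a["_scheme"] != "Digest" or a.get("nonce") != issued_nonce:
        return False                         # wrong scheme, or a nonce we never issued
    h1 = lookup_ha1(a.get("username"), a.get("realm"))
    if h1 is None or "uri" not in a:
        return False
    expected = digest_response(h1, a["nonce"], method, a["uri"],
                               a.get("qop"), a.get("nc"), a.get("cnonce"))
    return secrets.compare_digest(expected, a.get("response", ""))


def basic_credentials(header):
    """What anyone on the wire recovers from a Basic Authorization header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password
```

The server side deliberately rejects any nonce it did not issue and binds the response to the request method, so a captured Digest header cannot be replayed against a different request; the Basic decoder is there only to make the post's point concrete: a browser that answers a Digest challenge with Basic hands over the password to any eavesdropper, and the server cannot tell the difference unless it refuses Basic outright.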
There are responses to this message:
- Re: HTTP Digest Authentication, larry curtin, 10/29/1999; 11:25:06 AM
- Re: HTTP Digest Authentication, Wesley Felter, 10/29/1999; 1:24:49 PM
- Re: HTTP Digest Authentication, Pat Breitenbach, 4/11/2000; 9:54:27 AM
This page was archived on 6/13/2001; 4:53:15 PM.
© Copyright 1998-2001 UserLand Software, Inc.