Covering group: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>RonnieBrown
Group structure on a covering space: comment on the non-connected case
 
I swapped the order of 2 sentences. Logically one sentence should have preceded the other
 
Line 1: Line 1:
Hello friend oг relative. ʟet mе introduce myself. I am Priscilla. Ҭo base jump iѕ whаt love finishing. Managing people precisely what I do fоr cash. I cսrrently live іn Arkansas. You can find mу website Һere: http://bigdata.ihep.ac.cn/bigdata/view_profile.php?userid=498232<br><br>Feel free to surf to mʏ blog post; [http://bigdata.ihep.ac.cn/bigdata/view_profile.php?userid=498232 nettcasino]
{{HTTP}}
'''Digest access authentication''' is one of the agreed-upon methods a [[web server]] can use to negotiate credentials with a user's [[web browser]].  It applies a [[hash function]] to a [[password]] before sending it over the network, which is safer than [[basic access authentication]], which sends [[plaintext]].
 
Technically, digest authentication is an application of [[MD5]] [[cryptographic hash]]ing with usage of [[Cryptographic nonce|nonce]] values to prevent [[Replay_attack|replay attacks]]. It uses the [[Hypertext Transfer Protocol|HTTP]] protocol.
 
== Overview ==
 
Digest access authentication was originally specified by RFC 2069 (''An Extension to HTTP: Digest Access Authentication''). RFC 2069 specifies roughly a traditional digest authentication scheme with security maintained by a server-generated [[Cryptographic nonce|nonce]] value. The authentication response is formed as follows (where HA1, HA2, A1, A2 are names of string variables):
 
:<math>\mathrm{HA1} = \mathrm{MD5}\Big(\mathrm{A1}\Big) = \mathrm{MD5}\Big( \mathrm{username} : \mathrm{realm} : \mathrm{password} \Big)</math>
:<math>\mathrm{HA2} = \mathrm{MD5}\Big(\mathrm{A2}\Big) = \mathrm{MD5}\Big( \mathrm{method} : \mathrm{digestURI} \Big)</math>
:<math>\mathrm{response} = \mathrm{MD5}\Big( \mathrm{HA1} : \mathrm{nonce} : \mathrm{HA2} \Big) </math>
 
RFC 2069 was later replaced by RFC 2617 (''HTTP Authentication: Basic and Digest Access Authentication'').  RFC 2617 introduced a number of optional security enhancements to digest authentication; "quality of protection" (qop), nonce counter incremented by client, and a client-generated random nonce.  These enhancements are designed to protect against, for example, [[chosen-plaintext attack]] [[cryptanalysis]].
 
If the algorithm directive's value is "MD5" or unspecified, then HA1 is
 
:<math>\mathrm{HA1} = \mathrm{MD5}\Big(\mathrm{A1}\Big) = \mathrm{MD5}\Big( \mathrm{username} : \mathrm{realm} : \mathrm{password} \Big)</math>
 
If the algorithm directive's value is "MD5-sess", then HA1 is
 
:<math>\mathrm{HA1} = \mathrm{MD5}\Big(\mathrm{A1}\Big) = \mathrm{MD5}\Big(\mathrm{MD5}\Big( \mathrm{username} : \mathrm{realm} : \mathrm{password} \Big) : \mathrm{nonce} : \mathrm{cnonce} \Big)</math>
 
If the qop directive's value is "auth" or is unspecified, then HA2 is
 
:<math>\mathrm{HA2} = \mathrm{MD5}\Big(\mathrm{A2}\Big) = \mathrm{MD5}\Big( \mathrm{method} : \mathrm{digestURI} \Big)</math>
 
If the qop directive's value is "auth-int", then HA2 is
 
:<math>\mathrm{HA2} = \mathrm{MD5}\Big(\mathrm{A2}\Big) = \mathrm{MD5}\Big( \mathrm{method} : \mathrm{digestURI} : \mathrm {MD5}(entityBody)\Big)</math>
 
If the qop directive's value is "auth" or "auth-int", then compute the response as follows:
 
:<math>\mathrm{response} = \mathrm{MD5}\Big( \mathrm{HA1} : \mathrm{nonce} : \mathrm{nonceCount} : \mathrm{clientNonce} : \mathrm{qop} : \mathrm{HA2} \Big)</math>
 
If the qop directive is unspecified, then compute the response as follows:
 
:<math>\mathrm{response} = \mathrm{MD5}\Big( \mathrm{HA1} : \mathrm{nonce} : \mathrm{HA2} \Big) </math>
 
The above shows that when qop is not specified, the simpler RFC 2069 standard is followed.
 
== Impact of MD5 security on digest authentication ==
 
The MD5 calculations used in HTTP digest authentication is intended to be "[[one-way function|one way]]", meaning that it should be difficult to determine the original input when only the output is known.  If the password itself is too simple, however, then it may be possible to test all possible inputs and find a matching output (a [[brute-force attack]]) – perhaps aided by a dictionary or suitable look-up list.
 
The HTTP scheme was designed by [[Phillip Hallam-Baker]] at [[CERN]] in 1993 and does not incorporate subsequent improvements in authentication systems, such as the development of keyed-hash message authentication code ([[HMAC]]). Although the [[cryptography|cryptographic]] construction that is used is based on the [[MD5]] hash function, [[collision attack]]s were in 2004 generally believed to not affect applications where the plaintext (i.e. password) is not known.<ref name="CryptoRes-2004">{{cite web
  | title = Hash Collision Q&A
  | url = http://www.cryptography.com/cnews/hash.html
  | date = 2005-02-16
  | publisher = [[Cryptography Research]]
  | archiveurl = http://web.archive.org/web/20100306180648/http://www.cryptography.com/cnews/hash.html
  | archivedate = 2010-03-06
  | accessdate = 2013-01-05}} ''NOTE: Specific information not given; needs quote from exact version of this page originally cited.''</ref>{{citation needed|date=June 2010}}
However, claims in 2006<ref>{{cite web
| url=https://eprint.iacr.org/2006/187.pdf
| title=On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1
| author=Jongsung Kim, Alex Biryukov, Bart Preneel, Seokhie Hong
| publisher=[[International Association for Cryptologic Research|IACR]]}}</ref> cause some doubt over other MD5 applications as well. So far, however, MD5 collision attacks have not been shown to pose a threat to digest authentication, and the RFC 2617 allows servers to implement mechanisms to detect some collision and replay attacks.
 
== HTTP digest authentication considerations ==
=== Advantages ===
 
HTTP digest authentication is designed to be more secure than traditional digest authentication schemes; e.g., "significantly stronger than (e.g.) [[CRAM-MD5]] ..." (RFC 2617).
 
Some of the security strengths of HTTP digest authentication are:
 
* The password is not used directly in the digest, but rather HA1 = MD5(username:realm:password). This allows some implementations (e.g. [[JBoss]]<ref>{{cite web
| url=https://community.jboss.org/wiki/DIGESTAuth
| title=DIGEST Authentication (4.0.4+)
| author=Scott Stark
| date=2005-10-08
| publisher=[[JBoss]]}}</ref>) to store HA1 rather than the [[cleartext]] password.
* Client [[Cryptographic nonce|nonce]] was introduced in RFC 2617, which allows the client to prevent [[Chosen-plaintext attack]]s (which otherwise makes e.g. [[rainbow table]]s a threat to digest authentication schemes).
* Server nonce is allowed to contain timestamps. Therefore the server may inspect nonce attributes submitted by clients, to prevent replay attacks.
* Server is also allowed to maintain a list of recently issued or used server nonce values to prevent reuse.
 
=== Disadvantages ===
 
Digest access authentication is intended as a security trade-off. It is intended to replace unencrypted HTTP [[basic access authentication]]. It is not, however, intended to replace strong authentication protocols, such as [[Public-key cryptography|public-key]] or [[Kerberos (protocol)|Kerberos]] authentication. 
 
In terms of security, there are several drawbacks with digest access authentication:
* Many of the security options in RFC 2617 are optional. If quality-of-protection (qop) is not specified by the server, the client will operate in a security-reduced legacy RFC 2069 mode.
* Digest access authentication is vulnerable to a [[Man-in-the-middle attack|man-in-the-middle (MitM) attack]]. For example, a MitM attacker could tell clients to use basic access authentication or legacy RFC2069 digest access authentication mode. To extend this further, digest access authentication provides no mechanism for clients to verify the server's identity.
* Some servers require passwords to be stored using reversible encryption. However, it is possible to instead store the digested value of the username, realm, and password.<ref>{{cite web
| url=https://tools.ietf.org/html/rfc2617#section-4.13
| title=HTTP Authentication: Basic and Digest Access Authentication: Storing passwords
| date=June 1999
| publisher=[[IETF]]}}</ref>
* It prevents the use of a strong password hash (such as [[bcrypt]]) when storing passwords (since either the password, or the digested username, realm and password must be recoverable).
 
Also, since MD5 algorithm is not allowed in [[FIPS_140-2|FIPS]], HTTP Digest authentication will not work with FIPS-certified crypto modules. For the list of FIPS approved algorithms, please see <ref name="FIPS approved functions">{{cite web|url=http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf}}</ref>
 
=== Alternative authentication protocols ===
 
Some strong authentication protocols for web-based applications include:
* [[Public key]] authentication (usually implemented with [[HTTPS]] / [[Secure Sockets Layer|SSL]] client certificates).
* [[Kerberos (protocol)|Kerberos]] or [[SPNEGO]] authentication, primarily employed by [[Microsoft IIS]] running configured for [[Integrated Windows Authentication]] (IWA).
* [[Secure Remote Password protocol]] (preferably within the [[HTTPS]] / [[Transport Layer Security|TLS]] layer).
 
Weak cleartext protocols are also often in use:
* [[Basic access authentication]] scheme
* [[HTTP+HTML form-based authentication]]
These weak cleartext protocols used together with HTTPS network encryption resolve many of the threats that digest access authentication is designed to prevent.
 
== Example with explanation ==
 
The following example was originally given in RFC 2617 and is expanded here to show the full text expected for each request and response.  Note that only the "auth" (authentication) quality of protection code is covered – at the time of writing, only the [[Opera (web browser)|Opera]] and [[Konqueror]] [[web browser]]s are known to support "auth-int" (authentication with integrity protection).  Although the specification mentions HTTP version 1.1, the scheme can be successfully added to a version 1.0 server, as shown here.
 
This typical transaction consists of the following steps.
 
* The client asks for a page that requires authentication but does not provide a [[username]] and password.  Typically this is because the user simply entered the address or followed a [[hyperlink|link]] to the page.
* The server responds with the [[HTTP_401#4xx_Client_Error|401]] "Unauthorized" response code, providing the authentication realm and a randomly generated, single-use value called a [[cryptographic nonce|nonce]].
* At this point, the browser will present the authentication realm (typically a description of the computer or system being accessed) to the user and prompt for a username and password.  The user may decide to cancel at this point.
* Once a username and password have been supplied, the client re-sends the same request but adds an authentication header that includes the response code.
* In this example, the server accepts the authentication and the page is returned.  If the username is invalid and/or the password is incorrect, the server might return the "401" response code and the client would prompt the user again.
 
Note: A client may already have the required username and password without needing to prompt the user, e.g. if they have previously been stored by a web browser.
 
----
 
; Client request (no authentication):
 
GET /dir/index.html HTTP/1.0
Host: localhost
 
(followed by a [[Newline|new line]], in the form of a [[carriage return]] followed by a [[line feed]]).<ref>{{cite web
| url=http://www.w3.org/Protocols/HTTP/1.0/spec.html#Request
| title=Hypertext Transfer Protocol -- HTTP/1.0: Request
| author=[[Tim Berners-Lee]], [[Roy Fielding]], [[Henrik Frystyk Nielsen]]
| date=1996-02-19
| publisher=[[W3C]]}}</ref>
 
; Server response:
 
HTTP/1.0 401 Unauthorized
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
WWW-Authenticate: Digest realm="testrealm@host.com",
                        qop="auth,auth-int",
                        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                        opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Content-Length: 311
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
  <HEAD>
    <TITLE>Error</TITLE>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
  </HEAD>
  <nowiki><BODY><H1>401 Unauthorized.</H1></BODY></nowiki>
</HTML>
 
; Client request (username "Mufasa", password "Circle Of Life"):
 
GET /dir/index.html HTTP/1.0
Host: localhost
Authorization: Digest username="Mufasa",
                      realm="testrealm@host.com",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      uri="/dir/index.html",
                      qop=auth,
                      nc=00000001,
                      cnonce="0a4f113b",
                      response="6629fae49393a05397450978507c4ef1",
                      opaque="5ccc069c403ebaf9f0171e9517f40e41"
 
(followed by a blank line, as before).
 
; Server response:
 
HTTP/1.0 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984
 
(followed by a blank line and HTML text of the restricted page).
 
----
 
The "response" value is calculated in three steps, as follows. Where values are combined, they are [[delimiter|delimited]] by [[colon (punctuation)|colon]] symbols.
 
# The MD5 hash of the combined username, authentication realm and password is calculated. The result is referred to as HA1.
# The MD5 hash of the combined method and digest [[Uniform Resource Identifier|URI]] is calculated, e.g. of <code>"GET"</code> and <code>"/dir/index.html"</code>.  The result is referred to as HA2.
# The MD5 hash of the combined HA1 result, server nonce (nonce), request counter (nc), client nonce (cnonce), quality of protection code (qop) and HA2 result is calculated.  The result is the "response" value provided by the client.
 
Since the server has the same information as the client, the response can be checked by performing the same calculation.  In the example given above the result is formed as follows, where <code>MD5()</code> represents a function used to calculate an MD5 hash, backslashes represent a continuation and the quotes shown are not used in the calculation.
 
Completing the example given in RFC 2617 gives the following results for each step.
 
    HA1 = MD5( "Mufasa:testrealm@host.com:Circle Of Life" )
        = 939e7578ed9e3c518a452acee763bce9
    HA2 = MD5( "GET:/dir/index.html" )
        = 39aff3a2bab6126f332b942af96d3366
    Response = MD5( "939e7578ed9e3c518a452acee763bce9:\
                    dcd98b7102dd2f0e8b11d0f600bfb0c093:\
                    00000001:0a4f113b:auth:\
                    39aff3a2bab6126f332b942af96d3366" )
            = 6629fae49393a05397450978507c4ef1
 
At this point the client may make another request, reusing the server nonce value (the server only issues a new nonce for each "401" response) but providing a new client nonce (cnonce).  For subsequent requests, the hexadecimal request counter (nc) must be greater than the last value it used – otherwise an attacker could simply "[[replay attack|replay]]" an old request with the same credentials.  It is up to the server to ensure that the counter increases for each of the nonce values that it has issued, rejecting any bad requests appropriately.  Obviously changing the method, URI and/or counter value will result in a different response value.
 
The server should remember nonce values that it has recently generated.  It may also remember when each nonce value was issued, expiring them after a certain amount of time.  If an expired value is used, the server should respond with the "401" status code and add <code>stale=TRUE</code> to the authentication header, indicating that the client should re-send with the new nonce provided, without prompting the user for another username and password.
 
The server does not need to keep any expired nonce values – it can simply assume that any unrecognised values have expired.  It is also possible for the server to only allow each nonce value to be returned once, although this forces the client to repeat every request.  Note that expiring a server nonce immediately will not work, as the client would never get a chance to use it.
 
== The .htdigest file ==
 
.htdigest is a [[Flat file database|flat-file]] used to store usernames, realm and passwords for digest authentication of [[Apache HTTP Server]]. The name of the file is given in the [[.htaccess]] configuration, and can be anything, but ".htdigest" is the canonical name. The file name starts with a dot, because most [[Unix-like]] operating systems consider any file that begins with dot to be hidden. This file is often maintained with the shell command "htdigest" which can add, delete, and update users, and will properly encode the password for use.
 
The "htdigest" command is found in the '''apache2-utils''' package on [[dpkg]] package management systems and the '''httpd-tools''' package on [[RPM Package Manager|RPM package management]] systems.
 
;Syntax of the htdigest command [http://httpd.apache.org/docs/2.2/programs/htdigest.html]
htdigest [ -c ] ''passwdfile realm username''
 
;Format of the .htdigest file
user1:Realm:5ea41921c65387d904834f8403185412
user2:Realm:734418f1e487083dc153890208b79379
 
== SIP digest authentication ==
 
[[Session Initiation Protocol|SIP]] uses basically the same digest authentication algorithm. It is specified by RFC 3261.
 
== Browser implementation ==
 
Most browsers have substantially implemented the spec, some barring certain features such as auth-int checking or the MD5-sess algorithm. If the server requires that these optional features be handled, clients may not be able to authenticate (though note mod_auth_digest for Apache does not fully implement RFC 2617 either).
 
* [[Amaya (web browser)|Amaya]]
* [[Gecko (layout engine)|Gecko]]-based: (not including auth-int<ref>{{cite web
| url=https://bugzilla.mozilla.org/show_bug.cgi?id=168942
| title=Bug 168942 - Digest authentication with integrity protection
| date=2002-09-16
| author=Emanuel Corthay
| work=[[Mozilla]]}}</ref>)
** [[Mozilla Application Suite]]
** [[Mozilla Firefox]]
** [[Netscape (version 7)|Netscape 7+]]
* [[ICab|iCab 3.0.3+]]
* [[KHTML]]- and [[WebKit]]-based: (not including auth-int<ref>{{cite web
| url=https://secure.vsecurity.com/download/papers/HTTPDigestIntegrity.pdf
| title=HTTP Digest Integrity: Another look, in light of recent attacks
| author=Timothy D. Morgan
| date=2010-01-05
| publisher=vsecurity.com}}</ref>)
** [[iCab]] 4
** [[Konqueror]]
** [[Google Chrome]]
** [[Safari (web browser)|Safari]]
* [[Tasman (layout engine)|Tasman]]-based:
** [[Internet Explorer for Mac]]
* [[Trident (layout engine)|Trident]]-based:
** [[Internet Explorer 5|Internet Explorer 5+]] <ref>{{cite web
| url=http://technet.microsoft.com/en-us/library/cc738318(v=ws.10).aspx
| title=TechNet Digest Authentication
| date=August 2013}}</ref> (not including auth-int)
* [[Presto (layout engine)|Presto]]-based:
** [[Opera (web browser)|Opera]]
** [[Opera Mobile]]
** [[Opera Mini]]
** [[Nintendo DS Browser]]
** [[Nokia 770]] Browser
** [[mylo (Sony)|Sony Mylo 1]]'s Browser
** [[Wii]] [[Internet Channel]] Browser
 
== See also ==
* [[AKA (security)]]
* [[Basic access authentication]]
 
== References ==
{{reflist}}
 
== External links ==
* RFC 2617
* RFC 2069 (obsolete)
 
[[Category:Cryptographic protocols]]
[[Category:Hypertext Transfer Protocol]]
[[Category:Request for Comments]]
 
[[fr:HTTP Authentification#Méthode Digest]]
[[de:HTTP-Authentifizierung#Digest Access Authentication]]

Latest revision as of 18:26, 31 October 2013

Template:HTTP Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It applies a hash function to a password before sending it over the network, which is safer than basic access authentication, which sends plaintext.

Technically, digest authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. It uses the HTTP protocol.

Overview

Digest access authentication was originally specified by RFC 2069 (An Extension to HTTP: Digest Access Authentication). RFC 2069 specifies roughly a traditional digest authentication scheme with security maintained by a server-generated nonce value. The authentication response is formed as follows (where HA1, HA2, A1, A2 are names of string variables):

HA1=MD5(A1)=MD5(username:realm:password)
HA2=MD5(A2)=MD5(method:digestURI)
response=MD5(HA1:nonce:HA2)

RFC 2069 was later replaced by RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication). RFC 2617 introduced a number of optional security enhancements to digest authentication; "quality of protection" (qop), nonce counter incremented by client, and a client-generated random nonce. These enhancements are designed to protect against, for example, chosen-plaintext attack cryptanalysis.

If the algorithm directive's value is "MD5" or unspecified, then HA1 is

HA1=MD5(A1)=MD5(username:realm:password)

If the algorithm directive's value is "MD5-sess", then HA1 is

HA1=MD5(A1)=MD5(MD5(username:realm:password):nonce:cnonce)

If the qop directive's value is "auth" or is unspecified, then HA2 is

HA2=MD5(A2)=MD5(method:digestURI)

If the qop directive's value is "auth-int", then HA2 is

HA2=MD5(A2)=MD5(method:digestURI:MD5(entityBody))

If the qop directive's value is "auth" or "auth-int", then compute the response as follows:

response=MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)

If the qop directive is unspecified, then compute the response as follows:

response=MD5(HA1:nonce:HA2)

The above shows that when qop is not specified, the simpler RFC 2069 standard is followed.

Impact of MD5 security on digest authentication

The MD5 calculations used in HTTP digest authentication is intended to be "one way", meaning that it should be difficult to determine the original input when only the output is known. If the password itself is too simple, however, then it may be possible to test all possible inputs and find a matching output (a brute-force attack) – perhaps aided by a dictionary or suitable look-up list.

The HTTP scheme was designed by Phillip Hallam-Baker at CERN in 1993 and does not incorporate subsequent improvements in authentication systems, such as the development of keyed-hash message authentication code (HMAC). Although the cryptographic construction that is used is based on the MD5 hash function, collision attacks were in 2004 generally believed to not affect applications where the plaintext (i.e. password) is not known.[1]Potter or Ceramic Artist Truman Bedell from Rexton, has interests which include ceramics, best property developers in singapore developers in singapore and scrabble. Was especially enthused after visiting Alejandro de Humboldt National Park. However, claims in 2006[2] cause some doubt over other MD5 applications as well. So far, however, MD5 collision attacks have not been shown to pose a threat to digest authentication, and the RFC 2617 allows servers to implement mechanisms to detect some collision and replay attacks.

HTTP digest authentication considerations

Advantages

HTTP digest authentication is designed to be more secure than traditional digest authentication schemes; e.g., "significantly stronger than (e.g.) CRAM-MD5 ..." (RFC 2617).

Some of the security strengths of HTTP digest authentication are:

  • The password is not used directly in the digest, but rather HA1 = MD5(username:realm:password). This allows some implementations (e.g. JBoss[3]) to store HA1 rather than the cleartext password.
  • Client nonce was introduced in RFC 2617, which allows the client to prevent Chosen-plaintext attacks (which otherwise makes e.g. rainbow tables a threat to digest authentication schemes).
  • Server nonce is allowed to contain timestamps. Therefore the server may inspect nonce attributes submitted by clients, to prevent replay attacks.
  • Server is also allowed to maintain a list of recently issued or used server nonce values to prevent reuse.

Disadvantages

Digest access authentication is intended as a security trade-off. It is intended to replace unencrypted HTTP basic access authentication. It is not, however, intended to replace strong authentication protocols, such as public-key or Kerberos authentication.

In terms of security, there are several drawbacks with digest access authentication:

  • Many of the security options in RFC 2617 are optional. If quality-of-protection (qop) is not specified by the server, the client will operate in a security-reduced legacy RFC 2069 mode.
  • Digest access authentication is vulnerable to a man-in-the-middle (MitM) attack. For example, a MitM attacker could tell clients to use basic access authentication or legacy RFC2069 digest access authentication mode. To extend this further, digest access authentication provides no mechanism for clients to verify the server's identity.
  • Some servers require passwords to be stored using reversible encryption. However, it is possible to instead store the digested value of the username, realm, and password.[4]
  • It prevents the use of a strong password hash (such as bcrypt) when storing passwords (since either the password, or the digested username, realm and password must be recoverable).

Also, since MD5 algorithm is not allowed in FIPS, HTTP Digest authentication will not work with FIPS-certified crypto modules. For the list of FIPS approved algorithms, please see [5]

Alternative authentication protocols

Some strong authentication protocols for web-based applications include:

Weak cleartext protocols are also often in use:

These weak cleartext protocols used together with HTTPS network encryption resolve many of the threats that digest access authentication is designed to prevent.

Example with explanation

The following example was originally given in RFC 2617 and is expanded here to show the full text expected for each request and response. Note that only the "auth" (authentication) quality of protection code is covered – at the time of writing, only the Opera and Konqueror web browsers are known to support "auth-int" (authentication with integrity protection). Although the specification mentions HTTP version 1.1, the scheme can be successfully added to a version 1.0 server, as shown here.

This typical transaction consists of the following steps.

  • The client asks for a page that requires authentication but does not provide a username and password. Typically this is because the user simply entered the address or followed a link to the page.
  • The server responds with the 401 "Unauthorized" response code, providing the authentication realm and a randomly generated, single-use value called a nonce.
  • At this point, the browser will present the authentication realm (typically a description of the computer or system being accessed) to the user and prompt for a username and password. The user may decide to cancel at this point.
  • Once a username and password have been supplied, the client re-sends the same request but adds an authentication header that includes the response code.
  • In this example, the server accepts the authentication and the page is returned. If the username is invalid and/or the password is incorrect, the server might return the "401" response code and the client would prompt the user again.

Note: A client may already have the required username and password without needing to prompt the user, e.g. if they have previously been stored by a web browser.


Client request (no authentication)
GET /dir/index.html HTTP/1.0
Host: localhost

(followed by a new line, in the form of a carriage return followed by a line feed).[6]

Server response
HTTP/1.0 401 Unauthorized
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
WWW-Authenticate: Digest realm="testrealm@host.com",
                        qop="auth,auth-int",
                        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                        opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Content-Length: 311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
  <HEAD>
    <TITLE>Error</TITLE>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
  </HEAD>
  <BODY><H1>401 Unauthorized.</H1></BODY>
</HTML>
Client request (username "Mufasa", password "Circle Of Life")
GET /dir/index.html HTTP/1.0
Host: localhost
Authorization: Digest username="Mufasa",
                     realm="testrealm@host.com",
                     nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                     uri="/dir/index.html",
                     qop=auth,
                     nc=00000001,
                     cnonce="0a4f113b",
                     response="6629fae49393a05397450978507c4ef1",
                     opaque="5ccc069c403ebaf9f0171e9517f40e41"

(followed by a blank line, as before).

Server response
HTTP/1.0 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984

(followed by a blank line and HTML text of the restricted page).


The "response" value is calculated in three steps, as follows. Where values are combined, they are delimited by colon symbols.

  1. The MD5 hash of the combined username, authentication realm and password is calculated. The result is referred to as HA1.
  2. The MD5 hash of the combined method and digest URI is calculated, e.g. of "GET" and "/dir/index.html". The result is referred to as HA2.
  3. The MD5 hash of the combined HA1 result, server nonce (nonce), request counter (nc), client nonce (cnonce), quality of protection code (qop) and HA2 result is calculated. The result is the "response" value provided by the client.

Since the server has the same information as the client, the response can be checked by performing the same calculation. In the example given above the result is formed as follows, where MD5() represents a function used to calculate an MD5 hash, backslashes represent a continuation and the quotes shown are not used in the calculation.

Completing the example given in RFC 2617 gives the following results for each step.

   HA1 = MD5( "Mufasa:testrealm@host.com:Circle Of Life" )
       = 939e7578ed9e3c518a452acee763bce9

   HA2 = MD5( "GET:/dir/index.html" )
       = 39aff3a2bab6126f332b942af96d3366

   Response = MD5( "939e7578ed9e3c518a452acee763bce9:\
                    dcd98b7102dd2f0e8b11d0f600bfb0c093:\
                    00000001:0a4f113b:auth:\
                    39aff3a2bab6126f332b942af96d3366" )
            = 6629fae49393a05397450978507c4ef1

At this point the client may make another request, reusing the server nonce value (the server only issues a new nonce for each "401" response) but providing a new client nonce (cnonce). For subsequent requests, the hexadecimal request counter (nc) must be greater than the last value it used – otherwise an attacker could simply "replay" an old request with the same credentials. It is up to the server to ensure that the counter increases for each of the nonce values that it has issued, rejecting any bad requests appropriately. Obviously changing the method, URI and/or counter value will result in a different response value.

The server should remember nonce values that it has recently generated. It may also remember when each nonce value was issued, expiring them after a certain amount of time. If an expired value is used, the server should respond with the "401" status code and add stale=TRUE to the authentication header, indicating that the client should re-send with the new nonce provided, without prompting the user for another username and password.

The server does not need to keep any expired nonce values – it can simply assume that any unrecognised values have expired. It is also possible for the server to only allow each nonce value to be returned once, although this forces the client to repeat every request. Note that expiring a server nonce immediately will not work, as the client would never get a chance to use it.

The .htdigest file

.htdigest is a flat-file used to store usernames, realm and passwords for digest authentication of Apache HTTP Server. The name of the file is given in the .htaccess configuration, and can be anything, but ".htdigest" is the canonical name. The file name starts with a dot, because most Unix-like operating systems consider any file that begins with dot to be hidden. This file is often maintained with the shell command "htdigest" which can add, delete, and update users, and will properly encode the password for use.

The "htdigest" command is found in the apache2-utils package on dpkg package management systems and the httpd-tools package on RPM package management systems.

Syntax of the htdigest command [1]
htdigest [ -c ] passwdfile realm username
Format of the .htdigest file
user1:Realm:5ea41921c65387d904834f8403185412
user2:Realm:734418f1e487083dc153890208b79379

SIP digest authentication

SIP uses basically the same digest authentication algorithm. It is specified by RFC 3261.

Browser implementation

Most browsers have substantially implemented the spec, some barring certain features such as auth-int checking or the MD5-sess algorithm. If the server requires that these optional features be handled, clients may not be able to authenticate (though note mod_auth_digest for Apache does not fully implement RFC 2617 either).

See also

References

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.

External links

  • RFC 2617
  • RFC 2069 (obsolete)

fr:HTTP Authentification#Méthode Digest de:HTTP-Authentifizierung#Digest Access Authentication