authentication
... The protocol referred to as "HTTP/1.0" includes specification for a
Basic Access Authentication scheme[1]. This scheme is not considered
to be a secure method of user authentication, as the user name and
password are passed over the network in an unencrypted form. A
specification for a new authentication scheme is needed for future
versions of the HTTP protocol. This document provides specification
for such a scheme, referred to as "Digest Access Authentication".

The Digest Access Authentication scheme is not intended to be a
complete answer to the need for security in the World Wide Web ...
... encryption of object content. The intent is simply
to create a weak access authentication method which avoids the most
serious flaws of Basic authentication.

It is proposed that this access authentication scheme be included in
the proposed HTTP/1.1 specification.
...
Like Basic Access Authentication, the Digest scheme is based on a
simple challenge-response paradigm. The Digest scheme challenges
...
The digest authentication scheme described in this document suffers
from many known limitations. It is intended as a replacement for
basic authentication and nothing more. It is a password-based system
and (on the server side ...
... scheme. Nevertheless it is better than nothing, better than what is
commonly used with telnet and ftp, and better than Basic
authentication.
...
Digest Access Authentication Scheme

The Digest Access Authentication scheme is conceptually similar to
the Basic scheme. The formats of the modified WWW-Authenticate
header ...
... HTTP/1.1 specification, section
2.1. In addition, a new header, Authentication-info, is specified.
...
The WWW-Authenticate Response Header

... header is not sent, the server responds with
a "401 Unauthorized" status code, and a WWW-Authenticate header,
which is defined as follows:

    WWW-Authenticate = "WWW-Authenticate" ":" "Digest"
                       digest-challenge
...
... password to use. This string should contain at least the name of
the host performing the authentication and might additionally
indicate the collection of users who might have access. An example
might be "registered_users@gotham.news.com". The realm is a ...
... client could use this information to know the
set of URIs for which the same authentication information should be
sent. The URIs in this list may exist on different servers. If ...
... nonce after receiving the
client authentication header and reject the request if it did not
match the nonce ...
... but MUST first revalidate it with the origin server, using the
request headers from the new request to allow the origin server to
authenticate the new request. Alternatively, if the original
response included the "public" Cache-control directive, the response
...
When authentication succeeds, the Server may optionally provide an
Authentication-info header indicating that the server wants to
communicate some information regarding the successful authentication
(such as an entity digest or a new nonce ...
... optional.

    AuthenticationInfo = "Authentication-info" ":"
                         1#( digest | nextnonce )

... nonce the server wishes
the client to use for the next authentication response. Note that
either field is optional. In particular the server may send the
Authentication-info header with only the nextnonce field as a means
of implementing one-time nonces ...
... the client is strongly encouraged to use it for the next
WWW-Authenticate header. Failure of the client to do so may result in a
request to re-authenticate from the server with the "stale=TRUE."
...
As with the basic scheme, proxies must be completely transparent in
the Digest access authentication scheme. That is, they must forward
the WWW-Authenticate, Authentication-info and Authorization headers
untouched. If a proxy wants to authenticate a client before a request
is forwarded to the server, it can be done using the Proxy-Authenticate
and Proxy-Authorization headers ...

It is possible that a server may want to require Digest as its
authentication method, even if the server does not know that the
client supports it. A client is encouraged to fail gracefully if the
server specifies any authentication scheme it cannot handle.
...
The digest authentication scheme may also be used for authenticating
users to proxies, proxies ...
... transactions for proxy
authentication are very similar to those already described. Upon
receiving a request which requires authentication, the proxy/server
must issue the "HTTP/1.1 ...
... where digest-response is as defined above in section 2.1. When
authentication succeeds, the Server may optionally provide a
Proxy-Authentication-info header of the form

    Proxy-Authentication-info = "Proxy-Authentication-info" ":" nextnonce

where nextnonce has the same semantics as the nextnonce field in the
Authentication-info header described above in section 2.1.

Note that in principle a client could be asked to authenticate itself
to both a proxy and an end-server. It might receive an "HTTP/1.1 401
Unauthorized" header followed by both a WWW-Authenticate and a
Proxy-Authenticate header. However, it can never receive more than
one Proxy-Authenticate header since such headers are only for ...
...
Digest Authentication does not provide a strong authentication
mechanism. That is not its intent. It is intended solely to replace
a much weaker and even more dangerous authentication mechanism: Basic
Authentication. An important design constraint is that the new
authentication scheme be free of patent and export restrictions.

Most needs for secure HTTP transactions cannot be met by Digest
Authentication. For those needs SSL or SHTTP are more appropriate
protocols. In particular digest authentication cannot be used for
any transaction requiring encrypted content. Nevertheless many
functions remain for which digest authentication is both useful and
appropriate.
...
Comparison with Basic Authentication

Both Digest and Basic Authentication are very much on the weak end of
the security strength spectrum. But a comparison ...
... database whose use is
restricted to paying subscribers. With Basic authentication an
eavesdropper can obtain the password of the user. This not only ...
... password.

By contrast, with Digest Authentication the eavesdropper only gets
access to the transaction in question and not to the user's password ...
...
A replay attack against digest authentication would usually be
pointless for a simple GET request since an eavesdropper would
already have seen the only document he could obtain with a replay.
...
... client response and the server will only deliver that document. By
contrast under Basic Authentication once the eavesdropper has the
user's password, any document protected by that password ...
... list of the values of used digests, a server would hash these values
and require re-authentication whenever a hash collision occurs.
...
... integrity
of the posted data. Alternatively, a server may choose to allow
digest authentication only with GET requests. Responsible server
implementors will document the risks described here as they pertain
...
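The one-time-nonce mechanism of the Authentication-info section (nextnonce, re-challenge with stale=TRUE) and the replay discussion just above, worked through as an added example that is not the RFC's own code: the RFC 2069 digest computation (H = MD5, A1 = username:realm:password, A2 = method:uri, response = H(H(A1):nonce:H(A2))) beside a server that stores only H(A1), accepts each nonce exactly once, returns nextnonce on success, and answers a replayed header with a fresh stale=TRUE challenge. The DigestServer class and its dictionary layout are this example's own, and the realm and user are constructed.

```python
# Added example: RFC 2069-style Digest computation plus a server with one-time
# nonces. DigestServer and the dict field names are this example's own.
import hashlib
import secrets

def h(data: str) -> str:
    """H() in RFC 2069 is MD5 of the string, rendered as lowercase hex."""
    return hashlib.md5(data.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """What the server stores instead of the password: H(username:realm:password).
    Because the realm is digested in, one compromised file does not open another realm."""
    return h(f"{username}:{realm}:{password}")

def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """Client side: response = H(H(A1) ":" nonce ":" H(A2)) with A2 = method ":" uri."""
    return h(f"{ha1_value}:{nonce}:{h(method + ':' + uri)}")

class DigestServer:
    def __init__(self, realm: str, password_file: dict):
        self.realm = realm
        self.password_file = password_file   # username -> H(A1), never the password
        self.live_nonces = set()             # issued but not yet consumed

    def challenge(self, stale: bool = False) -> dict:
        """Build the 401 challenge; stale=True tells the client only its nonce was bad."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"status": 401, "realm": self.realm, "nonce": nonce, "stale": stale}

    def authorize(self, auth: dict, method: str) -> dict:
        """Check one Authorization header. Each nonce is accepted once, so a captured
        header replayed later (or sent after nextnonce was ignored) is re-challenged."""
        nonce = auth["nonce"]
        if nonce not in self.live_nonces:
            return self.challenge(stale=True)
        self.live_nonces.discard(nonce)          # consume it whatever happens next
        stored = self.password_file.get(auth["username"])
        if stored is None:
            return self.challenge()
        expected = digest_response(stored, nonce, method, auth["uri"])
        if not secrets.compare_digest(expected, auth["response"]):
            return self.challenge()
        # Success: the Authentication-info nextnonce is the nonce for the next request.
        return {"status": 200, "nextnonce": self.challenge()["nonce"]}
```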
Both Basic and Digest authentication are vulnerable to "man in the
middle" attacks, for example, from a hostile or compromised proxy ...
... attack, clients should
remember if a site has used Digest authentication in the past, and
warn the user if the site stops using it. It might also be a good
idea for the browser to be configured to demand Digest authentication
in general, or from specific sites.
...
... client wanted. Of course, this
is still much harder than a comparable attack against Basic
Authentication.

There are several attacks on the "digest" field in the
Authentication-info header. A simple but effective attack is just to
...
Basic Authentication is vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that she is connecting to a
...
... password, store it away for later use, and feign
an error. This type of attack is more difficult with Digest
Authentication -- but the client must know to demand that Digest
authentication be used, perhaps using some of the techniques
described above to counter "man-in-the-middle ...
...
Digest authentication requires that the authenticating agent (usually
the server) store some data derived from the user's name and password ...
... realm is part of the digested data stored in the password file. It
means that if one digest authentication password file is compromised,
it does not automatically compromise others with the same username ...
... particular a realm string should include the name of the host doing
the authentication. The inability of the client to authenticate the
server is a weakness of Digest Authentication.
...
By modern cryptographic standards Digest Authentication is weak. But
for a large range of purposes it is valuable as a replacement for
Basic Authentication. It remedies many, but not all, weaknesses of
Basic Authentication. Its strength may vary depending on the
implementation. In particular the structure of the nonce (which is
...
... relatively weak by cryptographic standards, but *any* compliant
implementation will be far superior to Basic Authentication.
