1
2
3
4
5
6
7 Network Working Group J. Franks
8 Request for Comments: 2069 Northwestern University
9 Category: Standards Track P. Hallam-Baker
10 CERN
11 J. Hostetler
12 Spyglass, Inc.
13 P. Leach
14 Microsoft Corporation
15 A. Luotonen
16 Netscape Communications Corporation
17 E. Sink
18 Spyglass, Inc.
19 L. Stewart
20 Open Market, Inc.
21 January 1997
22
23
24 An Extension to HTTP : Digest Access Authentication
25
26 Status of this Memo
27
28 This document specifies an Internet standards track protocol for the
29 Internet community, and requests discussion and suggestions for
30 improvements. Please refer to the current edition of the "Internet
31 Official Protocol Standards" (STD 1) for the standardization state
32 and status of this protocol. Distribution of this memo is unlimited.
33
34 Abstract
35
36 The protocol referred to as "HTTP/1.0" includes the specification for
37 a Basic Access Authentication scheme. This scheme is not considered
38 to be a secure method of user authentication, as the user name and
39 password are passed over the network as clear text. A specification
40 for a different authentication scheme is needed to address this
41 severe limitation. This document provides specification for such a
42 scheme, referred to as "Digest Access Authentication". Like Basic,
43 Digest access authentication verifies that both parties to a
44 communication know a shared secret (a password); unlike Basic, this
45 verification can be done without sending the password in the clear,
46 which is Basic's biggest weakness. As with most other authentication
47 protocols, the greatest sources of risks are usually found not in the
48 core protocol itself but in policies and procedures surrounding its
49 use.
50
51
52
53
54
55
56
57
58 Franks, et. al. Standards Track [Page 1]
59 �
60 RFC 2069 Digest Access Authentication January 1997
61
62
63 Table of Contents
64
65 INTRODUCTION...................................................... 2
66 1.1 PURPOSE .................................................... 2
67 1.2 OVERALL OPERATION .......................................... 3
68 1.3 REPRESENTATION OF DIGEST VALUES ............................ 3
69 1.4 LIMITATIONS ................................................ 3
70 2. DIGEST ACCESS AUTHENTICATION SCHEME............................ 3
71 2.1 SPECIFICATION OF DIGEST HEADERS ............................. 3
72 2.1.1 THE WWW-AUTHENTICATE RESPONSE HEADER ..................... 4
73 2.1.2 THE AUTHORIZATION REQUEST HEADER ......................... 6
74 2.1.3 THE AUTHENTICATION-INFO HEADER ........................... 9
75 2.2 DIGEST OPERATION ............................................ 10
76 2.3 SECURITY PROTOCOL NEGOTIATION ............................... 10
77 2.4 EXAMPLE ..................................................... 11
78 2.5 PROXY-AUTHENTICATION AND PROXY-AUTHORIZATION ................ 11
79 3. SECURITY CONSIDERATIONS........................................ 12
80 3.1 COMPARISON WITH BASIC AUTHENTICATION ........................ 13
81 3.2 REPLAY ATTACKS .............................................. 13
82 3.3 MAN IN THE MIDDLE ........................................... 14
83 3.4 SPOOFING BY COUNTERFEIT SERVERS ............................. 15
84 3.5 STORING PASSWORDS ........................................... 15
85 3.6 SUMMARY ..................................................... 16
86 4. ACKNOWLEDGMENTS............................................... 16
87 5. REFERENCES..................................................... 16
88 6. AUTHORS' ADDRESSES............................................. 17
89
90 Introduction
91
92 1.1 Purpose
93
94 The protocol referred to as "HTTP/1.0" includes specification for a
95 Basic Access Authentication scheme[1]. This scheme is not considered
96 to be a secure method of user authentication, as the user name and
97 password are passed over the network in an unencrypted form. A
98 specification for a new authentication scheme is needed for future
99 versions of the HTTP protocol. This document provides specification
100 for such a scheme, referred to as "Digest Access Authentication".
101
102 The Digest Access Authentication scheme is not intended to be a
103 complete answer to the need for security in the World Wide Web. This
104 scheme provides no encryption of object content. The intent is simply
105 to create a weak access authentication method which avoids the most
106 serious flaws of Basic authentication.
107
108 It is proposed that this access authentication scheme be included in
109 the proposed HTTP/1.1 specification.
110
111
112
113
114 Franks, et. al. Standards Track [Page 2]
115 �
116 RFC 2069 Digest Access Authentication January 1997
117
118
119 1.2 Overall Operation
120
121 Like Basic Access Authentication, the Digest scheme is based on a
122 simple challenge-response paradigm. The Digest scheme challenges
123 using a nonce value. A valid response contains a checksum (by
124 default the MD5 checksum) of the username, the password, the given
125 nonce value, the HTTP method, and the requested URI. In this way,
126 the password is never sent in the clear. Just as with the Basic
127 scheme, the username and password must be prearranged in some fashion
128 which is not addressed by this document.
129
130 1.3 Representation of digest values
131
132 An optional header allows the server to specify the algorithm used to
133 create the checksum or digest. By default the MD5 algorithm is used
134 and that is the only algorithm described in this document.
135
136 For the purposes of this document, an MD5 digest of 128 bits is
137 represented as 32 ASCII printable characters. The bits in the 128
138 bit digest are converted from most significant to least significant
139 bit, four bits at a time to their ASCII presentation as follows.
140 Each four bits is represented by its familiar hexadecimal notation
141 from the characters 0123456789abcdef. That is, binary 0000 gets
142 represented by the character '0', 0001, by '1', and so on up to the
143 representation of 1111 as 'f'.
144
145 1.4 Limitations
146
147 The digest authentication scheme described in this document suffers
148 from many known limitations. It is intended as a replacement for
149 basic authentication and nothing more. It is a password-based system
150 and (on the server side) suffers from all the same problems of any
151 password system. In particular, no provision is made in this
152 protocol for the initial secure arrangement between user and server
153 to establish the user's password.
154
155 Users and implementors should be aware that this protocol is not as
156 secure as kerberos, and not as secure as any client-side private-key
157 scheme. Nevertheless it is better than nothing, better than what is
158 commonly used with telnet and ftp, and better than Basic
159 authentication.
160
161 2. Digest Access Authentication Scheme
162
163 2.1 Specification of Digest Headers
164
165 The Digest Access Authentication scheme is conceptually similar to
166 the Basic scheme. The formats of the modified WWW-Authenticate
167
168
169
170 Franks, et. al. Standards Track [Page 3]
171 �
172 RFC 2069 Digest Access Authentication January 1997
173
174
175 header line and the Authorization header line are specified below,
176 using the extended BNF defined in the HTTP/1.1 specification, section
177 2.1. In addition, a new header, Authentication-info, is specified.
178
179 2.1.1 The WWW-Authenticate Response Header
180
181 If a server receives a request for an access-protected object, and an
182 acceptable Authorization header is not sent, the server responds with
183 a "401 Unauthorized" status code, and a WWW-Authenticate header,
184 which is defined as follows:
185
186 WWW-Authenticate = "WWW-Authenticate" ":" "Digest"
187 digest-challenge
188
189 digest-challenge = 1#( realm | [ domain ] | nonce |
190 [ digest-opaque ] |[ stale ] | [ algorithm ] )
191
192 realm = "realm" "=" realm-value
193 realm-value = quoted-string
194 domain = "domain" "=" <"> 1#URI <">
195 nonce = "nonce" "=" nonce-value
196 nonce-value = quoted-string
197 opaque = "opaque" "=" quoted-string
198 stale = "stale" "=" ( "true" | "false" )
199 algorithm = "algorithm" "=" ( "MD5" | token )
200
201 The meanings of the values of the parameters used above are as
202 follows:
203
204 realm
205 A string to be displayed to users so they know which username and
206 password to use. This string should contain at least the name of
207 the host performing the authentication and might additionally
208 indicate the collection of users who might have access. An example
209 might be "registered_users@gotham.news.com". The realm is a
210 "quoted-string" as specified in section 2.2 of the HTTP/1.1
211 specification [2].
212
213 domain
214 A comma-separated list of URIs, as specified for HTTP/1.0. The
215 intent is that the client could use this information to know the
216 set of URIs for which the same authentication information should be
217 sent. The URIs in this list may exist on different servers. If
218 this keyword is omitted or empty, the client should assume that the
219 domain consists of all URIs on the responding server.
220
221
222
223
224
225
226 Franks, et. al. Standards Track [Page 4]
227 �
228 RFC 2069 Digest Access Authentication January 1997
229
230
231 nonce
232 A server-specified data string which may be uniquely generated each
233 time a 401 response is made. It is recommended that this string be
234 base64 or hexadecimal data. Specifically, since the string is
235 passed in the header lines as a quoted string, the double-quote
236 character is not allowed.
237
238 The contents of the nonce are implementation dependent. The
239 quality of the implementation depends on a good choice. A
240 recommended nonce would include
241
242 H(client-IP ":" time-stamp ":" private-key )
243
244 Where client-IP is the dotted quad IP address of the client making
245 the request, time-stamp is a server-generated time value, private-
246 key is data known only to the server. With a nonce of this form a
247 server would normally recalculate the nonce after receiving the
248 client authentication header and reject the request if it did not
249 match the nonce from that header. In this way the server can limit
250 the reuse of a nonce to the IP address to which it was issued and
251 limit the time of the nonce's validity. Further discussion of the
252 rationale for nonce construction is in section 3.2 below.
253
254 An implementation might choose not to accept a previously used
255 nonce or a previously used digest to protect against a replay
256 attack. Or, an implementation might choose to use one-time nonces
257 or digests for POST or PUT requests and a time-stamp for GET
258 requests. For more details on the issues involved see section 3.
259 of this document.
260
261 The nonce is opaque to the client.
262
263 opaque
264 A string of data, specified by the server, which should be
265 returned by the client unchanged. It is recommended that this
266 string be base64 or hexadecimal data. This field is a
267 "quoted-string" as specified in section 2.2 of the HTTP/1.1
268 specification [2].
269
270 stale
271 A flag, indicating that the previous request from the client was
272 rejected because the nonce value was stale. If stale is TRUE (in
273 upper or lower case), the client may wish to simply retry the
274 request with a new encrypted response, without reprompting the
275 user for a new username and password. The server should only set
276 stale to true if it receives a request for which the nonce is
277 invalid but with a valid digest for that nonce (indicating that
278 the client knows the correct username/password).
279
280
281
282 Franks, et. al. Standards Track [Page 5]
283 �
284 RFC 2069 Digest Access Authentication January 1997
285
286
287 algorithm
288 A string indicating a pair of algorithms used to produce the
289 digest and a checksum. If this not present it is assumed to be
290 "MD5". In this document the string obtained by applying the
291 digest algorithm to the data "data" with secret "secret" will be
292 denoted by KD(secret, data), and the string obtained by applying
293 the checksum algorithm to the data "data" will be denoted
294 H(data).
295
296 For the "MD5" algorithm
297
298 H(data) = MD5(data)
299
300 and
301
302 KD(secret, data) = H(concat(secret, ":", data))
303
304 i.e., the digest is the MD5 of the secret concatenated with a colon
305 concatenated with the data.
306
307 2.1.2 The Authorization Request Header
308
309 The client is expected to retry the request, passing an Authorization
310 header line, which is defined as follows.
311
312 Authorization = "Authorization" ":" "Digest" digest-response
313
314 digest-response = 1#( username | realm | nonce | digest-uri |
315 response | [ digest ] | [ algorithm ] |
316 opaque )
317
318 username = "username" "=" username-value
319 username-value = quoted-string
320 digest-uri = "uri" "=" digest-uri-value
321 digest-uri-value = request-uri ; As specified by HTTP/1.1
322 response = "response" "=" response-digest
323 digest = "digest" "=" entity-digest
324
325 response-digest = <"> *LHEX <">
326 entity-digest = <"> *LHEX <">
327 LHEX = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
328 "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"
329
330 The definitions of response-digest and entity-digest above indicate
331 the encoding for their values. The following definitions show how the
332 value is computed:
333
334
335
336
337
338 Franks, et. al. Standards Track [Page 6]
339 �
340 RFC 2069 Digest Access Authentication January 1997
341
342
343 response-digest =
344 <"> < KD ( H(A1), unquoted nonce-value ":" H(A2) > <">
345
346 A1 = unquoted username-value ":" unquoted realm-value
347 ":" password
348 password = < user's password >
349 A2 = Method ":" digest-uri-value
350
351 The "username-value" field is a "quoted-string" as specified in
352 section 2.2 of the HTTP/1.1 specification [2]. However, the
353 surrounding quotation marks are removed in forming the string A1.
354 Thus if the Authorization header includes the fields
355
356 username="Mufasa", realm="myhost@testrealm.com"
357
358 and the user Mufasa has password "CircleOfLife" then H(A1) would be
359 H(Mufasa:myhost@testrealm.com:CircleOfLife) with no quotation marks
360 in the digested string.
361
362 No white space is allowed in any of the strings to which the digest
363 function H() is applied unless that white space exists in the quoted
364 strings or entity body whose contents make up the string to be
365 digested. For example, the string A1 in the illustrated above must
366 be Mufasa:myhost@testrealm.com:CircleOfLife with no white space on
367 either side of the colons. Likewise, the other strings digested by
368 H() must not have white space on either side of the colons which
369 delimit their fields unless that white space was in the quoted
370 strings or entity body being digested.
371
372 "Method" is the HTTP request method as specified in section 5.1 of
373 [2]. The "request-uri" value is the Request-URI from the request
374 line as specified in section 5.1 of [2]. This may be "*", an
375 "absoluteURL" or an "abs_path" as specified in section 5.1.2 of [2],
376 but it MUST agree with the Request-URI. In particular, it MUST be an
377 "absoluteURL" if the Request-URI is an "absoluteURL".
378
379 The authenticating server must assure that the document designated by
380 the "uri" parameter is the same as the document served. The purpose
381 of duplicating information from the request URL in this field is to
382 deal with the possibility that an intermediate proxy may alter the
383 client's request. This altered (but presumably semantically
384 equivalent) request would not result in the same digest as that
385 calculated by the client.
386
387 The optional "digest" field contains a digest of the entity body and
388 some of the associated entity headers. This digest can be useful in
389 both request and response transactions. In a request it can insure
390 the integrity of POST data or data being PUT to the server. In a
391
392
393
394 Franks, et. al. Standards Track [Page 7]
395 �
396 RFC 2069 Digest Access Authentication January 1997
397
398
399 response it insures the integrity of the served document. The value
400 of the "digest" field is an <entity-digest> which is defined as
401 follows.
402
403 entity-digest = <"> KD (H(A1), unquoted nonce-value ":" Method ":"
404 date ":" entity-info ":" H(entity-body)) <">
405 ; format is <"> *LHEX <">
406
407 date = = rfc1123-date ; see section 3.3.1 of [2]
408 entity-info = H(
409 digest-uri-value ":"
410 media-type ":" ; Content-type, see section 3.7 of [2]
411 *DIGIT ":" ; Content length, see 10.12 of [2]
412 content-coding ":" ; Content-encoding, see 3.5 of [2]
413 last-modified ":" ; last modified date, see 10.25 of [2]
414 expires ; expiration date; see 10.19 of [2]
415 )
416
417 last-modified = rfc1123-date ; see section 3.3.1 of [2]
418 expires = rfc1123-date
419
420 The entity-info elements incorporate the values of the URI used to
421 request the entity as well as the associated entity headers Content-
422 type, Content-length, Content-encoding, Last-modified, and Expires.
423 These headers are all end-to-end headers (see section 13.5.1 of [2])
424 which must not be modified by proxy caches. The "entity-body" is as
425 specified by section 10.13 of [2] or RFC 1864.
426
427 Note that not all entities will have an associated URI or all of
428 these headers. For example, an entity which is the data of a POST
429 request will typically not have a digest-uri-value or Last-modified
430 or Expires headers. If an entity does not have a digest-uri-value or
431 a header corresponding to one of the entity-info fields, then that
432 field is left empty in the computation of entity-info. All the
433 colons specified above are present, however. For example the value
434 of the entity-info associated with POST data which has content-type
435 "text/plain", no content-encoding and a length of 255 bytes would be
436 H(:text/plain:255:::). Similarly a request may not have a "Date"
437 header. In this case the date field of the entity-digest should be
438 empty.
439
440 In the entity-info and entity-digest computations, except for the
441 blank after the comma in "rfc1123-date", there must be no white space
442 between "words" and "tspecials", and exactly one blank between
443 "words" (see section 2.2 of [2]).
444
445
446
447
448
449
450 Franks, et. al. Standards Track [Page 8]
451 �
452 RFC 2069 Digest Access Authentication January 1997
453
454
455 Implementors should be aware of how authenticated transactions
456 interact with proxy caches. The HTTP/1.1 protocol specifies that
457 when a shared cache (see section 13.10 of [2]) has received a request
458 containing an Authorization header and a response from relaying that
459 request, it MUST NOT return that response as a reply to any other
460 request, unless one of two Cache-control (see section 14.9 of [2])
461 directives was present in the response. If the original response
462 included the "must-revalidate" Cache-control directive, the cache MAY
463 use the entity of that response in replying to a subsequent request,
464 but MUST first revalidate it with the origin server, using the
465 request headers from the new request to allow the origin server to
466 authenticate the new request. Alternatively, if the original
467 response included the "public" Cache-control directive, the response
468 entity MAY be returned in reply to any subsequent request.
469
470 2.1.3 The AuthenticationInfo Header
471
472 When authentication succeeds, the Server may optionally provide a
473 Authentication-info header indicating that the server wants to
474 communicate some information regarding the successful authentication
475 (such as an entity digest or a new nonce to be used for the next
476 transaction). It has two fields, digest and nextnonce. Both are
477 optional.
478
479 AuthenticationInfo = "Authentication-info" ":"
480 1#( digest | nextnonce )
481
482 nextnonce = "nextnonce" "=" nonce-value
483
484 digest = "digest" "=" entity-digest
485
486 The optional digest allows the client to verify that the body of the
487 response has not been changed en-route. The server would probably
488 only send this when it has the document and can compute it. The
489 server would probably not bother generating this header for CGI
490 output. The value of the "digest" is an <entity-digest> which is
491 computed as described above.
492
493 The value of the nextnonce parameter is the nonce the server wishes
494 the client to use for the next authentication response. Note that
495 either field is optional. In particular the server may send the
496 Authentication-info header with only the nextnonce field as a means
497 of implementing one-time nonces. If the nextnonce field is present
498 the client is strongly encouraged to use it for the next WWW-
499 Authenticate header. Failure of the client to do so may result in a
500 request to re-authenticate from the server with the "stale=TRUE."
501
502
503
504
505
506 Franks, et. al. Standards Track [Page 9]
507 �
508 RFC 2069 Digest Access Authentication January 1997
509
510
511 2.2 Digest Operation
512
513 Upon receiving the Authorization header, the server may check its
514 validity by looking up its known password which corresponds to the
515 submitted username. Then, the server must perform the same MD5
516 operation performed by the client, and compare the result to the
517 given response-digest.
518
519 Note that the HTTP server does not actually need to know the user's
520 clear text password. As long as H(A1) is available to the server,
521 the validity of an Authorization header may be verified.
522
523 A client may remember the username, password and nonce values, so
524 that future requests within the specified <domain> may include the
525 Authorization header preemptively. The server may choose to accept
526 the old Authorization header information, even though the nonce value
527 included might not be fresh. Alternatively, the server could return a
528 401 response with a new nonce value, causing the client to retry the
529 request. By specifying stale=TRUE with this response, the server
530 hints to the client that the request should be retried with the new
531 nonce, without reprompting the user for a new username and password.
532
533 The opaque data is useful for transporting state information around.
534 For example, a server could be responsible for authenticating content
535 which actually sits on another server. The first 401 response would
536 include a domain field which includes the URI on the second server,
537 and the opaque field for specifying state information. The client
538 will retry the request, at which time the server may respond with a
539 301/302 redirection, pointing to the URI on the second server. The
540 client will follow the redirection, and pass the same Authorization
541 header, including the <opaque> data which the second server may
542 require.
543
544 As with the basic scheme, proxies must be completely transparent in
545 the Digest access authentication scheme. That is, they must forward
546 the WWW-Authenticate, Authentication-info and Authorization headers
547 untouched. If a proxy wants to authenticate a client before a request
548 is forwarded to the server, it can be done using the Proxy-
549 Authenticate and Proxy-Authorization headers described in section 2.5
550 below.
551
552 2.3 Security Protocol Negotiation
553
554 It is useful for a server to be able to know which security schemes a
555 client is capable of handling.
556
557 If this proposal is accepted as a required part of the HTTP/1.1
558 specification, then a server may assume Digest support when a client
559
560
561
562 Franks, et. al. Standards Track [Page 10]
563 �
564 RFC 2069 Digest Access Authentication January 1997
565
566
567 identifies itself as HTTP/1.1 compliant.
568
569 It is possible that a server may want to require Digest as its
570 authentication method, even if the server does not know that the
571 client supports it. A client is encouraged to fail gracefully if the
572 server specifies any authentication scheme it cannot handle.
573
574 2.4 Example
575
576 The following example assumes that an access-protected document is
577 being requested from the server. The URI of the document is
578 "http://www.nowhere.org/dir/index.html". Both client and server know
579 that the username for this document is "Mufasa", and the password is
580 "CircleOfLife".
581
582 The first time the client requests the document, no Authorization
583 header is sent, so the server responds with:
584
585 HTTP/1.1 401 Unauthorized
586 WWW-Authenticate: Digest realm="testrealm@host.com",
587 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
588 opaque="5ccc069c403ebaf9f0171e9517f40e41"
589
590 The client may prompt the user for the username and password, after
591 which it will respond with a new request, including the following
592 Authorization header:
593
594 Authorization: Digest username="Mufasa",
595 realm="testrealm@host.com",
596 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
597 uri="/dir/index.html",
598 response="e966c932a9242554e42c8ee200cec7f6",
599 opaque="5ccc069c403ebaf9f0171e9517f40e41"
600
601 2.5 Proxy-Authentication and Proxy-Authorization
602
603 The digest authentication scheme may also be used for authenticating
604 users to proxies, proxies to proxies, or proxies to end servers by
605 use of the Proxy-Authenticate and Proxy-Authorization headers. These
606 headers are instances of the general Proxy-Authenticate and Proxy-
607 Authorization headers specified in sections 10.30 and 10.31 of the
608 HTTP/1.1 specification [2] and their behavior is subject to
609 restrictions described there. The transactions for proxy
610 authentication are very similar to those already described. Upon
611 receiving a request which requires authentication, the proxy/server
612 must issue the "HTTP/1.1 401 Unauthorized" header followed by a
613 "Proxy-Authenticate" header of the form
614
615
616
617
618 Franks, et. al. Standards Track [Page 11]
619 �
620 RFC 2069 Digest Access Authentication January 1997
621
622
623 Proxy-Authentication = "Proxy-Authentication" ":" "Digest"
624 digest-challenge
625
626 where digest-challenge is as defined above in section 2.1. The
627 client/proxy must then re-issue the request with a Proxy-Authenticate
628 header of the form
629
630 Proxy-Authorization = "Proxy-Authorization" ":"
631 digest-response
632
633 where digest-response is as defined above in section 2.1. When
634 authentication succeeds, the Server may optionally provide a Proxy-
635 Authentication-info header of the form
636
637 Proxy-Authentication-info = "Proxy-Authentication-info" ":" nextnonce
638
639 where nextnonce has the same semantics as the nextnonce field in the
640 Authentication-info header described above in section 2.1.
641
642 Note that in principle a client could be asked to authenticate itself
643 to both a proxy and an end-server. It might receive an "HTTP/1.1 401
644 Unauthorized" header followed by both a WWW-Authenticate and a
645 Proxy-Authenticate header. However, it can never receive more than
646 one Proxy-Authenticate header since such headers are only for
647 immediate connections and must not be passed on by proxies. If the
648 client receives both headers, it must respond with both the
649 Authorization and Proxy-Authorization headers as described above,
650 which will likely involve different combinations of username,
651 password, nonce, etc.
652
653 3. Security Considerations
654
655 Digest Authentication does not provide a strong authentication
656 mechanism. That is not its intent. It is intended solely to replace
657 a much weaker and even more dangerous authentication mechanism: Basic
658 Authentication. An important design constraint is that the new
659 authentication scheme be free of patent and export restrictions.
660
661 Most needs for secure HTTP transactions cannot be met by Digest
662 Authentication. For those needs SSL or SHTTP are more appropriate
663 protocols. In particular digest authentication cannot be used for
664 any transaction requiring encrypted content. Nevertheless many
665 functions remain for which digest authentication is both useful and
666 appropriate.
667
668
669
670
671
672
673
674 Franks, et. al. Standards Track [Page 12]
675 �
676 RFC 2069 Digest Access Authentication January 1997
677
678
679 3.1 Comparison with Basic Authentication
680
681 Both Digest and Basic Authentication are very much on the weak end of
682 the security strength spectrum. But a comparison between the two
683 points out the utility, even necessity, of replacing Basic by Digest.
684
685 The greatest threat to the type of transactions for which these
686 protocols are used is network snooping. This kind of transaction
687 might involve, for example, online access to a database whose use is
688 restricted to paying subscribers. With Basic authentication an
689 eavesdropper can obtain the password of the user. This not only
690 permits him to access anything in the database, but, often worse,
691 will permit access to anything else the user protects with the same
692 password.
693
694 By contrast, with Digest Authentication the eavesdropper only gets
695 access to the transaction in question and not to the user's password.
696 The information gained by the eavesdropper would permit a replay
697 attack, but only with a request for the same document, and even that
698 might be difficult.
699
700 3.2 Replay Attacks
701
702 A replay attack against digest authentication would usually be
703 pointless for a simple GET request since an eavesdropper would
704 already have seen the only document he could obtain with a replay.
705 This is because the URI of the requested document is digested in the
706 client response and the server will only deliver that document. By
707 contrast under Basic Authentication once the eavesdropper has the
708 user's password, any document protected by that password is open to
709 him. A GET request containing form data could only be "replayed"
710 with the identical data. However, this could be problematic if it
711 caused a CGI script to take some action on the server.
712
713 Thus, for some purposes, it is necessary to protect against replay
714 attacks. A good digest implementation can do this in various ways.
715 The server created "nonce" value is implementation dependent, but if
716 it contains a digest of the client IP, a time-stamp, and a private
717 server key (as recommended above) then a replay attack is not simple.
718 An attacker must convince the server that the request is coming from
719 a false IP address and must cause the server to deliver the document
720 to an IP address different from the address to which it believes it
721 is sending the document. An attack can only succeed in the period
722 before the time-stamp expires. Digesting the client IP and time-
723 stamp in the nonce permits an implementation which does not maintain
724 state between transactions.
725
726
727
728
729
730 Franks, et. al. Standards Track [Page 13]
731 �
732 RFC 2069 Digest Access Authentication January 1997
733
734
735 For applications where no possibility of replay attack can be
736 tolerated the server can use one-time response digests which will not
737 be honored for a second use. This requires the overhead of the
738 server remembering which digests have been used until the nonce
739 time-stamp (and hence the digest built with it) has expired, but it
740 effectively protects against replay attacks. Instead of maintaining a
741 list of the values of used digests, a server would hash these values
742 and require re-authentication whenever a hash collision occurs.
743
744 An implementation must give special attention to the possibility of
745 replay attacks with POST and PUT requests. A successful replay
746 attack could result in counterfeit form data or a counterfeit version
747 of a PUT file. The use of one-time digests or one-time nonces is
748 recommended. It is also recommended that the optional <digest> be
749 implemented for use with POST or PUT requests to assure the integrity
750 of the posted data. Alternatively, a server may choose to allow
751 digest authentication only with GET requests. Responsible server
752 implementors will document the risks described here as they pertain
753 to a given implementation.
754
755 3.3 Man in the Middle
756
757 Both Basic and Digest authentication are vulnerable to "man in the
758 middle" attacks, for example, from a hostile or compromised proxy.
759 Clearly, this would present all the problems of eavesdropping. But
760 it could also offer some additional threats.
761
762 A simple but effective attack would be to replace the Digest
763 challenge with a Basic challenge, to spoof the client into revealing
764 their password. To protect against this attack, clients should
765 remember if a site has used Digest authentication in the past, and
766 warn the user if the site stops using it. It might also be a good
767 idea for the browser to be configured to demand Digest authentication
768 in general, or from specific sites.
769
770 Or, a hostile proxy might spoof the client into making a request the
771 attacker wanted rather than one the client wanted. Of course, this
772 is still much harder than a comparable attack against Basic
773 Authentication.
774
775 There are several attacks on the "digest" field in the
776 Authentication-info header. A simple but effective attack is just to
777 remove the field, so that the client will not be able to use it to
778 detect modifications to the response entity. Sensitive applications
779 may wish to allow configuration to require that the digest field be
780 present when appropriate. More subtly, the attacker can alter any of
781 the entity-headers not incorporated in the computation of the digest,
782 The attacker can alter most of the request headers in the client's
783
784
785
786 Franks, et. al. Standards Track [Page 14]
787 �
788 RFC 2069 Digest Access Authentication January 1997
789
790
791 request, and can alter any response header in the origin-server's
792 reply, except those headers whose values are incorporated into the
793 "digest" field.
794
795 Alteration of Accept* or User-Agent request headers can only result
796 in a denial of service attack that returns content in an unacceptable
797 media type or language. Alteration of cache control headers also can
798 only result in denial of service. Alteration of Host will be
799 detected, if the full URL is in the response-digest. Alteration of
800 Referer or From is not important, as these are only hints.
801
802 3.4 Spoofing by Counterfeit Servers
803
804 Basic Authentication is vulnerable to spoofing by counterfeit
805 servers. If a user can be led to believe that she is connecting to a
806 host containing information protected by a password she knows, when
807 in fact she is connecting to a hostile server, then the hostile
808 server can request a password, store it away for later use, and feign
809 an error. This type of attack is more difficult with Digest
810 Authentication -- but the client must know to demand that Digest
811 authentication be used, perhaps using some of the techniques
812 described above to counter "man-in-the-middle" attacks.
813
814 3.5 Storing passwords
815
816 Digest authentication requires that the authenticating agent (usually
817 the server) store some data derived from the user's name and password
818 in a "password file" associated with a given realm. Normally this
819 might contain pairs consisting of username and H(A1), where H(A1) is
820 the digested value of the username, realm, and password as described
821 above.
822
823 The security implications of this are that if this password file is
824 compromised, then an attacker gains immediate access to documents on
825 the server using this realm. Unlike, say a standard UNIX password
826 file, this information need not be decrypted in order to access
827 documents in the server realm associated with this file. On the
828 other hand, decryption, or more likely a brute force attack, would be
829 necessary to obtain the user's password. This is the reason that the
830 realm is part of the digested data stored in the password file. It
831 means that if one digest authentication password file is compromised,
832 it does not automatically compromise others with the same username
833 and password (though it does expose them to brute force attack).
834
835 There are two important security consequences of this. First the
836 password file must be protected as if it contained unencrypted
837 passwords, because for the purpose of accessing documents in its
838 realm, it effectively does.
839
840
841
842 Franks, et. al. Standards Track [Page 15]
843 �
844 RFC 2069 Digest Access Authentication January 1997
845
846
847 A second consequence of this is that the realm string should be
848 unique among all realms which any single user is likely to use. In
849 particular a realm string should include the name of the host doing
850 the authentication. The inability of the client to authenticate the
851 server is a weakness of Digest Authentication.
852
853 3.6 Summary
854
855 By modern cryptographic standards Digest Authentication is weak. But
856 for a large range of purposes it is valuable as a replacement for
857 Basic Authentication. It remedies many, but not all, weaknesses of
858 Basic Authentication. Its strength may vary depending on the
859 implementation. In particular the structure of the nonce (which is
860 dependent on the server implementation) may affect the ease of
861 mounting a replay attack. A range of server options is appropriate
862 since, for example, some implementations may be willing to accept the
863 server overhead of one-time nonces or digests to eliminate the
864 possibility of replay while others may satisfied with a nonce like
865 the one recommended above restricted to a single IP address and with
866 a limited lifetime.
867
868 The bottom line is that *any* compliant implementation will be
869 relatively weak by cryptographic standards, but *any* compliant
870 implementation will be far superior to Basic Authentication.
871
872 4. Acknowledgments
873
874 In addition to the authors, valuable discussion instrumental in
875 creating this document has come from Peter J. Churchyard, Ned Freed,
876 and David M. Kristol.
877
878 5. References
879
880 [1] Berners-Lee, T., Fielding, R., and H. Frystyk,
881 "Hypertext Transfer Protocol -- HTTP/1.0",
882 RFC 1945, May 1996.
883
884 [2] Berners-Lee, T., Fielding, R., and H. Frystyk,
885 "Hypertext Transfer Protocol -- HTTP/1.1"
886 RFC 2068, January 1997.
887
888 [3] Rivest, R., "The MD5 Message-Digest Algorithm",
889 RFC 1321, April 1992.
890
891
892
893
894
895
896
897
898 Franks, et. al. Standards Track [Page 16]
899 �
900 RFC 2069 Digest Access Authentication January 1997
901
902
903 6. Authors' Addresses
904
905 John Franks
906 Professor of Mathematics
907 Department of Mathematics
908 Northwestern University
909 Evanston, IL 60208-2730, USA
910
911 EMail: john@math.nwu.edu
912
913
914 Phillip M. Hallam-Baker
915 European Union Fellow
916 CERN
917 Geneva
918 Switzerland
919
920 EMail: hallam@w3.org
921
922
923 Jeffery L. Hostetler
924 Senior Software Engineer
925 Spyglass, Inc.
926 3200 Farber Drive
927 Champaign, IL 61821, USA
928
929 EMail: jeff@spyglass.com
930
931
932 Paul J. Leach
933 Microsoft Corporation
934 1 Microsoft Way
935 Redmond, WA 98052, USA
936
937 EMail: paulle@microsoft.com
938
939
940 Ari Luotonen
941 Member of Technical Staff
942 Netscape Communications Corporation
943 501 East Middlefield Road
944 Mountain View, CA 94043, USA
945
946 EMail: luotonen@netscape.com
947
948
949
950
951
952
953
954 Franks, et. al. Standards Track [Page 17]
955 �
956 RFC 2069 Digest Access Authentication January 1997
957
958
959 Eric W. Sink
960 Senior Software Engineer
961 Spyglass, Inc.
962 3200 Farber Drive
963 Champaign, IL 61821, USA
964
965 EMail: eric@spyglass.com
966
967
968 Lawrence C. Stewart
969 Open Market, Inc.
970 215 First Street
971 Cambridge, MA 02142, USA
972
973 EMail: stewart@OpenMarket.com
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010 Franks, et. al. Standards Track [Page 18]
1011 �
