The drawback of this method is that the server database needs to keep the passwords
(i.e. not only the hashed values). It must therefore be strongly protected.
5.2.1 Digest Access Control in HTTP
The digest access control is an alternative to the basic protocol which is also described
in RFC 2617 (Ref. [69]). We describe here the main features of the digest protocol
without giving details for all parameters.
Upon a URI request to a server, the server sends a challenge
    WWW-Authenticate: digest
        realm="realm-value"
        [ domain="URI" ]
        nonce="base64 nonce-value"
        [ opaque="base64 opaque-value" ]
        [ stale=true ]
        [ algorithm=MD5 ]
        [ qop="comma-separated list of auth or auth-int or token" ]
(Lines between [ ] are optional.) The realm-value works as in the basic access authentication scheme. The nonce-value is a server-generated value that should be unique for each challenge (preferably encoded with base64). The opaque-value carries no meaning for the client, which simply returns it unchanged in the credentials. (It is quite convenient for servers that send several challenges to several clients at the same time: they can easily figure out which response corresponds to which challenge.) The stale=true string indicates that the nonce-value used in the previous credentials is now stale; the client must resend credentials computed with the new nonce, without prompting the user for the password again. The qop-value suggests the quality of protection scheme.
We can use any standard hash function $H$ and MAC $\mathrm{KD}$. The default for $H$ is MD5 and
$$\mathrm{KD}_K(x) = H(K \,\|\, \text{``:''} \,\|\, x)$$
where $\|$ denotes the concatenation operation.
The client then must send credentials
    Authorization: digest
        username="username-value"
        realm="realm-value"
        nonce="base64 nonce-value"
        uri="digest-uri"
        response="32lhex request-digest-value"
        [ algorithm=MD5 ]
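The challenge/response exchange described above, carried through in working code as an added example (this is not code from the book, nor a reference implementation from the RFC). $H$ and $\mathrm{KD}$ follow the definitions in the text; the request-digest formula built from H(A1) and H(A2), and the "Mufasa" test vector, are taken from RFC 2617 (sections 3.2.2 and 3.5) and are not reproduced on this page. The class and function names (`DigestServer`, `client_credentials`, `request_digest`), the realm and user values in `demo()`, and the nonce-retirement policy are assumptions made for illustration. Only algorithm=MD5 with qop=auth (or no qop) is implemented; auth-int is omitted.

```python
"""Digest access authentication (RFC 2617): challenge, response and server-side verification.

Added worked example, not code from the book. H and KD follow the text; the HA1/HA2
request-digest formula and the Mufasa vector come from RFC 2617. Names and sample
values (realm, user, password) are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def H(data: str) -> str:
    """H: MD5 over the UTF-8 bytes, rendered as 32 lowercase hex digits (32LHEX)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD_K(x) = H(K || ":" || x), as defined in the text."""
    return H(secret + ":" + data)


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5. This value is password-equivalent within the realm."""
    return H(f"{username}:{realm}:{password}")


def request_digest(h_a1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest. Without qop this degrades to the older RFC 2069 form."""
    h_a2 = H(f"{method}:{uri}")  # qop=auth-int would also hash the entity body (omitted)
    if qop is None:
        return KD(h_a1, f"{nonce}:{h_a2}")
    if qop != "auth" or nc is None or cnonce is None:
        raise ValueError("only qop=auth with nc and cnonce is supported here")
    return KD(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def client_credentials(username, password, method, uri, challenge, nc, cnonce):
    """Build the Authorization fields a client sends back for a given challenge."""
    h_a1 = ha1(username, challenge["realm"], password)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
        "opaque": challenge["opaque"],  # echoed back unchanged, as the text requires
        "response": request_digest(h_a1, method, uri, challenge["nonce"], "auth", nc, cnonce),
    }


class DigestServer:
    """Stores H(A1) per user (never the password) and tracks nonce counts to stop replay."""

    def __init__(self, realm, max_nonce_uses=100):
        self.realm = realm
        self.users = {}    # username -> H(A1)
        self.nonces = {}   # live nonce -> highest nc accepted so far
        self.max_nonce_uses = max_nonce_uses

    def add_user(self, username, password):
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self):
        nonce = secrets.token_hex(16)  # fresh and unpredictable; the text only asks for uniqueness
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth",
                "algorithm": "MD5", "opaque": secrets.token_hex(8)}

    def verify(self, creds, method):
        """Return 'ok', 'stale' (valid digest, dead nonce: re-challenge with stale=true) or 'fail'."""
        h_a1 = self.users.get(creds["username"])
        if h_a1 is None or creds.get("realm") != self.realm:
            return "fail"
        expected = request_digest(h_a1, method, creds["uri"], creds["nonce"],
                                  "auth", creds["nc"], creds["cnonce"])
        if not hmac.compare_digest(expected, creds["response"]):
            return "fail"  # wrong password or tampered method/URI
        nonce = creds["nonce"]
        if nonce not in self.nonces:
            return "stale"  # RFC 2617: stale=true only when the digest itself was valid
        nc = int(creds["nc"], 16)
        if nc <= self.nonces[nonce]:
            return "fail"  # replayed or out-of-order nonce count
        self.nonces[nonce] = nc
        if nc >= self.max_nonce_uses:
            del self.nonces[nonce]  # retire the nonce; its next use is answered with stale=true
        return "ok"


def rfc2617_example():
    """Test vector from RFC 2617 section 3.5 (the RFC's values, not this page's)."""
    h_a1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return request_digest(h_a1, "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "auth", "00000001", "0a4f113b")


def demo():
    """Full exchange on a constructed realm and user; returns the verification outcomes in order."""
    srv = DigestServer("book@example.test", max_nonce_uses=2)
    srv.add_user("alice", "correct horse")
    ch = srv.challenge()
    first = client_credentials("alice", "correct horse", "GET", "/secret", ch, "00000001", "c1")
    wrong_pw = client_credentials("alice", "wrong", "GET", "/secret", ch, "00000002", "c2")
    second = client_credentials("alice", "correct horse", "GET", "/secret", ch, "00000002", "c3")
    third = client_credentials("alice", "correct horse", "GET", "/secret", ch, "00000003", "c4")
    return [srv.verify(first, "GET"), srv.verify(dict(first), "GET"), srv.verify(wrong_pw, "GET"),
            srv.verify(second, "GET"), srv.verify(third, "GET")]
```

Two points worth noting from the code. First, the server keeps H(A1) = H(username:realm:password) rather than the password itself, which removes the drawback mentioned at the top of this page for the simpler scheme; H(A1) is nevertheless password-equivalent within that realm (anyone holding it can answer challenges), so the database still needs protection. Second, the nonce and nonce-count tracking in `verify` is what stops an observed Authorization header from being replayed, and the `stale` outcome implements the rule that the server may only set stale=true when the digest was valid for the nonce the client used, so the client can retry with the new nonce without asking the user for the password again.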