Revision as of 02:49, 22 January 2025 edit 2804:d55:52dd:4f00:6d93:5014:fd3c:828b (talk) No edit summary Tags: Reverted Visual edit ← Previous edit		Revision as of 03:16, 22 January 2025 edit undo Brandon (talk \| contribs) Edit filter managers, Administrators 23,426 edits m Reverted edit by 2804:D55:52DD:4F00:6D93:5014:FD3C:828B (talk) to last version by Naruyoko Tag: Rollback Next edit →
Line 12: :<syntaxhighlight lang="text"> HA1 = MD5(username:realm:password) ) HA2 = MD5(method:digestURI) response = MD5(HA1:nonce:HA2) </syntaxhighlight> An MD5 hash is a 16-byte value. The HA1 and HA2 values used in the computation of the response are the hexadecimal representation (in lowercase) of the MD5 hashes respectively. RFC 2069 was later replaced by {{IETF RFC\|2617}} (''HTTP Authentication: Basic and Digest Access Authentication''). RFC 2617 introduced a number of optional security enhancements to digest authentication; '''"quality ~~protecti~~of protection" (qop)''', nonce counter incremented by client, and a client-generated random nonce. These enhancements are designed to protect against, for example, [[chosen-plaintext attack]] [[cryptanalysis]]. If the algorithm directive's value is "MD5" or unspecified, then HA1 is Line 57 ⟶ 59: The above shows that when qop is not specified, the simpler RFC 2069 standard is followed. In September 2015, RFC 7616 replaced RFC 2617 by adding 4 new [[Algorithm\|algorithms]]: "SHA-256", "SHA-256-sess", "SHA-512-256" and "SHA-512-256-sess". The encoding is equivalent to "MD5" and "MD5-sess" algorithms, with [[MD5\|MD5 hashing function]] replaced with [[SHA-256]] and [[SHA-256\|SHA-512-256]]. However, {{as of\|2021\|7\|lc=y}}, none of popular browsers, including Firefox<ref>{{cite web \|title=Bug 472823: SHA 256 Digest Authentication \|url=https://bugzilla.mozilla.org/show_bug.cgi?id=472823 \|website=Mozilla Bugzilla}}</ref> and Chrome,<ref>{{cite web \|title= Issue 1160478: SHA-256 for HTTP Digest Access Authentication in accordance with rfc7616 \|url=https://bugs.chromium.org/p/chromium/issues/detail?id=1160478 \|website=Chromium bugs}}</ref> support SHA-256 as the hash function. {{As of\|2021\|10}}, Firefox 93<ref>{{cite web \|title=Bug 472823: SHA 256 Digest Authentication \|url=https://bugzilla.mozilla.org/show_bug.cgi?id=472823 \|website=Mozilla Bugzilla}}</ref> officially supports "SHA-256" and "SHA-256-sess" algorithms for digest authentication. However, support for "SHA-512-256", "SHA-512-256-sess" algorithms and username hashing<ref>{{cite news \|title=IETF.org: RFC 7616 Username Hashing \|url=https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4 \|newspaper=Ietf Datatracker\|date=30 September 2015 }}</ref> is still lacking.<ref>{{cite web \|title=Mozilla-central: support SHA-256 HTTP Digest auth \|url=https://hg.mozilla.org/mozilla-central/rev/7a4994734e00 \|website=Mozilla-central}}</ref> {{As of\|2023\|8}}, Chromium 117 (then Chrome and Edge) supports "SHA-256".<ref>{{cite web \|title=Chrome Feature: RFC 7616 Digest auth: Support SHA-256 and username hashing\|url=https://chromestatus.com/feature/5139896267702272?context=myfeatures}}</ref> == Impact of MD5 security on digest authentication ==

Digest access authentication: Difference between revisions