Digest access authentication: Difference between revisions

{{Short description|Method of negotiating credentials between web server and browser}}
{{HTTP}}
'''Digest access authentication''' is one of the agreed-upon methods a [[web server]] can use to negotiate credentials, such as username or password, with a user's [[web browser]]. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a [[hash function]] to the username and [[password]] before sending them over the network. In contrast, [[basic access authentication]] uses the easily reversible [[Base64]] encoding instead of hashing, making it non-secure unless used in conjunction with [[Transport Layer Security|TLS]].
 
Technically, digest authentication is an application of [[cryptographic hash]]ing with usage of [[cryptographic nonce|nonce]] values to prevent [[replay attack]]s. It uses the [[Hypertext Transfer Protocol|HTTP]] protocol.
 
DIGEST-MD5 as a [[Simple_Authentication_and_Security_Layer|SASL]] mechanism, specified by {{IETF RFC|2831}}, has been obsolete since July 2011.<ref>[https://datatracker.ietf.org/doc/html/rfc6331 Moving DIGEST-MD5 to Historic, July 2011].</ref>
 
== Overview ==
 
Digest access authentication was originally specified by {{IETF RFC|2069}} (''An Extension to HTTP: Digest Access Authentication''). RFC 2069 specifies roughly a traditional digest authentication scheme with security maintained by a server-generated ''[[Cryptographic nonce|nonce value]]''. The authentication response is formed as follows (where HA1 and HA2 are names of string variables):
 
:<syntaxhighlight lang="text">
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:HA2)
</syntaxhighlight>
 
An MD5 hash is a 16-byte value. The HA1 and HA2 values used in the computation of the response are the lowercase hexadecimal representations of the respective MD5 hashes.
 
RFC 2069 was later replaced by {{IETF RFC|2617}} (''HTTP Authentication: Basic and Digest Access Authentication''). RFC 2617 introduced a number of optional security enhancements to digest authentication: '''"quality of protection" (qop)''', a nonce counter incremented by the client, and a client-generated random nonce. These enhancements are designed to protect against, for example, [[chosen-plaintext attack]] [[cryptanalysis]].
 
If the algorithm directive's value is "MD5" or unspecified, then HA1 is
 
:<syntaxhighlight lang="text">
HA1 = MD5(username:realm:password)
</syntaxhighlight>
 
If the algorithm directive's value is "MD5-sess", then HA1 is
 
:<syntaxhighlight lang="text">
HA1 = MD5(MD5(username:realm:password):nonce:cnonce)
</syntaxhighlight>
 
If the qop directive's value is "auth" or is unspecified, then HA2 is
Line 25 ⟶ 50:
response = MD5(HA1:nonce:nonceCount:cnonce:qop:HA2)
</syntaxhighlight>
 
If the qop directive is unspecified, then compute the response as follows:
 
:<syntaxhighlight lang="text">
response = MD5(HA1:nonce:HA2)
</syntaxhighlight>
 
The above shows that when qop is not specified, the simpler RFC 2069 standard is followed.
 
In September 2015, RFC 7616 replaced RFC 2617 by adding 4 new [[Algorithm|algorithms]]: "SHA-256", "SHA-256-sess", "SHA-512-256" and "SHA-512-256-sess". The encoding is equivalent to the "MD5" and "MD5-sess" algorithms, with the [[MD5|MD5 hashing function]] replaced with [[SHA-256]] and [[SHA-256|SHA-512-256]]. However, {{as of|2021|7|lc=y}}, none of the popular browsers, including Firefox<ref>{{cite web |title=Bug 472823: SHA 256 Digest Authentication |url=https://bugzilla.mozilla.org/show_bug.cgi?id=472823 |website=Mozilla Bugzilla}}</ref> and Chrome,<ref>{{cite web |title= Issue 1160478: SHA-256 for HTTP Digest Access Authentication in accordance with rfc7616 |url=https://bugs.chromium.org/p/chromium/issues/detail?id=1160478 |website=Chromium bugs}}</ref> support SHA-256 as the hash function. {{As of|2021|10}}, Firefox 93<ref>{{cite web |title=Bug 472823: SHA 256 Digest Authentication |url=https://bugzilla.mozilla.org/show_bug.cgi?id=472823 |website=Mozilla Bugzilla}}</ref> officially supports the "SHA-256" and "SHA-256-sess" algorithms for digest authentication. However, support for the "SHA-512-256" and "SHA-512-256-sess" algorithms and for username hashing<ref>{{cite news |title=IETF.org: RFC 7616 Username Hashing |url=https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4 |newspaper=Ietf Datatracker|date=30 September 2015 }}</ref> is still lacking.<ref>{{cite web |title=Mozilla-central: support SHA-256 HTTP Digest auth |url=https://hg.mozilla.org/mozilla-central/rev/7a4994734e00 |website=Mozilla-central}}</ref> {{As of|2023|8}}, Chromium 117 (then Chrome and Edge) supports "SHA-256".<ref>{{cite web |title=Chrome Feature: RFC 7616 Digest auth: Support SHA-256 and username hashing|url=https://chromestatus.com/feature/5139896267702272?context=myfeatures}}</ref>
 
== Impact of MD5 security on digest authentication ==
 
The [[MD5]] calculations used in HTTP digest authentication are intended to be "[[one-way function|one way]]", meaning that it should be difficult to determine the original input when only the output is known. If the password itself is too simple, however, then it may be possible to test all possible inputs and find a matching output (a [[brute-force attack]])&nbsp;– perhaps aided by a [[dictionary attack|dictionary]] or [[rainbow table|suitable look-up list]], which for MD5 is readily available.<ref>[http://project-rainbowcrack.com/table.htm List of rainbow tables, Project Rainbowcrack]. Includes multiple MD5 rainbow tables.</ref>
 
The HTTP scheme was designed by [[Phillip Hallam-Baker]] at [[CERN]] in 1993 and does not incorporate subsequent improvements in authentication systems, such as the development of keyed-hash message authentication code ([[HMAC]]). Although the [[cryptography|cryptographic]] construction that is used is based on the MD5 hash function, [[collision attack]]s were in 2004 generally believed to not affect applications where the plaintext (i.e. password) is not known.<ref name="CryptoRes-2004">{{cite web
Line 99 ⟶ 134:
* Digest access authentication prevents the use of a strong password hash (such as [[bcrypt]]) when storing passwords (since either the password, or the digested username, realm and password must be recoverable)
 
Also, since the [[MD5|MD5 algorithm]] is not allowed in [[FIPS 140-2|FIPS]], HTTP Digest authentication will not work with FIPS-certified<ref name="FIPS approved functions" group="note">The following is a list of FIPS approved algorithms: {{cite web
| url = http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
| title = Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
| date = January 31, 2014
| publisher = National Institute of Standards and Technology
}}</ref> crypto modules.
 
=== Alternative authentication protocols ===