view Side-By-Side changes
HTTP Working Group J. Franks, Northwestern University
INTERNET DRAFT P. Hallam-Baker, M.I.T.
<draft-ietf-http-authentication-00>
<draft-ietf-http-authentication-01> J. Hostetler, Spyglass, Inc.
P. Leach, Microsoft Corporation
A. Luotonen, Netscape Communications Corporation
E. Sink, Spyglass, Inc.
L. Stewart, Open Market, Inc.
S. Lawrence, Agranat, Inc.
Expires: May 21, September 13, 1998 March 13, 1998 November 21, 1997
HTTP Authentication: Basic and Digest Access Authentication
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute working
documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress".
To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast).
Distribution of this document is unlimited. Please send comments to the
HTTP working group at <http-wg@cuckoo.hpl.hp.com>. Discussions of the
working group are archived at
<URL:http://www.ics.uci.edu/pub/ietf/http/>. General discussions about
HTTP and the applications which use HTTP should take place on the <www-
talk@w3.org> mailing list.
Abstract
"HTTP/1.0"
''HTTP/1.0'' includes the specification for a Basic Access Authentication
scheme. This scheme is not considered to be a secure method of user
authentication (unless used in conjunction with some external secure
system such as SSL [5]), as the user name and password are passed over
the network as clear text. cleartext.
This document also provides the specification for HTTP's authentication
framework, the original Basic authentication scheme and a scheme based
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
on cryptographic hashes, referred to as "Digest ''Digest Access Authentication". Authentication''.
It is therefore also intended to also serve as a replacement for RFC 2069.[6] 2069
[6]. Some optional elements specified by RFC 2069 have been removed
from this specification due to problems found since its publication;
other new elements have been added -for compatibility, those new
elements have been made optional, but are strongly recommended.
Like Basic, Digest access authentication verifies that both parties to a
communication know a shared secret (a password); unlike Basic, this
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
verification can be done without sending the password in the clear,
which is Basic's biggest weakness. As with most other authentication
protocols, the greatest sources of risks are usually found not in the
core protocol itself but in policies and procedures surrounding its use.
Franks, et al. [Page 2]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997 13 March 1998
Table of Contents
HTTP AUTHENTICATION: BASIC AND DIGEST ACCESS AUTHENTICATION1
Status of this Memo........................................1
Abstract...................................................1
Table of Contents..........................................3
1 Access Authentication .................................5
1.1 Reliance on the HTTP/1.1 Specification ............5 ..............5
1.2 Access Authentication Framework ...................5 .....................5
2 Basic Authentication Scheme ...........................6
3 Digest Access Authentication Scheme ...................7
3.1 Introduction ......................................7 ........................................7
3.1.1 Purpose .........................................7 ..........................................7
3.1.2 Overall Operation ...............................8 ................................8
3.1.3 Representation of digest values .................8 ..................8
3.1.4 Limitations .....................................8 ......................................8
3.2 Specification of Digest Headers ...................9 .....................8
3.2.1 The WWW-Authenticate Response Header ............9 .............9
3.2.2 The Authorization Request Header ...............11 ................11
3.2.3 The Authentication-Info Header .................14 ..................15
3.3 Digest Operation .................................15 ...................................16
3.4 Security Protocol Negotiation ....................16 ......................16
3.5 Example ..........................................16 ............................................17
3.6 Proxy-Authentication and Proxy-Authorization .....17 .......17
4 Security Considerations ..............................18
4.1 Authentication of Clients using Basic Authentication 18 Authentication18
4.2 Authentication of Clients using Digest Authentication 19
4.3 Offering a Choice of Authentication Schemes ......19 Limited Use Nonce Values ...........................19
4.4 Comparison of Digest with Basic Authentication ...20 .....20
4.5 Replay Attacks ...................................20 .....................................20
4.6 Weakness Created by Multiple Authentication Schemes 21
4.7 Online dictionary attacks ..........................21
4.8 Man in the Middle ................................21
4.7 ..................................22
4.9 Chosen plaintext attacks ...........................22
4.10 Precomputed dictionary attacks .....................23
4.11 Batch brute force attacks ..........................23
4.12 Spoofing by Counterfeit Servers ..................22
4.8 ....................23
4.13 Storing passwords ................................22
4.9 ..................................23
4.14 Summary ..........................................23 ............................................24
5 Acknowledgments ......................................23 ......................................24
6 References ...........................................23 ...........................................25
7 Authors' Addresses ...................................24
Index.....................................................26 ...................................25
Franks, et al. [Page 3]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
Franks, et al. [Page 4]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997 13 March 1998
1 Access Authentication
1.1 Reliance on the HTTP/1.1 Specification
This specification is a companion two to the HTTP/1.1 specification [2]. It
uses using the extended BNF section 2.1 of that document, and relies on
both the BNF defined in that document, document and other aspects of the HTTP/1.1
specification.
1.2 Access Authentication Framework
HTTP provides a simple challenge-response authentication mechanism which
MAY be used by a server to challenge a client request and by a client to
provide authentication information. It uses an extensible,
case-insensitive case-
insensitive token to identify the authentication scheme, followed by a
comma-separated list of attribute-value pairs which carry the parameters
necessary for achieving authentication via that scheme.
auth-scheme = token
auth-param = token "=" ( token | quoted-string )
The 401 (Unauthorized) response message is used by an origin server to
challenge the authorization of a user agent. This response MUST include
a WWW-Authenticate header field containing at least one challenge
applicable to the requested resource. The 407 (Proxy Authentication
Required) response message is used by a proxy to challenge the
authorization of a client and MUST include a Proxy-Authenticate header
field containing a challenge applicable to the proxy for the requested
resource.
challenge = auth-scheme 1*SP 1#auth-param
The authentication parameter realm is defined for all authentication
schemes:
realm = "realm" "=" realm-value
realm-value = quoted-string
The realm attribute (case-insensitive) is required for all
authentication schemes which issue a challenge. The realm value (case-
sensitive), in combination with the canonical root URL (see section
5.1.2 of [2]) of the server being accessed, defines the protection
space. These realms allow the protected resources on a server to be
partitioned into a set of protection spaces, each with its own
authentication scheme and/or authorization database. The realm value is
a string, generally assigned by the origin server, which may have
additional semantics specific to the authentication scheme.
A user agent that wishes to authenticate itself with an origin server--
usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
do so by including an Authorization header field with the request. A
Franks, et al. [Page 5]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
client that wishes to authenticate itself with a proxy--usually, but not
Franks, et al. [Page 5]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
do so by including a Proxy-Authorization header field with the request.
Both the Authorization field value and the Proxy-Authorization field
value consists consist of credentials containing the authentication information
of the client for the realm of the resource being requested.
credentials = basic-credentials | auth-scheme #auth-param
The protection space determines the domain over which credentials can be
automatically applied. If a prior request has been authorized, the same
credentials MAY be reused for all other requests within that protection
space for a period of time determined by the authentication scheme,
parameters, and/or user preference. Unless otherwise defined by the
authentication scheme, a single protection space cannot extend outside
the scope of its server.
If the origin server does not wish to accept the credentials sent with a
request, it SHOULD return a 401 (Unauthorized) response. The response
MUST include a WWW-Authenticate header field containing at least one
(possibly new) challenge applicable to the requested resource. If a
proxy does not accept the credentials sent with a request, it SHOULD
return a 407 (Proxy Authentication Required). The response MUST include
a Proxy-Authenticate header field containing a (possibly new) challenge
applicable to the proxy for the requested resource.
The HTTP protocol does not restrict applications to this simple
challenge-response mechanism for access authentication. Additional
mechanisms MAY be used, such as encryption at the transport level or via
message encapsulation, and with additional header fields specifying
authentication information. However, these additional mechanisms are not
defined by this specification.
Proxies MUST be completely transparent regarding user agent
authentication by origin servers. That is, they MUST must forward the WWW-
Authenticate and Authorization headers untouched, and follow the rules
found in section 14.8 of [2]. Both the Proxy-Authenticate and the Proxy-
Authorization header fields are hop-by-hop headers (see section 13.5.1
of [2]).
2 Basic Authentication Scheme
The "basic" authentication scheme is based on the model that the client
must authenticate itself with a user-ID and a password for each realm.
The realm value should be considered an opaque string which can only be
compared for equality with other realms on that server. The server will
service the request only if it can validate the user-ID and password for
the protection space of the Request-URI. There are no optional
authentication parameters.
For Basic, the framework above is utilized as follows:
credentials = basic-credentials
challenge = "Basic" realm
Franks, et al. [Page 6]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997 13 March 1998
Upon receipt of an unauthorized request for a URI within the protection
space, the origin server MAY respond with a challenge like the
following:
WWW-Authenticate: Basic realm="WallyWorld"
where "WallyWorld" is the string assigned by the server to identify the
protection space of the Request-URI. A proxy may respond with the same
challenge using the Proxy-Authenticate header field.
To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64 [7] encoded [7]encoded
string in the credentials.
basic-credentials = "Basic" SP base64-user-pass
base64-user-pass = <base64 [4] encoding of user-pass,
except not limited to 76 char/line>
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
Userids might be case sensitive.
If the user agent wishes to send the userid "Aladdin" and password "open
sesame", it would use the following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
A client SHOULD assume that all paths at or deeper than the depth of the
last symbolic element in the path field of the Request-URI also are
within the protection space specified by the Basic realm value of the
current challenge. A client MAY send the corresponding Authorization
header with requests for resources in that space without receipt of
another challenge from the server.
If a client wishes to send the same userid and password to a proxy, it
would use the Proxy-Authorization header field. See section 4 for
security considerations associated with Basic authentication.
3 Digest Access Authentication Scheme
3.1 Introduction
3.1.1 Purpose
The protocol referred to as "HTTP/1.0" includes the specification for a
Basic Access Authentication scheme[1]. This scheme is not considered to
be a secure method of user authentication, as the user name and password
are passed over the network in an unencrypted form. This document
Franks, et al. [Page 7]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
provides the specification for such a scheme, which does not send the
password in cleartext. It is referred to as "Digest Access
Authentication".
Franks, et al. [Page 7]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
The Digest Access Authentication scheme is not intended to be a complete
answer to the need for security in the World Wide Web. This scheme
provides no encryption of object message content. The intent is simply to
create
a weak an access authentication method, method which avoids the most serious
flaws of Basic authentication.
3.1.2 Overall Operation
Like Basic Access Authentication, the Digest scheme is based on a simple
challenge-response paradigm. The Digest scheme challenges using a nonce
value. A valid response contains a checksum (by default the MD5
checksum) of the username, the password, the given nonce value, the HTTP
method, and the requested URI. In this way, the password is never sent
in the clear. Just as with the Basic scheme, the username and password
must be prearranged in some fashion which is not addressed by this document.
3.1.3 Representation of digest values
An optional header allows the server to specify the algorithm used to
create the checksum or digest. By default the MD5 algorithm is used and
that is the only algorithm described in this document.
For the purposes of this document, an MD5 digest of 128 bits is
represented as 32 ASCII printable characters. The bits in the 128 bit
digest are converted from most significant to least significant bit,
four bits at a time to their ASCII presentation as follows. Each four
bits is represented by its familiar hexadecimal notation from the
characters 0123456789abcdef. That is, binary 0000 gets represented by
the character '0', 0001, by '1', and so on up to the representation of
1111 as 'f'.
3.1.4 Limitations
The digest Digest authentication scheme described in this document suffers from
many known limitations. It is intended as a replacement for basic Basic
authentication and nothing more. It is a password-based system and (on
the server side) suffers from all the same problems of any password
system. In particular, no provision is made in this protocol for the
initial secure arrangement between user and server to establish the
user's password.
Users and implementors should be aware that this protocol is not as
secure as kerberos, Kerberos, and not as secure as any client-side private-key
Franks, et al. [Page 8]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
scheme. Nevertheless it is better than nothing, better than what is
commonly used with telnet and ftp, and better than Basic authentication.
3.2 Specification of Digest Headers
The Digest Access Authentication scheme is conceptually similar to the
Basic scheme. The formats of the modified WWW-Authenticate header line
and the Authorization header line are specified below. In addition, a
new header, Authentication-Info, is specified.
Franks, et al. [Page 8]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
3.2.1 The WWW-Authenticate Response Header
If a server receives a request for an access-protected object, and an
acceptable Authorization header is not sent, the server responds with a
"401 Unauthorized" status code, and a WWW-Authenticate header, header as per the
framework defined above, which for the digest scheme is
defined utilized as follows:
WWW-Authenticate
follows :
challenge = "WWW-Authenticate" ":" "Digest" digest-challenge
digest-challenge = 1#( realm | [ domain ] | nonce |
[ opaque ] |[ stale ] | [ algorithm ] |
[ digest-required ]) qop-options ] )
domain = "domain" "=" <"> URI ( 1*SP URI ) <">
nonce = "nonce" "=" nonce-value
nonce-value = quoted-string
opaque = "opaque" "=" quoted-string
stale = "stale" "=" ( "true" | "false" )
algorithm = "algorithm" "=" ( "MD5" | token "MD5-sess" )
digest-required
qop-options = "digest-required" "qop" "=" ( "true" <"> 1#qop-value <">
qop-value = "auth" | "false" ) "auth-int" | token
The meanings of the values of the parameters used above are as follows:
realm
A string to be displayed to users so they know which username and
password to use. This string should contain at least the name of the
host performing the authentication and might additionally indicate
the collection of users who might have access. An example might be
"registered_users@gotham.news.com".
domain
A space-separated list of URIs, as specified in RFC XURI [7]. The
intent is that the client could use this information to know the set
of URIs for which the same authentication information should be sent.
The URIs in this list may exist on different servers. If this keyword
Franks, et al. [Page 9]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
is omitted or empty, the client should assume that the domain
consists of all URIs on the responding server.
nonce
A server-specified data string which may be uniquely generated each
time a 401 response is made. It is recommended that this string be
base64 or hexadecimal data. Specifically, since the string is passed
in the header lines as a quoted string, the double-quote character is
not allowed.
The contents of the nonce are implementation dependent. The quality
of the implementation depends on a good choice. A recommended nonce
would include
H(client-IP ":" time-stamp ":" private-key)
Where client-IP is might, for
example, be constructed as the dotted quad IP address base 64 encoding of the client making
the request,
time-stamp H(time-stamp ":" ETag ":" private-key)
where time-stamp is a server-generated time or other non-repeating
value, ETag is the value of the HTTP ETag header associated with the
Franks, et al. [Page 9]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
requested entity, and private-key is data known only to the server.
With a nonce of this form a server would normally recalculate the nonce hash portion
after receiving the client authentication header and reject the
request if it did not match the nonce from that header. header or if the
time-stamp value is not recent enough. In this way the server can
limit the reuse time of the nonce's validity. The inclusion of the ETag
prevents a nonce to replay request for an updated version of the resource.
(Note: including the IP address of the client in the nonce would
appear to which it was issued and limit offer the time
of server the nonce's validity. Further discussion ability to limit the reuse of the rationale for
nonce construction is to the same client that originally got it. However, that would
break proxy farms, where requests from a single user often go through
different proxies in section 4.5 below. the farm. Also, IP address spoofing is not that
hard.)
An implementation might choose not to accept a previously used nonce
or a previously used digest to protect against a replay attack. Or,
an implementation might choose to use one-time nonces or digests for
POST or PUT requests and a time-stamp for GET requests. For more
details on the issues involved see section 4 4. of this document.
The nonce is opaque to the client.
opaque
A string of data, specified by the server, which should be returned
by the client unchanged. It is recommended that this string be base64
or hexadecimal data.
stale
A flag, indicating that the previous request from the client was
rejected because the nonce value was stale. If stale is TRUE (in
upper or lower case), (case-
insensitive), the client may wish to simply retry the request with a
new encrypted response, without reprompting the user for a new
username and password. The server should only set stale to true if it
receives a request for which the nonce is invalid but with a valid
digest for that nonce (indicating that the client knows the correct
username/password).
algorithm
A string indicating a pair of algorithms used to produce the digest
and a checksum. If this is not present it is assumed to be "MD5". In
Franks, et al. [Page 10]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
this document the string obtained by applying the digest algorithm to
the data "data" with secret "secret" will be denoted by KD(secret,
data), and the string obtained by applying the checksum algorithm to
the data "data" will be denoted H(data). The notation unq(X) means
the value of the quoted-string X without the surrounding quotes.
For the "MD5" algorithm and "MD5-sess" algorithms
H(data) = MD5(data)
and
KD(secret, data) = H(concat(secret, ":", data))
i.e., the digest is the MD5 of the secret concatenated with a
colon concatenated with the data.
digest-required
If The "MD5-sess" algorithm is
Franks, et al. [Page 10]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
intended to allow efficient 3rd party authentication servers;
for the value of difference in usage, see the digest-required parameter description .
qop-options
This attribute is "true", then
any request with an entity-body (such as a PUT or a POST) optional, but is made so only for
the resource(s) to which backward
compatibility with RFC 2069 [6]; it SHOULD be used by all
implementations compliant with this response applies MUST include version of the "digest" attribute in its Authorization header. Digest scheme.
If the
request has no entity-body (such as present, it is a GET) then quoted string of one or more tokens indicating
the digest-
required "quality of protection" values supported by the server. The
value can be ignored. If the digest-required
parameter is not specified, then its value is "false". If "auth" indicates authentication; the value of "auth-int" indicates
authentication with integrity protection; see the digest-required parameter is "false", then descriptions below
for calculating the
"digest" response attribute is OPTIONAL on requests value for the resource(s)
to which the response applies. application of
this choice.
3.2.2 The Authorization Request Header
The client is expected to retry the request, passing an
Authorization header line, which is defined according to the
framework above, utilized as follows.
Authorization
credentials = "Authorization" ":" "Digest" digest-response
Digest-response
digest-response = 1#( username | realm | nonce | digest-uri |
response | [ digest algorithm ] | [cnonce] |
[opaque] | [server] | [message-qop] |
[ algorithm nonce-count ] |
opaque )
username = "username" "=" username-value
username-value = quoted-string
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1
response
message-qop = "response" "qop" "=" response-digest
digest qop-value
cnonce = "digest" "cnonce" "=" entity-digest
response-digest cnonce-value
cnonce-value = <"> *LHEX <">
entity-digest nonce-value
nonce-count = <"> *LHEX <">
Franks, et al. [Page 11]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997 "nc" "=" nc-value
nc-value = 8LHEX
response = "response" "=" request-digest
LHEX = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7"
|"8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"
The values of the opaque and algorithm fields must be those
supplied in the WWW-Authenticate response header for the entity
being requested.
If the value
response
A string of 32 hex digits computed as defined below, which proves
that the digest-required parameter is "true", user knows a password
username
The user's name in the
response specified realm.
Franks, et al. [Page 11]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
digest-uri
The URI from Request-URI of the Request-Line; duplicated here because
proxies are allowed to this request MUST either include change the "digest" field Request-Line in its Authentication-Info header or the response should be an
error message indicating transit.
qop
Indicates what "quality of protection" the server is unable or unwilling client has applied to
supply this field. In the latter case the requested entity
message. If present, its value MUST
not be returned as part one of the response. If alternatives the digest-required
parameter is not specified
server indicated it supports in the request, then its value is
"false". If WWW-Authenticate header. These
values affect the value computation of the digest-required parameter request-digest. Note that this
is
"false", then the "digest" a single token, not a quoted list of alternatives as in WWW-
Authenticate. This attribute is OPTIONAL for the response optional in order to this request.
The definitions preserve
backward compatibility with a minimal implementation of response-digest and entity-digest above
indicate RFC 2069 [6],
but SHOULD be used if the encoding for their values. The following definitions
show how server indicated that it is supported by
providing a qop attribute in the WWW-Authenticate header field.
cnonce
An opaque quoted string value is computed:
response-digest =
<"> < KD provided by the client and used by both
client and server to avoid chosen plaintext attacks, to provide
mutual authentication, and to provide some message integrity
protection. See the descriptions below of the calculation of the
response-digest and request-digest values.
nonce-count
This MUST be specified if a qop attribute is sent (see above), and
MUST NOT be specified if the server did not send a qop attribute in
the WWW-Authenticate header field. The nc-value is the hexadecimal
count of the number of requests (including the current request) that
the client has sent with the nonce value in this request. For
example, in the first request sent in response to a given nonce
value, the client sends "nc=0001". The purpose of this attribute is
to allow the server to detect request replays by maintaining its own
copy of this count - if the same nc-value is seen twice, then the
request is a replay. See the description below of the construction
of the request-digest value.
The definition of request-digest above indicates the encoding for
its value. The following definitions show how the value is
computed.
If the "algorithm" directive is not present, or its value is
"MD5", then response-digest is computed as follows.
If the "qop" directive is not present (this construction is for
compatibility with RFC 2069):
request-digest =
<"> < KD ( H(A1), unquoted nonce-value unq(nonce-value) ":" H(A2) ) >
<">
see below for the defintions for A1 and A2.
If the "qop" value is "auth":
request-digest = unquoted username-value <"> < KD ( H(A1), unq(nonce-value)
":" unquoted realm-value nc-value
":" unq(cnonce-value)
Franks, et al. [Page 12]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
":" unq(qop-value)
":" H(A2)
) <">
where
passwd = < user's password >
If the "algorithm" directive's value is "MD5" or is unspecified, then A1
is:
A1 = unq(username-value) ":" unq(realm-value) ":" passwd
If the "algorithm" directive's value is "MD5-sess", then A1 is
calculated only once - on the first request by the client
following receipt of a WWW-Authenticate challenge from the
server. It uses the server nonce from that challenge, and the
first client nonce value to construct A1 as follows:
A1 = H( unq(username-value) ":" unq(realm-value) ":"
passwd )
":" unq(nonce-value) ":" unq(cnonce-value)
This creates a 'session key' for the authentication of subsequent
requests and responses which is different for each session, thus
limiting the amount of material hashed with any one key. Because the
server need only use the hash of the user credentials in order to create
the A1 value, this construction could be used as part of authentication
using a third party service so that the web server would not need the
actual password value. The specification of such a protocol is beyond
the scope of this specification.
If the "qop" directive's value is "auth" or is unspecified, then A2 is:
A2 = < user's password > Method ":" digest-uri-value
If the "qop" value is "auth-int", then A2 is:
A2 = Method ":" digest-uri-value
The ":" H(entity-body)
Note that many of the fields, such as the "username-value" field is field,
are defined as a "quoted-string". However, the "unq" notation
indicates that surrounding quotation marks are removed in forming
the string A1. Thus if the Authorization header includes the
fields
username="Mufasa", realm="myhost@testrealm.com" realm=myhost@testrealm.com
and the user Mufasa has password "CircleOfLife" "Circle Of Life" then H(A1)
would be H(Mufasa:myhost@testrealm.com:CircleOfLife) H(Mufasa:myhost@testrealm.com:Circle Of Life) with no
quotation marks in the digested string.
No white space is allowed in any of the strings to which the
digest function H() is applied unless that white space exists in
the quoted strings or entity body whose contents make up the
Franks, et al. [Page 13]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
string to be digested. For example, the string A1 illustrated
above must be Mufasa:myhost@testrealm.com:CircleOfLife
Mufasa:myhost@testrealm.com:Circle Of Life
with no white space on either side of the colons. colons, but with the
white space between the words used in the password value.
Likewise, the other strings digested by H() must not have white
space on either side
Franks, et al. [Page 12]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997 of the colons which delimit their fields
unless that white space was in the quoted strings or entity body
being digested.
"Method" is the HTTP request method as specified in section 5.1
of [2]. The "request-uri" value is the Request-URI from the
request line as specified in section 5.1 of [2]. This may be "*",
an "absoluteURL" or an "abs_path" as specified in section 5.1.2
of [2], but it MUST agree with the Request-URI. In particular, it
MUST be an "absoluteURL" if the Request-URI is an "absoluteURL".
The authenticating server must assure
Also note that the document
designated by the "uri" parameter if integrity protection is applied (qop=auth-int),
the same as the document
served. The purpose of duplicating information from the request
URL in this field H(entity-body) is to deal with the possibility that an
intermediate proxy may alter the client's request. This altered
(but presumably semantically equivalent) request would not result
in the same digest as that calculated by the client.
The optional "digest" field contains a digest of the entity body
and some of the associated entity headers. This digest can be
useful in both request and response transactions. In a request it
can insure the integrity hash of POST data or data being PUT to the
server. In a response entity body, not the
message body - it insures is computed before any transfer encoding is
applied by the integrity of sender and after it has been removed by the served
document.
recipient.
The "method" value of the "digest" field is an <entity-digest>,
which is defined the HTTP request method as follows.
entity-digest<"> KD (H(A1), unquoted nonce-value ":" Method ":"
date ":" entity-info ":" H(entity-body)) <">
; format is <"> *LHEX <">
date = rfc1123-date ; see section 3.3.1 of[2]
entity-info =
H(
digest-uri-value ":"
media-type ":" ; Content-Type, see section 3.7 of [2]
*DIGIT ":" ; Content-Length, see 10.12 of [2]
content-coding ":" ; Content-Encoding, see 3.5 of [2]
last-modified ":" ; last modified date, see 10.25 of [2]
expires ; expiration date; see 10.19 of [2]
)
last-modified = rfc1123-date ; see specified in
section 3.3.1 5.1 of [2]
expires = rfc1123-date [2]. The entity-info elements incorporate "request-uri" value is the values of Request-URI
from the URI used
to request the entity as well line as the associated entity headers
Content-Type, Content-Length, Content-Encoding, Last-Modified,
and Expires. These headers are all end-to-end headers (see specified in section 13.5.1 5.1 of [2]) which must not [2]. This
may be modified by proxy
Franks, et al. [Page 13]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
caches. The "entity-body" is "*", an "absoluteURL" or an "abs_path" as specified by in
section 10.13 5.1.2 of [2]
or RFC 1864. The content length [2], but it MUST agree with the Request-URI. In
particular, it MUST always be included. The
HTTP/1.1 spec requires that content length is well defined in all
messages, whether or not there is a Content-Length header.
Note that not all entities will have an associated URI or all of
these headers. For example, "absoluteURL" if the Request-URI is an entity which
"absoluteURL". The "cnonce-value" is the data of a POST
request will typically not have a digest-uri-value or Last-
modified or Expires headers. If an entity does not have a digest-
uri-value or a header corresponding optional client-chosen
value whose purpose is to one of the entity-info
fields, then foil chosen plaintext attacks.
The authenticating server must assure that field is left empty in the computation of
entity-info. All document
designated by the colons specified above are present, however.
For example "uri" parameter is the value of same as the entity-info associated with POST
data which has content-type "text/plain", no content-encoding and
a length document
served. The purpose of 255 bytes would be H(:text/plain:255:::). Similarly a duplicating information from the request may not have a "Date" header. In
URL in this case the date field
of is to deal with the entity-digest should be empty.
In possibility that an
intermediate proxy may alter the entity-info and entity-digest computations, except for client's request. This altered
(but presumably semantically equivalent) request would not result
in the
blank after same digest as that calculated by the comma in "rfc1123-date", there must be no white
space between "words" and "separators", and exactly one blank
between "words" (see section 2.2 of [2]). client.
Implementers should be aware of how authenticated transactions
interact with proxy shared caches. The HTTP/1.1 protocol specifies that
when a shared cache (see section 13.10 of [2]) has received a
request containing an Authorization header and a response from
relaying that request, it MUST NOT return that response as a
reply to any other request, unless one of two Cache-Control (see
section 14.9 of [2]) directives was present in the response. If
the original response included the "must-revalidate" Cache-
Control directive, the cache MAY use the entity of that response
in replying to a subsequent request, but MUST first revalidate it
with the origin server, using the request headers from the new
request to allow the origin server to authenticate the new
request. Alternatively, if the original response included the
"public" Cache-Control directive, the response entity MAY be
returned in reply to any subsequent request.
Franks, et al. [Page 14]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
3.2.3 The Authentication-Info Header
When authentication succeeds, the server may optionally provide a
The Authentication-Info header indicating that is used by the server wants to
communicate some information regarding the successful
authentication (such as an entity digest or a new nonce to be
used for in the next transaction). It has two fields, digest and
nextnonce. Both are optional. response.
AuthenticationInfo = "Authentication-Info" ":"
1#( digest auth-info
auth-info = 1#(nextnonce | nextnonce [ message-qop ]
| [ response-auth ] | [ cnonce ]
| [nonce-count] )
Franks, et al. [Page 14]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
nextnonce = "nextnonce" "=" nonce-value
digest
response-auth = "digest" "rspauth" "=" entity-digest
The optional digest allows the client to verify that the body of
the response has not been changed en-route. The server would
probably only send this when it has the document and can compute
it. The server would probably not bother generating this header
for CGI output. The value of the "digest" is an <entity-digest>
which is computed as described above. response-digest
response-digest = <"> *LHEX <">
The value of the nextnonce parameter is the nonce the server
wishes the client to use for the next a future authentication response.
Note that either field is optional. In particular the
The server may send the Authentication-Info header with only the a
nextnonce field as a means of implementing one-time or otherwise
changing nonces. If the nextnonce field is present the client is strongly encouraged to
SHOULD use it for when constructing the Authorization header for its
next WWW- Authenticate header. request. Failure of the client to do so
may result in a to do so may result in a
request to re-authenticate from the server with the "stale=TRUE".
Server implementations should carefully consider the
performance implications of the use of this mechanism;
pipelined requests will not be possible if every response
includes a nextnonce attribute which must be used on the next
request received by the server. Consideration should be given
to the performance vs. security tradeoffs of allowing an old
nonce value to be used for a limited time to permit request
pipelining.
qop
Indicates the "quality of protection" options applied to the
response by the server. The value "auth" indicates authentication;
the value "auth-int" indicates authentication with integrity
protection. The server SHOULD use the same value for the qop
directive in the response as was sent by the client in the
corresponding request.
The optional response digest in the "rspauth" directive supports
mutual authentication -- the server proves that it knows the
user's secret, and with qop=auth-int also provides limited
integrity protection of the response. The response-digest value
is calculated as for the request-digest in the Authorization
header, except that if "qop=auth" or is not specified in the
Authorization header for the request, A2 is
A2 = Status-Code ":" digest-uri-value
and if "qop=auth-int", then A2 is
A2 = Status-Code ":" digest-uri-value ":" H(entity-body)
where "Status-Code" is the status code (e.g., "200") from the
"Status-Line" of the response, as defined in section 6.1 of [2],
Franks, et al. [Page 15]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
and "digest-uri-value" is the value of the "uri" directive on the
Authorization header in the request. The "cnonce-value" MUST be
one for the client request to re-authenticate from the server with which this message is the "stale=TRUE ". response.
The Authentication-Info header is allowed in the trailer of an
HTTP message transferred via chunked transfer-coding.
3.3 Digest Operation
Upon receiving the Authorization header, the server may check its
validity by looking up its known password which corresponds to
the submitted username. Then, the server must perform the same
MD5
digest operation (e.g., MD5) performed by the client, and compare
the result to the given response-digest. request-digest value.
Note that the HTTP server does not actually need to know the
user's clear text cleartext password. As long as H(A1) is available to the
server, the validity of an Authorization header may be verified.
A client may remember the username, password and nonce values, so
that future requests within the specified <domain> may include
the Authorization header preemptively. The server may choose to
accept the old Authorization header information, even though the
nonce value included might not be fresh. Alternatively, the
server could return a 401 response with a new nonce value,
causing the client to retry the request. By specifying stale=TRUE
with this response, the server hints to the client that the
request should be retried with the new nonce, without reprompting
the user for a new username and password.
The opaque data is useful for transporting state information
around. information. For
example, a server could be responsible for authenticating content
which actually sits on another server. The
Franks, et al. [Page 15]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997 first 401 response
would include a domain field which includes the URI on the second
server, and the opaque field for specifying state information.
The client will retry the request, at which time the server may
respond with a 301/302 redirection, pointing to the URI on the
second server. The client will follow the redirection, and pass
the same Authorization header, including the <opaque> data which
the second server may require.
As with the basic scheme, proxies must be completely transparent
in the Digest access authentication scheme. That is, they must
forward the WWW-Authenticate, Authentication-Info and
Authorization headers untouched. If a proxy wants to authenticate
a client before a request is forwarded to the server, it can be
done using the Proxy-Authenticate and Proxy-Authorization headers
described in section 3.6 below.
3.4 Security Protocol Negotiation
It is useful for a server to be able to know which security
schemes a client is capable of handling.
Franks, et al. [Page 16]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
It is possible that a server may want to require Digest as its
authentication method, even if the server does not know that the
client supports it. A client is encouraged to fail gracefully if
the server specifies any only authentication scheme schemes it cannot
handle.
3.5 Example
The following example assumes that an access-protected document
is being requested from the server. The URI of the document is
"http://www.nowhere.org/dir/index.html". Both client and server
know that the username for this document is "Mufasa", and the
password is "CircleOfLife". "Circle Of Life" (with one space between each of the
three words).
The first time the client requests the document, no Authorization
header is sent, so the server responds with:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="testrealm@host.com",
qop="auth,auth-int",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
The client may prompt the user for the username and password,
after which it will respond with a new request, including the
following Authorization header:
Authorization: Digest username="Mufasa",
Franks, et al. [Page 16]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
realm="testrealm@host.com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html",
response="1949323746fe6a43ef61f9606e7febea",
qop=auth,
nc=0001,
cnonce="0a4f113b",
response="96d2de7d9b47e2a6c0eccb6f7ef3548f",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
3.6 Proxy-Authentication and Proxy-Authorization
The digest authentication scheme may also be used for
authenticating users to proxies, proxies to proxies, or proxies
to end origin servers by use of the Proxy-Authenticate and Proxy-
Authorization headers. These headers are instances of the general
Proxy-Authenticate and Proxy-Authorization headers specified in
sections 10.30 and 10.31 of the HTTP/1.1 specification [2] and
their behavior is subject to restrictions described there. The
transactions for proxy authentication are very similar to those
already described. Upon receiving a request which requires
authentication, the proxy/server must issue the "HTTP/1.1 401
Unauthorized" header followed by
Unauthorized " response with a "Proxy-Authenticate" header of
the form
Proxy-Authentication = "Proxy-Authentication" ":"
"Digest"
digest-challenge
where header. The
digest-challenge used in the Proxy-Authenticate header is the
Franks, et al. [Page 17]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
same as that for the WWW-Authenticate header as defined above in
section 2.1.
The client/proxy must then re-issue the request with a Proxy-
Authenticate header of the form
Proxy-Authorization = "Proxy-Authorization" ":"
digest-response
where digest-response is
Authorization header, with attributes as defined above specified for the Authorization
header in section 2.1. When
authentication succeeds, TBD above.
On subsequent responses, the server may optionally provide a
Proxy-Authentication-info header of the form sends Proxy-Authentication-Info = "Proxy-Authentication-Info" ":"
nextnonce
where nextnonce has with
attributes the same semantics as the nextnonce field in those for the Authentication-Info header described above in section 3.2.3. field.
Note that in principle a client could be asked to authenticate
itself to both a proxy and an end-server. It might receive an
"HTTP/1.1 401 Unauthorized" header followed by both a WWW-
Authenticate and a Proxy-Authenticate header. However, it can
never receive more than one Proxy-Authenticate header since such
headers are only for immediate connections and must not be passed
Franks, et al. [Page 17]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
on by proxies. If the client receives both headers, it must
respond with both the Authorization and Proxy-Authorization
headers as described above, which will likely involve different
combinations of username, password, nonce, etc.
4 Security Considerations
4.1 Authentication of Clients using Basic Authentication
The Basic authentication scheme is not a secure method of user
authentication, nor does it in any way protect the entity, which is
transmitted in clear text cleartext across the physical network used as the
carrier. HTTP does not prevent additional authentication schemes and
encryption mechanisms from being employed to increase security or the
addition of enhancements (such as schemes to use one-time passwords) to
Basic authentication.
The most serious flaw in Basic authentication is that it results in the
essentially clear text cleartext transmission of the user's password over the
physical network. It is this problem which Digest Authentication
attempts to address.
Because Basic authentication involves the clear text cleartext transmission of
passwords it SHOULD never NOT be used (without enhancements) to protect
sensitive or valuable information.
A common use of Basic authentication is for identification purposes --
requiring the user to provide a user name and password as a means of
identification, for example, for purposes of gathering accurate usage
statistics on a server. When used in this way it is tempting to think
that there is no danger in its use if illicit access to the protected
documents is not a major concern. This is only correct if the server
issues both user name and password to the users and in particular does
not allow the user to choose his or her own password. The danger arises
because naive users frequently reuse a single password to avoid the task
of maintaining multiple passwords.
Franks, et al. [Page 18]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
If a server permits users to select their own passwords, then the threat
is not only illicit access to documents on the server but also illicit
access to the accounts of all users who have chosen to use their account
password. If users are allowed to choose their own password that also
means the server must maintain files containing the (presumably
encrypted) passwords. Many of these may be the account passwords of
users perhaps at distant sites. The owner or administrator of such a
system could conceivably incur liability if this information is not
maintained in a secure fashion.
Basic Authentication is also vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that he is connecting to a host
Franks, et al. [Page 18]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
containing information protected by basic Basic authentication when when, in fact fact,
he is connecting to a hostile server or gateway gateway, then the attacker can
request a password, store it for later use, and feign an error. This
type of attack is not possible with Digest Authentication. Server
implementers SHOULD guard against the possibility of this sort of
counterfeiting by gateways or CGI scripts. In particular it is very
dangerous for a server to simply turn over a connection to a gateway.
That gateway can then use the persistent connection mechanism to engage
in multiple transactions with the client while impersonating the
original server in a way that is not detectable by the client.
4.2 Authentication of Clients using Digest Authentication
Digest Authentication does not provide a strong authentication
mechanism. That is not its intent. It is intended solely to
replace a the much weaker and even more dangerous authentication
mechanism: Basic Authentication. An important design constraint mechanism.
Digest Authentication offers no confidentiality protection beyond
protecting the actual password. All of the rest of the request
and response are available to an eavesdropper.
Digest Authentication offers only limited integrity protection
for the messages in either direction. If qop=auth-int mechanism
is that used, those parts of the new authentication scheme be free message used in the calculation of patent
the WWW-Authenticate and
export restrictions. Authorization header field response
attribute values (see section 3.2.2) are protected. Most header
fields and their values could be modified as a part of a man-in-
the-middle attack.
Many needs for secure HTTP transactions cannot be met by Digest
Authentication. For those needs SSL TLS or SHTTP are more appropriate
protocols. In particular digest Digest authentication cannot be used for
any transaction requiring encrypted content. confidentiality protection.
Nevertheless many functions remain for which digest Digest
authentication is both useful and appropriate.
4.3 Offering a Choice of Authentication Schemes
An HTTP/1.1 server may return multiple challenges with a 401
(Authenticate) response, and each challenge may use a different scheme.
The order of the challenges returned to the user agent is appropriate (any service in the order
present use that the server would prefer they be chosen. The server should order its
challenges with the "most secure" authentication scheme first. A user
agent uses Basic should choose as the challenge to be made switched to the user the first
one that the user agent understands.
When the server offers choices of authentication schemes using the WWW-
Authenticate header, the "security" of the authentication is only Digest as
good soon
as the security of the weakest of the authentication schemes. A
malicious user could capture the set of challenges and try to
authenticate him/herself using the weakest of the authentication
schemes. Thus, the ordering serves more to protect the user's
credentials than the server's information.
A possible man-in-the-middle (MITM) attack would be to add a weak
authentication practical).
4.3 Limited Use Nonce Values
The Digest scheme uses a server-specified nonce to seed the set generation
of choices, hoping that the client will
use one that exposes the user's credentials (e.g. password). For this response-digest value (as specified in section 3.2.2). As shown
Franks, et al. [Page 19]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
reason, 13 March 1998
in the example in 3.2.2, the server is free to construct the nonce such
that it may only be used from a particular client, for a particular
resource, for a limited period of time or number of uses, or any other
restrictions. Doing so strengthens the client protection provided against, for
example, replay attacks (see 4.5). However, it should always use the strongest scheme be noted that it
understands from the choices accepted.
An even better MITM attack would be to remove all offered choices,
method chosen for generating and checking the nonce also has performance
and resource implications. For example, a server may choose to allow
each nonce value to insert be used only once by maintaining a challenge that requests Basic authentication. For this
reason, user agents that are concerned about this kind record of attack could
remember whether
or not each recently issued nonce has been returned and sending a next-
nonce attribute in the strongest authentication scheme ever requested by Authentication-Info header field of every
response. This protects against even an immediate replay attack, but has
a server high cost checking nonce values, and produce perhaps more important will cause
authentication failures for any pipelined requests (presumably returning
a warning message that requires user confirmation before
using stale nonce indication). Similarly, incorporating a weaker one. A particularly insidious way to mount request-specific
element such as the Etag value for a MITM
attack would be resource limits the use of the
nonce to offer a "free" proxy caching service that version of the resource and also defeats pipelining. Thus
it may be useful to gullible
users. do so for methods with side effects but have
unacceptable performance for those that do not.
4.4 Comparison of Digest with Basic Authentication
Both Digest and Basic Authentication are very much on the weak
end of the security strength spectrum. But a comparison between
the two points out the utility, even necessity, of replacing
Basic by Digest.
The greatest threat to the type of transactions for which these
protocols are used is network snooping. This kind of transaction
might involve, for example, online access to a database whose use
is restricted to paying subscribers. With Basic authentication an
eavesdropper can obtain the password of the user. This not only
permits him to access anything in the database, but, often worse,
will permit access to anything else the user protects with the
same password.
By contrast, with Digest Authentication the eavesdropper only gets
access to the transaction in question and not to the user's password.
The information gained by the eavesdropper would permit a replay attack,
but only with a request for the same document, and even that might may be difficult.
limited by the servers choice of nonce.
4.5 Replay Attacks
A replay attack against digest Digest authentication would usually be
pointless for a simple GET request since an eavesdropper would
already have seen the only document he could obtain with a
replay. This is because the URI of the requested document is
digested in the client response request and the server will only deliver
that document. By contrast under Basic Authentication once the
eavesdropper has the user's password, any document protected by
that password is open to him. A GET request containing form data
could only be "replayed" with the identical data. However, this
could be problematic if it caused a CGI script to take some
action on the server.
Franks, et al. [Page 20]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
that password is open to him.
Thus, for some purposes, it is necessary to protect against
replay attacks. A good digest Digest implementation can do this in
Franks, et al. [Page 20]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
various ways. The server created "nonce" value is implementation
dependent, but if it contains a digest of the client IP, a time-
stamp, the resource ETag, and a private server key (as
recommended above) then a replay attack is not simple. An
attacker must convince the server that the request is coming from
a false IP address and must cause the server to deliver the
document to an IP address different from the address to which it
believes it is sending the document. An attack can only succeed
in the period before the time-stamp expires. Digesting the client
IP and time-stamp in the nonce permits an implementation which
does not maintain state between transactions.
For applications where no possibility of replay attack can be
tolerated the server can use one-time response digests nonce values which will not
be honored for a second use. This requires the overhead of the
server remembering which digests nonce values have been used until the
nonce time-stamp (and hence the digest built with it) has
expired, but digest built with it) has
expired, but it effectively protects against replay attacks.
An implementation must give special attention to the possibility
of replay attacks with POST and PUT requests. Unless the server
employs one-time or otherwise limited-use nonces and/or insists
on the use of the integrity protection of qop=auth-int, an
attacker could replay valid credentials from a successful request
with counterfeit form data or other message body. Even with the
use of integrity protection most metadata in header fields is
not protected. Proper nonce generation and checking provides some
protection against replay of previously used valid credentials,
but see 4.8.
4.6 Weakness Created by Multiple Authentication Schemes
An HTTP/1.1 server may return multiple challenges with a 401
(Authenticate) response, and each challenge may use a different scheme.
The order of the challenges returned to the user agent is the order that
the server would prefer they be chosen. The server should order its
challenges with the "most secure" authentication scheme first. A user
agent should choose to use the first challenge it understands and
request credentials from the user based upon that challenge.
When the server offers choices of authentication schemes using the WWW-
Authenticate header, the strength of the resulting authentication is
only as good as that of the of the weakest of the authentication
schemes. See section 4.8 below for discussion of particular attack
scenarios which exploit multiple authentication schemes. Thus, the
ordering serves more to protect the user's credentials than the server's
information.
4.7 Online dictionary attacks
If the attacker can eavesdrop, then it effectively protects can test any overheard
nonce/response pairs against replay attacks.
Instead of maintaining a list of common words. Such a list is
usually much smaller than the values total number of used digests, possible passwords. The
Franks, et al. [Page 21]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
cost of computing the response for each password on the list is paid
once for each challenge.
This attack can be mitigated by checking the password against a
server would hash these values and require re-authentication
whenever
dictionary when a hash collision occurs.
An implementation must give special attention user tries to change it and disallowing passwords that
are in the possibility
of replay attacks with POST dictionary.
4.8 Man in the Middle
Both Basic and PUT requests. A successful replay
attack could result Digest authentication are vulnerable to "man in counterfeit form data or a counterfeit
version of the
middle" (MITM) attacks, for example, from a PUT file. The use of one-time digests hostile or one-time
nonces is recommended. It is compromised
proxy. Clearly, this would present all the problems of eavesdropping.
But it also recommended that offers some additional opportunities to the optional
<digest> attacker.
A possible man-in-the-middle attack would be implemented for use with POST or PUT requests to
assure add a weak
authentication scheme to the integrity set of choices, hoping that the posted data. Alternatively, a server
may choose to allow digest authentication only with GET requests.
Responsible server implementors client will document
use one that exposes the risks described
here as they pertain user's credentials (e.g. password). For this
reason, the client should always use the strongest scheme that it
understands from the choices offered.
An even better MITM attack would be to a given implementation.
4.6 Man in remove all offered choices,
replacing them with a challenge that requests only Basic authentication,
then uses the cleartext credentials from the Middle
Both Basic and Digest authentication are vulnerable to "man in
authenticate to the
middle" attacks, for example, from a hostile or compromised proxy.
Clearly, this would present all origin server using the problems of eavesdropping. But stronger scheme it
could also offer some additional threats.
requested. A simple but effective particularly insidious way to mount such a MITM attack
would be to replace the Digest challenge
with offer a Basic challenge, "free" proxy caching service to spoof the client into revealing their
password. To protect against this attack, clients gullible users.
User agents should remember if consider measures such as presenting a
site has used Digest authentication in visual
indication at the past, and warn time of the user if credentials request of what authentication
scheme is to be used, or remembering the site stops strongest authentication scheme
ever requested by a server and produce a warning message before using it. a
weaker one. It might also be a good idea for the browser user agent to be
configured to demand Digest authentication in general, or from specific
sites.
Franks, et al. [Page 21]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
Or, a hostile proxy might spoof the client into making a request the
attacker wanted rather than one the client wanted. Of course, this is
still much harder than a comparable attack against Basic Authentication.
There are several
4.9 Chosen plaintext attacks on
With Digest authentication, a MITM or a malicious server can arbitrarily
choose the "digest" field in nonce that the Authentication-
Info header. A simple but effective client will use to compute the response. This
is called a "chosen plaintext" attack. The ability to choose the nonce
is known to make cryptanalysis much easier [8].
However, no way to analyze the MD5 one-way function used by Digest using
chosen plaintext is currently known.
The countermeasure against this attack is just to remove for clients to be
configured to require the use of the optional "cnonce" directive; this
allows the client to vary the input to the hash in a way not chosen by
the attacker.
Franks, et al. [Page 22]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
4.10 Precomputed dictionary attacks
With Digest authentication, if the attacker can execute a chosen
plaintext attack, the field,
so that attacker can precompute the client will not be able response for many
common words to a nonce of its choice, and store a dictionary of
(response, password) pairs. Such precomputation can often be done in
parallel on many machines. It can then use it to detect modifications to the response entity. Sensitive applications may wish chosen plaintext attack
to allow
configuration acquire a response corresponding to require that challenge, and just look up
the digest field be present when
appropriate. More subtly, the attacker can alter any of password in the entity-
headers dictionary. Even if most passwords are not incorporated in the computation of
dictionary, some might be. Since the digest. The attacker gets to pick the
challenge, the cost of computing the response for each password on the
list can alter most be amortized over finding many passwords. A dictionary with 100
million password/response pairs would take about 3.2 gigabytes of disk
storage.
The countermeasure against this attack is to for clients to be
configured to require the request headers in use of the client's request, optional "cnonce" directive.
4.11 Batch brute force attacks
With Digest authentication, a MITM can execute a chosen plaintext
attack, and can
alter any response header in gather responses from many users to the origin-server's reply, except those
headers whose values are incorporated into same nonce. It
can then find all the "digest" field.
Alteration passwords within any subset of Accept* or User-Agent request headers can only result password space that
would generate one of the nonce/response pairs in a
denial of service attack single pass over
that returns content in an unacceptable media
type or language. Alteration of cache control headers space. It also can only
result in denial reduces the time to find the first password by a
factor equal to the number of service. Alteration nonce/response pairs gathered. This search
of Host will be detected, if the
full URL is password space can often be done in parallel on many machines,
and even a single machine can search large subsets of the response-digest. Alteration password space
very quickly _ reports exist of Referer searching all passwords with six or From
fewer letters in a few hours.
The countermeasure against this attack is not
important, as these are only hints.
4.7 to for clients to be
configured to require the use of the optional "cnonce" directive.
4.12 Spoofing by Counterfeit Servers
Basic Authentication is vulnerable to spoofing by counterfeit servers.
If a user can be led to believe that she is connecting to a host
containing information protected by a password she knows, when in fact
she is connecting to a hostile server, then the hostile server can
request a password, store it away for later use, and feign an error.
This type of attack is more difficult with Digest Authentication -- but
the client must know to demand that Digest authentication be used,
perhaps using some of the techniques described above to counter "man-in-
the-middle" attacks.
4.8 Again, the user can be helped in detecting this
attack by a visual indication of the authentication mechanism in use
with appropriate guidance in interpreting the implications of each
scheme.
4.13 Storing passwords
Digest authentication requires that the authenticating agent (usually
the server) store some data derived from the user's name and password in
Franks, et al. [Page 23]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
a "password file" associated with a given realm. Normally this might
contain pairs consisting of username and H(A1), where H(A1) is the
digested value of the username, realm, and password as described above.
The security implications of this are that if this password file is
compromised, then an attacker gains immediate access to documents on the
server using this realm. Unlike, say a standard UNIX password file, this
information need not be decrypted in order to access documents in the
server realm associated with this file. On the other hand, decryption,
or more likely a brute force attack, would be necessary to obtain the
user's password. This is the reason that the realm is part of the
Franks, et al. [Page 22]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
digested data stored in the password file. It means that if one digest Digest
authentication password file is compromised, it does not automatically
compromise others with the same username and password (though it does
expose them to brute force attack).
There are two important security consequences of this. First the
password file must be protected as if it contained unencrypted
passwords, because for the purpose of accessing documents in its realm,
it effectively does.
A second consequence of this is that the realm string should be unique
among all realms which any single user is likely to use. In particular a
realm string should include the name of the host doing the
authentication. The inability of the client to authenticate the server
is a weakness of Digest Authentication.
4.9
4.14 Summary
By modern cryptographic standards Digest Authentication is weak. But for
a large range of purposes it is valuable as a replacement for Basic
Authentication. It remedies many, some, but not all, weaknesses of Basic
Authentication. Its strength may vary depending on the implementation.
In particular the structure of the nonce (which is dependent on the
server implementation) may affect the ease of mounting a replay attack.
A range of server options is appropriate since, for example, some
implementations may be willing to accept the server overhead of one-time
nonces or digests to eliminate the possibility of replay. Others may
satisfied with a nonce like the one recommended above restricted to a
single IP address and a single ETag or with a limited lifetime.
The bottom line is that *any* compliant implementation will be
relatively weak by cryptographic standards, but *any* compliant
implementation will be far superior to Basic Authentication.
5 Acknowledgments
In addition to the authors, valuable discussion instrumental in creating
this document has come from Peter J. Churchyard, Ned Freed, and David M.
Kristol.
Jim Gettys and Larry Masinter edited this document for its update.
Franks, et al. [Page 24]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
6 References
[1] Berners-Lee, T., Fielding, R., and H. Frystyk, "Hypertext Transfer
Protocol -- HTTP/1.0", RFC 1945, May 1996.
Franks, et al. [Page 23]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
[2] Fielding, R., Gettys, J., Mogul, J. C., Frysyk, H, Berners-Lee,
T., " Hypertext Transfer Protocol -- HTTP/1.1", Work In Progress of
the HTTP working group, November 1997.
[3] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
1992.
[4] Freed, N., and N. Borenstein. "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message Bodies." RFC
2045, Innosoft, First Virtual, November 1996.
[5] Dierks, T. and C. Allen "The TLS Protocol, Version 1.0," Work In
Progress of the TLS working group, November, 1997.
[6] Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., Luotonen,
A., Sink, E., Stewart, L.," An L.,"An Extension to HTTP : Digest Access
Authentication." RFC 2069, January, 1997.
[7] Berners Lee, T, Fielding, R., Masinter, L., "Uniform Resource
Identifiers (URI): Generic Syntax and Semantics ," Semantics," Work in Progress,
November, 1997.
[8] Kaliski, B.,Robshaw, M., "Message Authentication with MD5",
CryptoBytes, Sping 1995, RSA Inc,
(http://www.rsa.com/rsalabs/pubs/cryptobytes/spring95/md5.htm)
7 Authors' Addresses
John Franks
Professor of Mathematics
Department of Mathematics
Northwestern University
Evanston, IL 60208-2730, USA
EMail: john@math.nwu.edu
Phillip M. Hallam-Baker
Principal Consultant
Verisign Inc.
One Alewife Center
Cambridge, MA 02138, USA
EMail: pbaker@verisign.com
Franks, et al. [Page 25]
INTERNET-DRAFT HTTP Authentication Friday 13 March 1998
Jeffery L. Hostetler
Senior Software Engineer
Spyglass, Inc.
3200 Farber Drive
Champaign, IL 61821, USA
EMail: jeff@spyglass.com
Franks, et al. [Page 24]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
Paul J. Leach
Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052, USA
EMail: paulle@microsoft.com
Ari Luotonen
Member of Technical Staff
Netscape Communications Corporation
501 East Middlefield Road
Mountain View, CA 94043, USA
EMail: luotonen@netscape.com
Eric W. Sink
Senior Software Engineer
Spyglass, Inc.
3200 Farber Drive
Champaign, IL 61821, USA
EMail: eric@spyglass.com
Lawrence C. Stewart
Open Market, Inc.
215 First Street
Cambridge, MA 02142, USA
EMail: stewart@OpenMarket.com
Franks, et al. [Page 25]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
Index
While some care was taken producing this index, there is no guarantee
that all occurrences of an index term have been entered into the index.
Italics indicate the definition of a term; bold face is used for the
definition of a header.
credentials, 6
301, 16
13
digest, 11, 12, 13, 14, 15, 21,
22
Digest Access Authentication, 2,
401, 5, 6, 9, 10, 15, 16, 17, 19 8, 9
407, 5, 6 Digest Authentication, 18, 19
411, 6 digest-challenge, 9, 17
digest-required, 9, 11, 12
digest-response, 11, 17
digest-uri, 11
absoluteURL, 13 digest-uri-value, 11, 12, 13, 14
Accept*, 22 domain, 9, 10, 15, 16
Access Authentication, 5
algorithm, 8, 9, 10, 11, 12
AuthenticationInfo, 302, 16 date, 14
Authentication-Info, 9, 12, 14, entity-body, 13, 14
15, 16, 17, 22 entity-digest, 11, 12, 13, 14, 15
Authorization, 5, 6, 7, 9, 11, entity-info, 13, 14
12, 14, 15, 16, 17, 18 expires, 13
auth-param, 5 Expires, 13, 14
auth-scheme, 5
From, 22
base64-user-pass, 7
Basic Access Authentication, 1,
7, 8
Basic authentication, 7, 18, 20 GET, 10, 11, 20, 21
Basic Authentication Scheme, 6
basic-credentials, 7
last-modified, 13
Last-Modified, 13
Cache-Control, 14 LHEX, 11, 12, 13
challenge, 5
content-coding, 13
Content-Encoding, 13
Content-Length, 13 MD5, 8, 9, 10, 11, 15, 24
Content-Type, 13 media-type, 13
Scott D. Lawrence
Agranat Systems, Inc.
1345 Main St.
Waltham, MA 02154, USA
EMail: stewart@OpenMarket.com
Franks, et al. [Page 26]
INTERNET-DRAFT HTTP Authentication Friday 21 November 1997
Method, 12, 13 response, 11, 17
MIME, 24 response-digest, 11, 12, 15, 22
must-revalidate, 14 rfc1123-date, 13, 14
, 17 Security Considerations
nonce, 8, 9, 10, 11, 14, 15, 16, basic scheme is insecure, 18
17, 18, 21, 23 comparison of digest with basic,
nonce-value, 9, 12, 13, 15 20
man in the middle attacks, 21
offering multiple authentication
schemes, 19
opaque, 9, 10, 11, 12, 15, 16, 17 replay attacks against digest nextnonce, 14, 15
authentication, 20
spoofing by counterfeit servers,
22
password, 1, 7, 8, 9, 10, 12, 15, digest weak, 23
16, 18, 20, 21, 22, 23 separators, 14
POST, 10, 11, 13, 14, 21 stale, 9, 10, 15
Proxy-Authenticate, 5, 6, 7, 16,
17
Proxy-Authentication, 17
Proxy-Authentication-Info, 17 token, 5
Proxy-Authorization, 6 true, 12
public, 14
PUT, 10, 11, 13, 21
User-Agent, 22
userid, 7
quoted-string, 5, 9, 11, 12 username, 8, 9, 10, 11, 12, 15,
16, 18, 22, 23
username-value, 11, 12
user-pass, 7
realm, 5, 9, 11, 12, 16, 17, 22,
23
realm-value, 5, 12
Referer, 22 words, 14
request-uri, 11, 13 WWW-Authenticate, 5, 6, 7, 9, 12,
Request-URI, 6, 7, 13 16, 17, 19
Franks, et al. [Page 27]
----