Digest authentication was originally specified by RFC 2069. It describes a roughly traditional digest authentication scheme whose security rests on a server-generated nonce value. The authentication response is formed as follows (where HA1 and HA2 are names of string variables):
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:HA2)
RFC 2069 was later replaced by RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication). RFC 2617 introduced a number of optional security enhancements to digest authentication: "quality of protection" (qop), a nonce counter (nc) incremented by the client, and a client-generated random nonce (cnonce).
If the algorithm directive is "MD5" or unspecified, then HA1 is
HA1 = MD5(username:realm:password)
If the algorithm directive value is “MD5-sess” then HA1 is
HA1 = MD5(MD5(username:realm:password):nonce:cnonce)
If the qop directive is “auth” or unspecified, then HA2 is
HA2 = MD5(method:digestURI)
If the qop directive is “auth-int” then HA2 is
HA2 = MD5(method:digestURI:MD5(entireBody))
If the qop directive is not specified, then the response is computed as follows
response = MD5(HA1:nonce:HA2)
If the qop directive is specified as "auth" or "auth-int", then the response is computed as follows
response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)
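The HA1/HA2/response computation above, carried through in code. This is an added example, not part of the original post: `digest_response` covers every branch (RFC 2069 form when qop is absent, MD5-sess, auth and auth-int), and `verify_response` shows the server side, which only needs to store HA1 rather than the password. The sample values are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """MD5 of a string, returned as lowercase hex as Digest requires."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    algorithm="MD5", qop=None, nc=None, cnonce=None, body=b""):
    """Return (HA1, HA2, response) following RFC 2617 (qop=None gives RFC 2069)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    if algorithm == "MD5-sess":
        # MD5-sess binds HA1 to this server nonce and client nonce
        ha1 = md5_hex(f"{ha1}:{nonce}:{cnonce}")
    if qop == "auth-int":
        # auth-int also covers the entity body, so a tampered body fails verification
        body_hash = hashlib.md5(body).hexdigest()
        ha2 = md5_hex(f"{method}:{uri}:{body_hash}")
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        response = md5_hex(f"{ha1}:{nonce}:{ha2}")
    else:
        response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return ha1, ha2, response


def verify_response(stored_ha1, client_response, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=b""):
    """Server-side check for algorithm=MD5: recompute from stored HA1 and compare."""
    if qop == "auth-int":
        ha2 = md5_hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    else:
        expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # constant-time comparison so response checking does not leak via timing
    return hmac.compare_digest(expected, client_response)


# Worked example from RFC 2617 section 3.5 (qop=auth, algorithm=MD5)
RFC_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                   password="Circle Of Life", method="GET", uri="/dir/index.html",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                   qop="auth", nc="00000001", cnonce="0a4f113b")
```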