RFC 2617 (rfc2617) - Page 2 of 34


HTTP Authentication: Basic and Digest Access Authentication



Alternative Format: Original Text Document



RFC 2617                  HTTP Authentication                  June 1999


   Like Basic, Digest access authentication verifies that both parties
   to a communication know a shared secret (a password); unlike Basic,
   this verification can be done without sending the password in the
   clear, which is Basic's biggest weakness. As with most other
   authentication protocols, the greatest sources of risks are usually
   found not in the core protocol itself but in policies and procedures
   surrounding its use.

Table of Contents

   1   Access Authentication................................   3
    1.1   Reliance on the HTTP/1.1 Specification............   3
    1.2   Access Authentication Framework...................   3
   2   Basic Authentication Scheme..........................   5
   3   Digest Access Authentication Scheme..................   6
    3.1   Introduction......................................   6
     3.1.1  Purpose.........................................   6
     3.1.2  Overall Operation...............................   6
     3.1.3  Representation of digest values.................   7
     3.1.4  Limitations.....................................   7
    3.2   Specification of Digest Headers...................   7
     3.2.1  The WWW-Authenticate Response Header............   8
     3.2.2  The Authorization Request Header................  11
     3.2.3  The Authentication-Info Header..................  15
    3.3   Digest Operation..................................  17
    3.4   Security Protocol Negotiation.....................  18
    3.5   Example...........................................  18
    3.6   Proxy-Authentication and Proxy-Authorization......  19
   4   Security Considerations..............................  19
    4.1   Authentication of Clients using Basic
          Authentication....................................  19
    4.2   Authentication of Clients using Digest
          Authentication....................................  20
    4.3   Limited Use Nonce Values..........................  21
    4.4   Comparison of Digest with Basic Authentication....  22
    4.5   Replay Attacks....................................  22
    4.6   Weakness Created by Multiple Authentication
          Schemes...........................................  23
    4.7   Online dictionary attacks.........................  23
    4.8   Man in the Middle.................................  24
    4.9   Chosen plaintext attacks..........................  24
    4.10  Precomputed dictionary attacks....................  25
    4.11  Batch brute force attacks.........................  25
    4.12  Spoofing by Counterfeit Servers...................  25
    4.13  Storing passwords.................................  26
    4.14  Summary...........................................  26
   5   Sample implementation................................  27
   6   Acknowledgments......................................  31



Franks, et al.              Standards Track