An Extension to HTTP : Digest Access Authentication
RFC 2069 Digest Access Authentication January 1997
Table of Contents
1. INTRODUCTION................................................... 2
1.1 PURPOSE .................................................... 2
1.2 OVERALL OPERATION .......................................... 3
1.3 REPRESENTATION OF DIGEST VALUES ............................ 3
1.4 LIMITATIONS ................................................ 3
2. DIGEST ACCESS AUTHENTICATION SCHEME............................ 3
2.1 SPECIFICATION OF DIGEST HEADERS ............................. 3
2.1.1 THE WWW-AUTHENTICATE RESPONSE HEADER ..................... 4
2.1.2 THE AUTHORIZATION REQUEST HEADER ......................... 6
2.1.3 THE AUTHENTICATION-INFO HEADER ........................... 9
2.2 DIGEST OPERATION ............................................ 10
2.3 SECURITY PROTOCOL NEGOTIATION ............................... 10
2.4 EXAMPLE ..................................................... 11
2.5 PROXY-AUTHENTICATION AND PROXY-AUTHORIZATION ................ 11
3. SECURITY CONSIDERATIONS........................................ 12
3.1 COMPARISON WITH BASIC AUTHENTICATION ........................ 13
3.2 REPLAY ATTACKS .............................................. 13
3.3 MAN IN THE MIDDLE ........................................... 14
3.4 SPOOFING BY COUNTERFEIT SERVERS ............................. 15
3.5 STORING PASSWORDS ........................................... 15
3.6 SUMMARY ..................................................... 16
4. ACKNOWLEDGMENTS............................................... 16
5. REFERENCES..................................................... 16
6. AUTHORS' ADDRESSES............................................. 17
1. Introduction
1.1 Purpose
The protocol referred to as "HTTP/1.0" includes a specification for a
Basic Access Authentication scheme [1]. This scheme is not considered
to be a secure method of user authentication, as the user name and
password are passed over the network in an unencrypted form. A
specification for a new authentication scheme is needed for future
versions of the HTTP protocol. This document provides a specification
for such a scheme, referred to as "Digest Access Authentication".
The Digest Access Authentication scheme is not intended to be a
complete answer to the need for security in the World Wide Web. This
scheme provides no encryption of object content. The intent is simply
to create a weak access authentication method which avoids the most
serious flaws of Basic authentication.
It is proposed that this access authentication scheme be included in
the proposed HTTP/1.1 specification.
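As an added illustration of the contrast this section draws (example code, not part of RFC 2069), the following Python shows what each scheme places in the Authorization header: a Basic header is a reversible base64 encoding of the password, while a Digest header carries only the RFC 2069 request-digest, KD(H(A1), nonce ":" H(A2)) with H = MD5 as defined in section 2.2, which a server can check from a stored H(A1) without ever holding the clear-text password. The user name, realm, password and nonce values are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example (not the RFC's own test vectors).
USER, REALM, PASSWORD = "alice", "example-realm", "s3cret"

def basic_header(username: str, password: str) -> str:
    """Basic scheme: "user:password" travels base64-encoded, nothing more."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def credentials_from_basic(header: str) -> tuple:
    """Base64 is an encoding, not encryption: any proxy, log or tap that
    sees the header recovers the password. This is the flaw the RFC cites."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _h(data: str) -> str:
    """H() in RFC 2069 is MD5, written as 32 lowercase hex digits."""
    return hashlib.md5(data.encode()).hexdigest()

def h_a1(username: str, realm: str, password: str) -> str:
    """H(A1) with A1 = username:realm:password; all a server needs to store."""
    return _h(f"{username}:{realm}:{password}")

def digest_response(username, realm, password, nonce, method, uri) -> str:
    """RFC 2069 request-digest = KD(H(A1), nonce ":" H(A2)), where
    A2 = method:digest-uri and KD(secret, data) = H(secret ":" data)."""
    return _h(f"{h_a1(username, realm, password)}:{nonce}:{_h(f'{method}:{uri}')}")

def digest_header(username, realm, password, nonce, method, uri) -> str:
    """Digest scheme: the header carries the hash, never the password itself."""
    resp = digest_response(username, realm, password, nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')

def server_verify(stored_h_a1, nonce, method, uri, response) -> bool:
    """Server side: recompute from stored H(A1) and compare in constant time.
    The digest also binds method and URI, so a reused response for a
    different request (or a different nonce) fails the check."""
    expected = _h(f"{stored_h_a1}:{nonce}:{_h(f'{method}:{uri}')}")
    return hmac.compare_digest(expected, response)
```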
Franks, et al. Standards Track