RFC 2069 (rfc2069) - Page 3 of 18
An Extension to HTTP : Digest Access Authentication
Alternative Format: Original Text Document
RFC 2069 Digest Access Authentication January 1997
1.2 Overall Operation
Like Basic Access Authentication, the Digest scheme is based on a
simple challenge-response paradigm. The Digest scheme challenges
using a nonce value. A valid response contains a checksum (by
default the MD5 checksum) of the username, the password, the given
nonce value, the HTTP method, and the requested URI. In this way,
the password is never sent in the clear. Just as with the Basic
scheme, the username and password must be prearranged in some fashion
which is not addressed by this document.
1.3 Representation of digest values
An optional header allows the server to specify the algorithm used to
create the checksum or digest. By default the MD5 algorithm is used
and that is the only algorithm described in this document.
For the purposes of this document, an MD5 digest of 128 bits is
represented as 32 ASCII printable characters. The bits in the 128
bit digest are converted from most significant to least significant
bit, four bits at a time to their ASCII presentation as follows.
Each four bits is represented by its familiar hexadecimal notation
from the characters 0123456789abcdef. That is, binary 0000 gets
represented by the character '0', 0001, by '1', and so on up to the
representation of 1111 as 'f'.
1.4 Limitations
The digest authentication scheme described in this document suffers
from many known limitations. It is intended as a replacement for
basic authentication and nothing more. It is a password-based system
and (on the server side) suffers from all the same problems of any
password system. In particular, no provision is made in this
protocol for the initial secure arrangement between user and server
to establish the user's password.
Users and implementors should be aware that this protocol is not as
secure as kerberos, and not as secure as any client-side private-key
scheme. Nevertheless it is better than nothing, better than what is
commonly used with telnet and ftp, and better than Basic
authentication.
2. Digest Access Authentication Scheme
2.1 Specification of Digest Headers
The Digest Access Authentication scheme is conceptually similar to
the Basic scheme. The formats of the modified WWW-Authenticate
Franks, et. al. Standards Track