RFC 2069 (rfc2069) - Page 3 of 18


An Extension to HTTP : Digest Access Authentication






RFC 2069              Digest Access Authentication          January 1997


1.2  Overall Operation

   Like Basic Access Authentication, the Digest scheme is based on a
   simple challenge-response paradigm.  The Digest scheme challenges
   using a nonce value.  A valid response contains a checksum (by
   default the MD5 checksum) of the username, the password, the given
   nonce value, the HTTP method, and the requested URI.  In this way,
   the password is never sent in the clear.  Just as with the Basic
   scheme, the username and password must be prearranged in some fashion
   which is not addressed by this document.

1.3  Representation of digest values

   An optional header allows the server to specify the algorithm used to
   create the checksum or digest.  By default the MD5 algorithm is used
   and that is the only algorithm described in this document.

   For the purposes of this document, an MD5 digest of 128 bits is
   represented as 32 ASCII printable characters.  The bits in the 128
   bit digest are converted from most significant to least significant
   bit, four bits at a time to their ASCII presentation as follows.
   Each four bits is represented by its familiar hexadecimal notation
   from the characters 0123456789abcdef.  That is, binary 0000 gets
   represented by the character '0', 0001, by '1', and so on up to the
   representation of 1111 as 'f'.
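
   The following Python example is added here and is not part of the RFC
   text.  It encodes a 128-bit MD5 digest four bits at a time as section
   1.3 describes, then uses that representation to build and verify a
   response of the kind outlined in section 1.2.  The A1/A2 string layout
   (including the realm) comes from later sections of RFC 2069, not from
   this page; the function names and the sample values are constructed.

```python
import hashlib
import hmac

HEX = "0123456789abcdef"  # alphabet fixed by section 1.3 (lowercase only)


def hex32(digest: bytes) -> str:
    """Encode a 128-bit digest as 32 characters, most significant bits first."""
    if len(digest) != 16:
        raise ValueError("expected a 128-bit (16-byte) MD5 digest")
    out = []
    for byte in digest:
        out.append(HEX[byte >> 4])    # upper four bits of the byte
        out.append(HEX[byte & 0x0F])  # lower four bits of the byte
    return "".join(out)


def H(text: str) -> str:
    """MD5 checksum of a string, in the 32-character representation."""
    return hex32(hashlib.md5(text.encode("utf-8")).digest())


def digest_response(username, realm, password, nonce, method, uri) -> str:
    # Assumption: A1 = user:realm:password and A2 = method:uri, as defined
    # in the later sections of RFC 2069 (not shown on this page).
    ha1 = H(f"{username}:{realm}:{password}")
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{nonce}:{ha2}")


def server_accepts(stored_ha1, nonce, method, uri, client_response) -> bool:
    """Recompute the response from the stored H(A1); compare in constant time."""
    ha2 = H(f"{method}:{uri}")
    expected = H(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected.encode(), client_response.encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from the RFC.
    resp = digest_response("alice", "example-realm", "s3cret",
                           "n0nce-0001", "GET", "/index.html")
    print(resp)
    print(server_accepts(H("alice:example-realm:s3cret"),
                         "n0nce-0001", "GET", "/index.html", resp))
```

   The server side only needs H(A1), not the cleartext password, which is
   why the stored value must be protected like a password.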

1.4  Limitations

   The digest authentication scheme described in this document suffers
   from many known limitations.  It is intended as a replacement for
   basic authentication and nothing more.  It is a password-based system
   and (on the server side) suffers from all the same problems of any
   password system.  In particular, no provision is made in this
   protocol for the initial secure arrangement between user and server
   to establish the user's password.

   Users and implementors should be aware that this protocol is not as
   secure as Kerberos, and not as secure as any client-side private-key
   scheme.  Nevertheless it is better than nothing, better than what is
   commonly used with telnet and ftp, and better than Basic
   authentication.

2. Digest Access Authentication Scheme

2.1 Specification of Digest Headers

   The Digest Access Authentication scheme is conceptually similar to
   the Basic scheme.  The formats of the modified WWW-Authenticate



Franks, et. al.             Standards Track