datatracker.ietf.org
Sign in
Version 5.6.2.p2, 2014-07-24
Report a bug

HTTP Authentication: Basic and Digest Access Authentication
RFC 2617

Document type: RFC - Draft Standard (June 1999; Errata)
Updated by RFC 7235
Obsoletes RFC 2069
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Document shepherd: No shepherd assigned

IESG State: RFC 2617 (Draft Standard)
Responsible AD: (None)
Send notices to: No addresses provided

Network Working Group                                          J. Franks
Request for Comments: 2617                       Northwestern University
Obsoletes: 2069                                          P. Hallam-Baker
Category: Standards Track                                 Verisign, Inc.
                                                            J. Hostetler
                                                         AbiSource, Inc.
                                                             S. Lawrence
                                                   Agranat Systems, Inc.
                                                                P. Leach
                                                   Microsoft Corporation
                                                             A. Luotonen
                                     Netscape Communications Corporation
                                                              L. Stewart
                                                       Open Market, Inc.
                                                               June 1999

      HTTP Authentication: Basic and Digest Access Authentication

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   "HTTP/1.0", includes the specification for a Basic Access
   Authentication scheme. This scheme is not considered to be a secure
   method of user authentication (unless used in conjunction with some
   external secure system such as SSL [5]), as the user name and
   password are passed over the network as cleartext.

   This document also provides the specification for HTTP's
   authentication framework, the original Basic authentication scheme
   and a scheme based on cryptographic hashes, referred to as "Digest
   Access Authentication".  It is therefore also intended to serve as a
   replacement for RFC 2069 [6].  Some optional elements specified by
   RFC 2069 have been removed from this specification due to problems
   found since its publication; other new elements have been added for
   compatibility, those new elements have been made optional, but are
   strongly recommended.

Franks, et al.              Standards Track                     [Page 1]
RFC 2617                  HTTP Authentication                  June 1999

   Like Basic, Digest access authentication verifies that both parties
   to a communication know a shared secret (a password); unlike Basic,
   this verification can be done without sending the password in the
   clear, which is Basic's biggest weakness. As with most other
   authentication protocols, the greatest sources of risks are usually
   found not in the core protocol itself but in policies and procedures
   surrounding its use.

Table of Contents

   1   Access Authentication................................   3
    1.1   Reliance on the HTTP/1.1 Specification............   3
    1.2   Access Authentication Framework...................   3
   2   Basic Authentication Scheme..........................   5
   3   Digest Access Authentication Scheme..................   6
    3.1   Introduction......................................   6
     3.1.1  Purpose.........................................   6
     3.1.2  Overall Operation...............................   6
     3.1.3  Representation of digest values.................   7
     3.1.4  Limitations.....................................   7
    3.2   Specification of Digest Headers...................   7
     3.2.1  The WWW-Authenticate Response Header............   8
     3.2.2  The Authorization Request Header................  11
     3.2.3  The Authentication-Info Header..................  15
    3.3   Digest Operation..................................  17
    3.4   Security Protocol Negotiation.....................  18
    3.5   Example...........................................  18
    3.6   Proxy-Authentication and Proxy-Authorization......  19
   4   Security Considerations..............................  19
    4.1   Authentication of Clients using Basic
          Authentication....................................  19
    4.2   Authentication of Clients using Digest
          Authentication....................................  20
    4.3   Limited Use Nonce Values..........................  21
    4.4   Comparison of Digest with Basic Authentication....  22
    4.5   Replay Attacks....................................  22
    4.6   Weakness Created by Multiple Authentication

[include full document text]