datatracker.ietf.org
Sign in
Version 5.13.0, 2015-03-25
Report a bug

An Extension to HTTP : Digest Access Authentication
RFC 2069

Document type: RFC - Proposed Standard (January 1997; Errata)
Obsoleted by RFC 2617
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Document shepherd: No shepherd assigned

IESG State: RFC 2069 (Proposed Standard)
Responsible AD: (None)
Send notices to: No addresses provided

Network Working Group                                          J. Franks
Request for Comments: 2069                       Northwestern University
Category: Standards Track                                P. Hallam-Baker
                                                                    CERN
                                                            J. Hostetler
                                                          Spyglass, Inc.
                                                                P. Leach
                                                   Microsoft Corporation
                                                             A. Luotonen
                                     Netscape Communications Corporation
                                                                 E. Sink
                                                          Spyglass, Inc.
                                                              L. Stewart
                                                       Open Market, Inc.
                                                            January 1997

          An Extension to HTTP : Digest Access Authentication

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   The protocol referred to as "HTTP/1.0" includes the specification for
   a Basic Access Authentication scheme.  This scheme is not considered
   to be a secure method of user authentication, as the user name and
   password are passed over the network as clear text.  A specification
   for a different authentication scheme is needed to address this
   severe limitation.  This document provides specification for such a
   scheme, referred to as "Digest Access Authentication".  Like Basic,
   Digest access authentication verifies that both parties to a
   communication know a shared secret (a password); unlike Basic, this
   verification can be done without sending the password in the clear,
   which is Basic's biggest weakness. As with most other authentication
   protocols, the greatest sources of risks are usually found not in the
   core protocol itself but in policies and procedures surrounding its
   use.

Franks, et. al.             Standards Track                     [Page 1]
RFC 2069              Digest Access Authentication          January 1997

Table of Contents

   INTRODUCTION......................................................  2
    1.1  PURPOSE ....................................................  2
    1.2  OVERALL OPERATION ..........................................  3
    1.3  REPRESENTATION OF DIGEST VALUES ............................  3
    1.4  LIMITATIONS ................................................  3
   2. DIGEST ACCESS AUTHENTICATION SCHEME............................  3
    2.1 SPECIFICATION OF DIGEST HEADERS .............................  3
     2.1.1 THE WWW-AUTHENTICATE RESPONSE HEADER .....................  4
     2.1.2 THE AUTHORIZATION REQUEST HEADER .........................  6
     2.1.3 THE AUTHENTICATION-INFO HEADER ...........................  9
    2.2 DIGEST OPERATION ............................................ 10
    2.3 SECURITY PROTOCOL NEGOTIATION ............................... 10
    2.4 EXAMPLE ..................................................... 11
    2.5 PROXY-AUTHENTICATION AND PROXY-AUTHORIZATION ................ 11
   3. SECURITY CONSIDERATIONS........................................ 12
    3.1 COMPARISON WITH BASIC AUTHENTICATION ........................ 13
    3.2 REPLAY ATTACKS .............................................. 13
    3.3 MAN IN THE MIDDLE ........................................... 14
    3.4 SPOOFING BY COUNTERFEIT SERVERS ............................. 15
    3.5 STORING PASSWORDS ........................................... 15
    3.6 SUMMARY ..................................................... 16
   4.  ACKNOWLEDGMENTS............................................... 16
   5. REFERENCES..................................................... 16
   6. AUTHORS' ADDRESSES............................................. 17

Introduction

1.1  Purpose

   The protocol referred to as "HTTP/1.0" includes specification for a
   Basic Access Authentication scheme[1].  This scheme is not considered
   to be a secure method of user authentication, as the user name and
   password are passed over the network in an unencrypted form.  A
   specification for a new authentication scheme is needed for future
   versions of the HTTP protocol.  This document provides specification

[include full document text]