idnits 2.17.1 

draft-ietf-http-authentication-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories. 

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 31
     longer pages, the longest (page 11) being 67 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There is 1 instance of too long lines in the document, the longest one
     being 188 characters in excess of 72.

  ** The abstract seems to contain references ([5], [6]), which it shouldn't.
      Please replace those with straight textual mentions of the documents in
     question.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 145: '...user agent. This response MUST include...'
     RFC 2119 keyword, line 149: '... of a client and MUST include a Proxy-...'
     RFC 2119 keyword, line 190: '...agent MUST choose to use one of the ch...'
     RFC 2119 keyword, line 202: '...credentials MAY be reused for all othe...'
     RFC 2119 keyword, line 209: '...request, it SHOULD return a 401 (Unaut...'
     (28 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 710 has weird spacing: '...ptional  clien...'

  == Line 760 has weird spacing: '...hanging  nonce...'

  == Line 1007 has weird spacing: '...ion. If  qop=a...'

  == Line 1010 has weird spacing: '...ve) are  prote...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (September 2, 1998) is 9361 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: 'HASHLEN' on line 1308

  -- Looks like a reference, but probably isn't: 'HASHHEXLEN' on line 1367

  == Unused Reference: '3' is defined on line 1503, but no explicit reference
     was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 1945 (ref. '1')

  -- Possible downref: Non-RFC (?) normative reference: ref. '2'

  ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '3')

  -- Possible downref: Non-RFC (?) normative reference: ref. '5'

  ** Obsolete normative reference: RFC 2069 (ref. '6') (Obsoleted by RFC 2617)

  -- Possible downref: Non-RFC (?) normative reference: ref. '7'

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  -- Possible downref: Non-RFC (?) normative reference: ref. '9'

  -- Possible downref: Non-RFC (?) normative reference: ref. '10'


     Summary: 14 errors (**), 0 flaws (~~), 9 warnings (==), 11 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	HTTP Working Group                  J. Franks, Northwestern University
3	INTERNET DRAFT                         P. Hallam-Baker, Verisign, Inc.
4	<draft-ietf-http-authentication-03>      J. Hostetler, AbiSource, Inc.
5	                                            S. Lawrence, Agranat, Inc.
6	                                       P. Leach, Microsoft Corporation
7	                      A. Luotonen, Netscape Communications Corporation
8	                                         L. Stewart, Open Market, Inc.
9	Expires: March 2, 1999                              September 2, 1998

11	      HTTP Authentication: Basic and Digest Access Authentication

13	Status of this Memo

15	This document is an Internet-Draft. Internet-Drafts are working
16	documents of the Internet Engineering Task Force (IETF), its areas, and
17	its working groups. Note that other groups may also distribute working
18	documents as Internet-Drafts.

20	Internet-Drafts are draft documents valid for a maximum of six months
21	and may be updated, replaced, or made obsolete by other documents at any
22	time. It is inappropriate to use Internet-Drafts as reference material
23	or to cite them other than as "work in progress".

25	To learn the current status of any Internet-Draft, please check the
26	"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
27	Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
28	munnari.oz.au (Pacific Rim), or ftp.isi.edu (US West Coast).

30	Distribution of this document is unlimited. Please send comments to the
31	HTTP working group at <http-wg@hplb.hpl.hp.com>. Discussions of the
32	working group are archived at
33	<URL:http://www.ics.uci.edu/pub/ietf/http/>.

35	Copyright NoticeCopyright (C) The Internet Society (1998). All Rights
36	Reserved. See section 9 for the full copyright notice.

38	Abstract

40	'HTTP/1.0' includes the specification for a Basic Access Authentication
41	scheme. This scheme is not considered to be a secure method of user
42	authentication (unless used in conjunction with some external secure
43	system such as SSL [5]), as the user name and password are passed over
44	the network as cleartext.

46	This document also provides the specification for HTTP's authentication
47	framework, the original Basic authentication scheme and a scheme based
48	on cryptographic hashes, referred to as 'Digest Access Authentication'.
49	It is therefore also intended to serve as a replacement for RFC 2069
50	[6].  Some optional elements specified by RFC 2069 have been removed
51	from this specification due to problems found since its publication;
52	other new elements have been added -for compatibility, those new
53	INTERNET-DRAFT      HTTP Authentication            09/02/98

55	Like Basic, Digest access authentication verifies that both parties to a
56	communication know a shared secret (a password); unlike Basic, this
57	verification can be done without sending the password in the clear,
58	which is Basic's biggest weakness. As with most other authentication
59	protocols, the greatest sources of risks are usually found not in the
60	core protocol itself but in policies and procedures surrounding its use.

62	INTERNET-DRAFT      HTTP Authentication            09/02/98

64	Table of Contents

66	HTTP AUTHENTICATION: BASIC AND DIGEST ACCESS AUTHENTICATION1

68	Status of this Memo........................................1

70	Abstract...................................................1

72	Table of Contents..........................................3

74	1   Access Authentication.................................5
75	 1.1   Reliance on the HTTP/1.1 Specification............5
76	 1.2   Access Authentication Framework...................5

78	2   Basic Authentication Scheme...........................7

80	3   Digest Access Authentication Scheme...................8
81	 3.1   Introduction......................................8
82	  3.1.1  Purpose.........................................8
83	  3.1.2  Overall Operation...............................8
84	  3.1.3  Representation of digest values.................8
85	  3.1.4  Limitations.....................................8
86	 3.2   Specification of Digest Headers...................9
87	  3.2.1  The WWW-Authenticate Response Header............9
88	  3.2.2  The Authorization Request Header...............11
89	  3.2.3  The Authentication-Info Header.................16
90	 3.3   Digest Operation.................................17
91	 3.4   Security Protocol Negotiation....................18
92	 3.5   Example..........................................18
93	 3.6   Proxy-Authentication and Proxy-Authorization.....19

95	4   Security Considerations..............................19
96	 4.1   Authentication of Clients using Basic Authentication    19
97	 4.2   Authentication of Clients using Digest Authentication   20
98	 4.3   Limited Use Nonce Values.........................21
99	 4.4   Comparison of Digest with Basic Authentication...21
100	 4.5   Replay Attacks...................................21
101	 4.6   Weakness Created by Multiple Authentication Schemes22
102	 4.7   Online dictionary attacks........................23
103	 4.8   Man in the Middle................................23
104	 4.9   Chosen plaintext attacks.........................23
105	 4.10  Precomputed dictionary attacks...................24
106	 4.11  Batch brute force attacks........................24
107	 4.12  Spoofing by Counterfeit Servers..................24
108	 4.13  Storing passwords................................24
109	 4.14  Summary..........................................25

111	5   Sample implementation................................25

113	6   Acknowledgments......................................29

115	7   References...........................................29

117	8   Authors' Addresses...................................30
118	INTERNET-DRAFT      HTTP Authentication            09/02/98

120	9   Full Copyright Statement.............................31
121	INTERNET-DRAFT      HTTP Authentication            09/02/98

123	1 Access Authentication

125	1.1 Reliance on the HTTP/1.1 Specification

127	This specification is a companion to the HTTP/1.1 specification [2]. It
128	uses the augmented BNF section 2.1 of that document, and relies on both
129	the non-terminals defined in that document and other aspects of the
130	HTTP/1.1 specification.

132	1.2 Access Authentication Framework

134	HTTP provides a simple challenge-response authentication mechanism that
135	MAY be used by a server to challenge a client request and by a client to
136	provide authentication information. It uses an extensible, case-
137	insensitive token to identify the authentication scheme, followed by a
138	comma-separated list of attribute-value pairs which carry the parameters
139	necessary for achieving authentication via that scheme.

141	       auth-scheme    = token
142	       auth-param     = token "=" ( token | quoted-string )

144	The 401 (Unauthorized) response message is used by an origin server to
145	challenge the authorization of a user agent. This response MUST include
146	a WWW-Authenticate header field containing at least one challenge
147	applicable to the requested resource. The 407 (Proxy Authentication
148	Required) response message is used by a proxy to challenge the
149	authorization of a client and MUST include a Proxy-Authenticate header
150	field containing at least one challenge applicable to the proxy for the
151	requested resource.

153	    challenge   = auth-scheme 1*SP 1#auth-param

155	Note: User agents will need to take special care in parsing the WWW-
156	Authenticate or Proxy-Authenticate header field value if it contains
157	more than one challenge, or if more than one WWW-Authenticate header
158	field is provided, since the contents of a challenge may itself contain
159	a comma-separated list of authentication parameters.

161	The authentication parameter realm is defined for all authentication
162	schemes:

164	    realm       = "realm" "=" realm-value
165	    realm-value = quoted-string

167	The realm directive (case-insensitive) is required for all
168	authentication schemes that issue a challenge. The realm value (case-
169	sensitive), in combination with the canonical root URL (the absoluteURI
170	for the server whose abs_path is empty; see section 5.1.2 of [2]) of the
171	server being accessed, defines the protection space. These realms allow
172	the protected resources on a server to be partitioned into a set of
173	protection spaces, each with its own authentication scheme and/or
174	authorization database. The realm value is a string, generally assigned
175	by the origin server, which may have additional semantics specific to
176	INTERNET-DRAFT      HTTP Authentication            09/02/98

178	the authentication scheme. Note that there may be multiple challenges
179	with the same auth-scheme but different realms.

181	A user agent that wishes to authenticate itself with an origin server--
182	usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
183	do so by including an Authorization header field with the request. A
184	client that wishes to authenticate itself with a proxy--usually, but not
185	necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
186	do so by including a Proxy-Authorization header field with the request.
187	Both the Authorization field value and the Proxy-Authorization field
188	value consist of credentials containing the authentication information
189	of the client for the realm of the resource being requested. The user
190	agent MUST choose to use one of the challenges with the strongest auth-
191	scheme it understands and request credentials from the user based upon
192	that challenge.

194	credentials = auth-scheme #auth-param

196	     Note that many browsers will only recognize Basic and will require
197	     that it be the first auth-scheme presented. Servers should only
198	     include Basic if it is minimally acceptable.

200	The protection space determines the domain over which credentials can be
201	automatically applied. If a prior request has been authorized, the same
202	credentials MAY be reused for all other requests within that protection
203	space for a period of time determined by the authentication scheme,
204	parameters, and/or user preference. Unless otherwise defined by the
205	authentication scheme, a single protection space cannot extend outside
206	the scope of its server.

208	If the origin server does not wish to accept the credentials sent with a
209	request, it SHOULD return a 401 (Unauthorized) response. The response
210	MUST include a WWW-Authenticate header field containing at least one
211	(possibly new) challenge applicable to the requested resource. If a
212	proxy does not accept the credentials sent with a request, it SHOULD
213	return a 407 (Proxy Authentication Required). The response MUST include
214	a Proxy-Authenticate header field containing a (possibly new) challenge
215	applicable to the proxy for the requested resource.

217	The HTTP protocol does not restrict applications to this simple
218	challenge-response mechanism for access authentication. Additional
219	mechanisms MAY be used, such as encryption at the transport level or via
220	message encapsulation, and with additional header fields specifying
221	authentication information. However, these additional mechanisms are not
222	defined by this specification.

224	Proxies MUST be completely transparent regarding user agent
225	authentication by origin servers. That is, they must forward the WWW-
226	Authenticate and Authorization headers untouched, and follow the rules
227	found in section 14.8 of [2]. Both the Proxy-Authenticate and the Proxy-
228	Authorization header fields are hop-by-hop headers (see section 13.5.1
229	of [2]).

231	INTERNET-DRAFT      HTTP Authentication            09/02/98

233	2 Basic Authentication Scheme

235	The "basic" authentication scheme is based on the model that the client
236	must authenticate itself with a user-ID and a password for each realm.
237	The realm value should be considered an opaque string which can only be
238	compared for equality with other realms on that server. The server will
239	service the request only if it can validate the user-ID and password for
240	the protection space of the Request-URI. There are no optional
241	authentication parameters.

243	For Basic, the framework above is utilized as follows:

245	      challenge   = "Basic" realm
246	      credentials = "Basic" basic-credentials

248	Upon receipt of an unauthorized request for a URI within the protection
249	space, the origin server MAY respond with a challenge like the
250	following:

252	       WWW-Authenticate: Basic realm="WallyWorld"

254	where "WallyWorld" is the string assigned by the server to identify the
255	protection space of the Request-URI. A proxy may respond with the same
256	challenge using the Proxy-Authenticate header field.

258	To receive authorization, the client sends the userid and password,
259	separated by a single colon (":") character, within a base64                                                               [7                                                                                                                              ] encoded
260	string in the credentials.

262	       basic-credentials = base64-user-pass
263	       base64-user-pass  = <base64 [4] encoding of user-pass,
264	                        except not limited to 76 char/line>
265	       user-pass   = userid ":" password
266	       userid      = *<TEXT excluding ":">
267	       password    = *TEXT

269	Userids might be case sensitive.

271	If the user agent wishes to send the userid "Aladdin" and password "open
272	sesame", it would use the following header field:

274	       Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

276	A client SHOULD assume that all paths at or deeper than the depth of the
277	last symbolic element in the path field of the Request-URI also are
278	within the protection space specified by the Basic realm value of the
279	current challenge. A client MAY preemptively send the corresponding
280	Authorization header with requests for resources in that space without
281	receipt of another challenge from the server. Similarly, when a client
282	sends a request to a proxy, it may reuse a userid and password in the
283	Proxy-Authorization header field without receiving another challenge
284	from the proxy server. See section 4 for security considerations
285	associated with Basic authentication.

287	INTERNET-DRAFT      HTTP Authentication            09/02/98

289	3 Digest Access Authentication Scheme

291	3.1 Introduction

293	3.1.1 Purpose

295	The protocol referred to as "HTTP/1.0" includes the specification for a
296	Basic Access Authentication scheme[1]. That scheme is not considered to
297	be a secure method of user authentication, as the user name and password
298	are passed over the network in an unencrypted form. This section
299	provides the specification for a scheme that does not send the password
300	in cleartext,  referred to as "Digest Access Authentication".

302	The Digest Access Authentication scheme is not intended to be a complete
303	answer to the need for security in the World Wide Web. This scheme
304	provides no encryption of message content. The intent is simply to
305	create an access authentication method that avoids the most serious
306	flaws of Basic authentication.

308	3.1.2 Overall Operation

310	Like Basic Access Authentication, the Digest scheme is based on a simple
311	challenge-response paradigm. The Digest scheme challenges using a nonce
312	value. A valid response contains a checksum (by default, the MD5
313	checksum) of the username, the password, the given nonce value, the HTTP
314	method, and the requested URI. In this way, the password is never sent
315	in the clear. Just as with the Basic scheme, the username and password
316	must be prearranged in some fashion not addressed by this document.

318	3.1.3 Representation of digest values

320	An optional header allows the server to specify the algorithm used to
321	create the checksum or digest. By default the MD5 algorithm is used and
322	that is the only algorithm described in this document.

324	For the purposes of this document, an MD5 digest of 128 bits is
325	represented as 32 ASCII printable characters. The bits in the 128 bit
326	digest are converted from most significant to least significant bit,
327	four bits at a time to their ASCII presentation as follows. Each four
328	bits is represented by its familiar hexadecimal notation from the
329	characters 0123456789abcdef. That is, binary 0000 gets represented by
330	the character '0', 0001, by '1', and so on up to the representation of
331	1111 as 'f'.

333	3.1.4 Limitations

335	The Digest authentication scheme described in this document suffers from
336	many known limitations. It is intended as a replacement for Basic
337	authentication and nothing more. It is a password-based system and (on
338	the server side) suffers from all the same problems of any password
339	system. In particular, no provision is made in this protocol for the
340	initial secure arrangement between user and server to establish the
341	user's password.

343	Users and implementors should be aware that this protocol is not as
344	secure as Kerberos, and not as secure as any client-side private-key
345	INTERNET-DRAFT      HTTP Authentication            09/02/98

347	scheme. Nevertheless it is better than nothing, better than what is
348	commonly used with telnet and ftp, and better than Basic authentication.

350	3.2 Specification of Digest Headers

352	The Digest Access Authentication scheme is conceptually similar to the
353	Basic scheme. The formats of the modified WWW-Authenticate header line
354	and the Authorization header line are specified below. In addition, a
355	new header, Authentication-Info, is specified.

357	3.2.1 The WWW-Authenticate Response Header

359	If a server receives a request for an access-protected object, and an
360	acceptable Authorization header is not sent, the server responds with a
361	"401 Unauthorized" status code, and a WWW-Authenticate header as per the
362	framework defined above, which for the digest scheme is utilized as
363	follows:

365	     challenge        =  "Digest" digest-challenge

367	     digest-challenge  = 1#( realm | [ domain ] | nonce |
368	                         [ opaque ] |[ stale ] | [ algorithm ] |
369	                         [ qop-options ] | [auth-param] )

371	     domain            = "domain" "=" <"> URI ( 1*SP URI ) <">
372	     URI               = absoluteURI | abs_path
373	     nonce             = "nonce" "=" nonce-value
374	     nonce-value       = quoted-string
375	     opaque            = "opaque" "=" quoted-string
376	     stale             = "stale" "=" ( "true" | "false" )
377	     algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" |
378	                          token )
379	     qop-options       = "qop" "=" <"> 1#qop-value <">
380	     qop-value         = "auth" | "auth-int" | token

382	The meanings of the values of the directives used above are as follows:

384	realm
385	  A string to be displayed to users so they know which username and
386	  password to use. This string should contain at least the name of the
387	  host performing the authentication and might additionally indicate
388	  the collection of users who might have access. An example might be
389	  "registered_users@gotham.news.com".

391	domain
392	  A quoted, space-separated list of URIs, as specified in RFC XURI [7],
393	  that define the protection space.  If a URI is an abs_path, it is
394	  relative to the canonical root URL (see section 1.2 above) of the
395	  server being accessed. An absoluteURI in this list may refer to a
396	  different server than the one being accessed. The client can use this
397	  list to determine the set of URIs for which the same authentication
398	  information may be sent: any URI that has a URI in this list as a
399	  prefix (after both have been made absolute) may be assumed to be in
400	INTERNET-DRAFT      HTTP Authentication            09/02/98

402	  the same protection space. If this directive is omitted or its value
403	  is empty, the client should assume that the protection space consists
404	  of all URIs on the responding server. This directive is not
405	  meaningful in Proxy-Authenticate headers, for which the protection
406	  space is always the entire proxy; if present it should be ignored.

408	nonce
409	  A server-specified data string which should be uniquely generated
410	  each time a 401 response is made. It is recommended that this string
411	  be base64 or hexadecimal data. Specifically, since the string is
412	  passed in the header lines as a quoted string, the double-quote
413	  character is not allowed.

415	  The contents of the nonce are implementation dependent. The quality
416	  of the implementation depends on a good choice. A nonce might, for
417	  example, be constructed as the base 64 encoding of

419	      time-stamp H(time-stamp ":" ETag ":" private-key)

421	  where time-stamp is a server-generated time or other non-repeating
422	  value, ETag is the value of the HTTP ETag header associated with the
423	  requested entity, and private-key is data known only to the server.
424	  With a nonce of this form a server would recalculate the hash portion
425	  after receiving the client authentication header and reject the
426	  request if it did not match the nonce from that header or if the
427	  time-stamp value is not recent enough. In this way the server can
428	  limit the time of the nonce's validity. The inclusion of the ETag
429	  prevents a replay request for an updated version of the resource.
430	  (Note: including the IP address of the client in the nonce would
431	  appear to offer the server the ability to limit the reuse of the
432	  nonce to the same client that originally got it. However, that would
433	  break proxy farms, where requests from a single user often go through
434	  different proxies in the farm. Also, IP address spoofing is not that
435	  hard.)

437	  An implementation might choose not to accept a previously used nonce
438	  or a previously used digest, in order to protect against a replay
439	  attack. Or, an implementation might choose to use one-time nonces or
440	  digests for POST or PUT requests and a time-stamp for GET requests.
441	  For more details on the issues involved see section 4. of this
442	  document.

444	  The nonce is opaque to the client.

446	opaque
447	  A string of data, specified by the server, which should be returned
448	  by the client unchanged in the Authorization header of subsequent
449	  requests with URIs in the same protection space. It is recommended
450	  that this string be base64 or hexadecimal data.

452	stale
453	  A flag, indicating that the previous request from the client was
454	  rejected because the nonce value was stale. If stale is TRUE (case-
455	  insensitive), the client may wish to simply retry the request with a
456	  new encrypted response, without reprompting the user for a new
457	INTERNET-DRAFT      HTTP Authentication            09/02/98

459	  username and password. The server should only set stale to TRUE if it
460	  receives a request for which the nonce is invalid but with a valid
461	  digest for that nonce (indicating that the client knows the correct
462	  username/password). If stale is FALSE, or anything other than TRUE,
463	  or the stale directive is not present, the username and/or password
464	  are invalid, and new values must be obtained.

466	algorithm
467	  A string indicating a pair of algorithms used to produce the digest
468	  and a checksum. If this is not present it is assumed to be "MD5". If
469	  the algorithm is not understood, the challenge should be ignored (and
470	  a different one used, if there is more than one).

472	  In this document the string obtained by applying the digest algorithm
473	  to the data "data" with secret "secret" will be denoted by KD(secret,
474	  data), and the string obtained by applying the checksum algorithm to
475	  the data "data" will be denoted H(data). The notation unq(X) means
476	  the value of the quoted-string X without the surrounding quotes.

478	  For the "MD5" and "MD5-sess" algorithms

480	      H(data) = MD5(data)

482	  and

484	      KD(secret, data) = H(concat(secret, ":", data))

486	  i.e., the digest is the MD5 of the secret concatenated with a
487	  colon concatenated with the data. The "MD5-sess" algorithm is
488	  intended to allow efficient 3rd party authentication servers;
489	  for the difference in usage, see the description in section
490	  3.2.2.2.

492	qop-options
493	  This directive is optional, but is made so only for backward
494	  compatibility with RFC 2069 [6]; it SHOULD be used by all
495	  implementations compliant with this version of the Digest scheme.
496	  If present, it is a quoted string of one or more tokens indicating
497	  the "quality of protection" values supported by the server.  The
498	  value "auth" indicates authentication; the value "auth-int" indicates
499	  authentication with integrity protection; see the descriptions below
500	  for calculating the response directive value for the application of
501	  this choice. Unrecognized options MUST be ignored.

503	auth-param
504	  This directive allows for future extensions. Any unrecognized
505	  directive MUST be ignored.

507	3.2.2 The Authorization Request Header

509	The client is expected to retry the request, passing an
510	Authorization header line, which is defined according to the
511	framework above, utilized as follows.

513	    credentials      = "Digest" digest-response
514	INTERNET-DRAFT      HTTP Authentication            09/02/98

516	    digest-response  = 1#( username | realm | nonce | digest-uri
517	                    | response | [ algorithm ] | [cnonce] |
518	                    [opaque] | [message-qop] |
519	                        [nonce-count]  | [auth-param] )

521	    username         = "username" "=" username-value
522	    username-value   = quoted-string
523	    digest-uri       = "uri" "=" digest-uri-value
524	    digest-uri-value = request-uri   ; As specified by HTTP/1.1
525	    message-qop      = "qop" "=" qop-value
526	    cnonce           = "cnonce" "=" cnonce-value
527	    cnonce-value     = nonce-value
528	    nonce-count      = "nc" "=" nc-value
529	    nc-value         = 8LHEX
530	    response         = "response" "=" request-digest
531	    request-digest = <"> 32LHEX <">
532	    LHEX             =  "0" | "1" | "2" | "3" |
533	                        "4" | "5" | "6" | "7" |
534	                        "8" | "9" | "a" | "b" |
535	                        "c" | "d" | "e" | "f"

537	The values of the opaque and algorithm fields must be those
538	supplied in the WWW-Authenticate response header for the entity
539	being requested.

541	response
542	  A string of 32 hex digits computed as defined below, which proves
543	  that the user knows a password

545	username
546	  The user's name in the specified realm.

548	digest-uri
549	  The URI from Request-URI of the Request-Line; duplicated here because
550	  proxies are allowed to change the Request-Line in transit.

552	qop
553	  Indicates what "quality of protection" the client has applied to the
554	  message. If present, its value MUST be one of the alternatives the
555	  server indicated it supports in the WWW-Authenticate header. These
556	  values affect the computation of the request-digest. Note that this
557	  is a single token, not a quoted list of alternatives as in WWW-
558	  Authenticate.  This directive is optional in order to preserve
559	  backward compatibility with a minimal implementation of RFC 2069 [6],
560	  but SHOULD be used if the server indicated that qop is supported by
561	  providing a qop directive in the WWW-Authenticate header field.

563	cnonce
564	  This MUST be specified if a qop directive is sent (see above), and
565	  MUST NOT be specified if the server did not send a qop directive in
566	  the WWW-Authenticate header field.  The cnonce-value is an opaque
567	  quoted string value provided by the client and used by both client
568	INTERNET-DRAFT      HTTP Authentication            09/02/98

570	  and server to avoid chosen plaintext attacks, to provide mutual
571	  authentication, and to provide some message integrity protection.
572	  See the descriptions below of the calculation of the response-digest
573	  and request-digest values.

575	nonce-count
576	  This MUST be specified if a qop directive is sent (see above), and
577	  MUST NOT be specified if the server did not send a qop directive in
578	  the WWW-Authenticate header field.  The nc-value is the hexadecimal
579	  count of the number of requests (including the current request) that
580	  the client has sent with the nonce value in this request.  For
581	  example, in the first request sent in response to a given nonce
582	  value, the client sends "nc=00000001".  The purpose of this directive
583	  is to allow the server to detect request replays by maintaining its
584	  own copy of this count - if the same nc-value is seen twice, then the
585	  request is a replay.   See the description below of the construction
586	  of the request-digest value.

588	auth-param
589	  This directive allows for future extensions. Any unrecognized
590	  directive MUST be ignored.

592	If a directive or its value is improper, or required directives
593	are missing, the proper response is 400 Bad Request. If the
594	request-digest is invalid, then a login failure should be logged,
595	since repeated login failures from a single client may indicate
596	an attacker attempting to guess passwords.

598	The definition of request-digest above indicates the encoding for
599	its value. The following definitions show how the value is
600	computed.

602	3.2.2.1 Request-Digest

604	If the "qop" value is "auth" or "auth-int":

606	   request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
607	                                       ":" nc-value
608	                                       ":" unq(cnonce-value)
609	                                       ":" unq(qop-value)
610	                                       ":" H(A2)
611	                               ) <">

613	If the "qop" directive is not present (this construction is for
614	compatibility with RFC 2069):

616	   request-digest  =
617	              <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) >
618	<">

620	See below for the definitions for A1 and A2.

622	3.2.2.2 A1
623	INTERNET-DRAFT      HTTP Authentication            09/02/98

625	If the "algorithm" directive's value is "MD5" or is unspecified, then A1
626	is:

628	   A1       = unq(username-value) ":" unq(realm-value) ":" passwd

630	where

632	   passwd   = < user's password >

634	If the "algorithm" directive's value is "MD5-sess", then A1 is
635	calculated only once - on the first request by the client
636	following receipt of a WWW-Authenticate challenge from the
637	server.  It uses the server nonce from that challenge, and the
638	first client nonce value to construct A1 as follows:

640	   A1       = H( unq(username-value) ":" unq(realm-value)
641	                  ":" passwd )
642	                  ":" unq(nonce-value) ":" unq(cnonce-value)

644	This creates a 'session key' for the authentication of subsequent
645	requests and responses which is different for each "authentication
646	session", thus limiting the amount of material hashed with any one key.
647	(Note: see further discussion of the authentication session in section
648	3.3.) Because the server need only use the hash of the user credentials
649	in order to create the A1 value, this construction could be used in
650	conjunction with a third party authentication service so that the web
651	server would not need the actual password value.  The specification of
652	such a protocol is beyond the scope of this specification.

654	3.2.2.3 A2

656	If the "qop" directive's value is "auth" or is unspecified, then A2 is:

658	   A2       = Method ":" digest-uri-value

660	If the "qop" value is "auth-int", then A2 is:

662	   A2       = Method ":" digest-uri-value ":" H(entity-body)

664	3.2.2.4 Directive values and quoted-string

666	Note that the value of many of the directives, such as "username-
667	value", are defined as a "quoted-string". However, the "unq"
668	notation indicates that surrounding quotation marks are removed
669	in forming the string A1. Thus if the Authorization header
670	includes the fields

672	  username="Mufasa", realm=myhost@testrealm.com

674	and the user Mufasa has password "Circle Of Life" then H(A1)
675	would be H(Mufasa:myhost@testrealm.com:Circle Of Life) with no
676	quotation marks in the digested string.

678	INTERNET-DRAFT      HTTP Authentication            09/02/98

680	No white space is allowed in any of the strings to which the
681	digest function H() is applied unless that white space exists in
682	the quoted strings or entity body whose contents make up the
683	string to be digested. For example, the string A1 illustrated
684	above must be

686	     Mufasa:myhost@testrealm.com:Circle Of Life

688	with no white space on either side of the colons, but with the
689	white space between the words used in the password value.
690	Likewise, the other strings digested by H() must not have white
691	space on either side of the colons which delimit their fields
692	unless that white space was in the quoted strings or entity body
693	being digested.

695	Also note that if integrity protection is applied (qop=auth-int), the
696	H(entity-body) is the hash of the entity body, not the message body - it
697	is computed before any transfer encoding is applied by the sender and
698	after it has been removed by the recipient. Note that this includes
699	multipart boundaries and embedded headers in each part of any multipart
700	content-type.

702	3.2.2.5 Various considerations

704	The "Method" value is the HTTP request method as specified in
705	section 5.1.1 of [2]. The "request-uri" value is the Request-URI
706	from the request line as specified in section 5.1.2 of [2]. This
707	may be "*", an "absoluteURL" or an "abs_path" as specified in
708	section 5.1.2 of [2], but it MUST agree with the Request-URI. In
709	particular, it MUST be an "absoluteURL" if the Request-URI is an
710	"absoluteURL". The "cnonce-value" is an optional  client-chosen
711	value whose purpose is to foil chosen plaintext attacks.

713	The authenticating server must assure that the resource
714	designated by the "uri" directive is the same as the resource
715	specified in the Request-Line; if they are not, the server SHOULD
716	return a 400 Bad Request error. (Since this may be a symptom of
717	an attack, server implementers may want to consider logging such
718	errors.) The purpose of duplicating information from the request
719	URL in this field is to deal with the possibility that an
720	intermediate proxy may alter the client's Request-Line. This
721	altered (but presumably semantically equivalent) request would
722	not result in the same digest as that calculated by the client.

724	Implementers should be aware of how authenticated transactions
725	interact with shared caches. The HTTP/1.1 protocol specifies that
726	when a shared cache (see section 13.7 of [2]) has received a
727	request containing an Authorization header and a response from
728	relaying that request, it MUST NOT return that response as a
729	reply to any other request, unless one of two Cache-Control (see
730	section 14.9 of [2]) directives was present in the response. If
731	the original response included the "must-revalidate" Cache-
732	Control directive, the cache MAY use the entity of that response
733	in replying to a subsequent request, but MUST first revalidate it
734	with the origin server, using the request headers from the new
735	INTERNET-DRAFT      HTTP Authentication            09/02/98

737	request to allow the origin server to authenticate the new
738	request. Alternatively, if the original response included the
739	"public" Cache-Control directive, the response entity MAY be
740	returned in reply to any subsequent request.

742	3.2.3 The Authentication-Info Header

744	The Authentication-Info header is used by the server to
745	communicate some information regarding the successful
746	authentication in the response.

748	     AuthenticationInfo = "Authentication-Info" ":" auth-info
749	     auth-info          = 1#(nextnonce | [ message-qop ]
750	                            | [ response-auth ] | [ cnonce ]
751	                            | [nonce-count] )
752	     nextnonce          = "nextnonce" "=" nonce-value
753	     response-auth      = "rspauth" "=" response-digest
754	     response-digest    = <"> *LHEX <">

756	The value of the nextnonce directive is the nonce the server
757	wishes the client to use for a future authentication response.
758	The server may send the Authentication-Info header with a
759	nextnonce field as a means of implementing one-time or otherwise
760	changing  nonces. If the nextnonce field is present the client
761	SHOULD use it when constructing the Authorization header for its
762	next request. Failure of the client to do so may result in a
763	request to re-authenticate from the server with the "stale=TRUE".

765	  Server implementations should carefully consider the
766	  performance implications of the use of this mechanism;
767	  pipelined requests will not be possible if every response
768	  includes a nextnonce directive that must be used on the next
769	  request received by the server.  Consideration should be given
770	  to the performance vs. security tradeoffs of allowing an old
771	  nonce value to be used for a limited time to permit request
772	  pipelining.  Use of the nonce-count can retain most of the
773	  security advantages of a new server nonce without the
774	  deleterious affects on pipelining.

776	message-qop
777	   Indicates the "quality of protection" options applied to the
778	  response by the server.  The value "auth" indicates authentication;
779	  the value "auth-int" indicates authentication with integrity
780	  protection. The server SHOULD use the same value for the message-qop
781	  directive in the response as was sent by the client in the
782	  corresponding request.

784	The optional response digest in the "response-auth" directive
785	supports mutual authentication -- the server proves that it knows
786	the user's secret, and with qop=auth-int also provides limited
787	integrity protection of the response. The "response-digest" value
788	is calculated as for the "request-digest" in the Authorization
789	header, except that if "qop=auth" or is not specified in the
790	Authorization header for the request, A2 is
791	INTERNET-DRAFT      HTTP Authentication            09/02/98

793	   A2       = ":" digest-uri-value

795	and if "qop=auth-int", then A2 is

797	   A2       = ":" digest-uri-value ":" H(entity-body)

799	where "digest-uri-value" is the value of the "uri" directive on the
800	Authorization header in the request. The "cnonce-value" and "nc-value"
801	MUST be the ones for the client request to which this message is the
802	response. The "response-auth", "cnonce", and "nonce-count" directives
803	MUST BE present if "qop=auth" or "qop=auth-int" is specified.

805	The Authentication-Info header is allowed in the trailer of an
806	HTTP message transferred via chunked transfer-coding.

808	3.3 Digest Operation

810	Upon receiving the Authorization header, the server may check its
811	validity by looking up the password that corresponds to the
812	submitted username. Then, the server must perform the same digest
813	operation (e.g., MD5) performed by the client, and compare the
814	result to the given request-digest value.

816	Note that the HTTP server does not actually need to know the
817	user's cleartext password. As long as H(A1) is available to the
818	server, the validity of an Authorization header may be verified.

820	The client response to a WWW-Authenticate challenge for a
821	protection space starts an authentication session with that
822	protection space. The authentication session lasts until the
823	client receives another WWW-Authenticate challenge from any
824	server in the protection space. A client should remember the
825	username, password, nonce, nonce count and opaque values
826	associated with an authentication session to use to construct the
827	Authorization header in future requests within that protection
828	space. The Authorization header may be included preemptively;
829	doing so improves server efficiency and avoids extra round trips
830	for authentication challenges. The server may choose to accept
831	the old Authorization header information, even though the nonce
832	value included might not be fresh. Alternatively, the server may
833	return a 401 response with a new nonce value, causing the client
834	to retry the request; by specifying stale=TRUE with this
835	response, the server tells the client to retry with the new
836	nonce, but without prompting for a new username and password.

838	Because the client is required to return the value of the opaque
839	directive given to it by the server for the duration of a
840	session, the opaque data may be used to transport authentication
841	session state information. (Note that any such use can also be
842	accomplished more easily and safely by including the state in the
843	nonce.) For example, a server could be responsible for
844	authenticating content that actually sits on another server. It
845	would achieve this by having the first 401 response include a
846	domain directive whose value includes a URI on the second server,
847	and an opaque directive whose value contains the state
848	information. The client will retry the request, at which time the
849	INTERNET-DRAFT      HTTP Authentication            09/02/98

851	server might respond with a 301/302 redirection, pointing to the
852	URI on the second server. The client will follow the redirection,
853	and pass an Authorization header , including the <opaque> data.

855	As with the basic scheme, proxies must be completely transparent
856	in the Digest access authentication scheme. That is, they must
857	forward the WWW-Authenticate, Authentication-Info and
858	Authorization headers untouched. If a proxy wants to authenticate
859	a client before a request is forwarded to the server, it can be
860	done using the Proxy-Authenticate and Proxy-Authorization headers
861	described in section 3.6 below.

863	3.4 Security Protocol Negotiation

865	It is useful for a server to be able to know which security
866	schemes a client is capable of handling.

868	It is possible that a server may want to require Digest as its
869	authentication method, even if the server does not know that the
870	client supports it. A client is encouraged to fail gracefully if
871	the server specifies only authentication schemes it cannot
872	handle.

874	3.5 Example

876	The following example assumes that an access-protected document
877	is being requested from the server via a GET request. The URI of
878	the document is "http://www.nowhere.org/dir/index.html". Both
879	client and server know that the username for this document is
880	"Mufasa", and the password is "Circle Of Life" (with one space
881	between each of the three words).

883	The first time the client requests the document, no Authorization
884	header is sent, so the server responds with:

886	      HTTP/1.1 401 Unauthorized
887	      WWW-Authenticate: Digest
888	              realm="testrealm@host.com",
889	              qop="auth,auth-int",
890	              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
891	              opaque="5ccc069c403ebaf9f0171e9517f40e41"

893	The client may prompt the user for the username and password,
894	after which it will respond with a new request, including the
895	following Authorization header:

897	      Authorization: Digest username="Mufasa",
898	              realm="testrealm@host.com",
899	              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
900	              uri="/dir/index.html",
901	              qop=auth,
902	              nc=00000001,
903	              cnonce="0a4f113b",
904	              response="6629fae49393a05397450978507c4ef1",
905	              opaque="5ccc069c403ebaf9f0171e9517f40e41"
906	INTERNET-DRAFT      HTTP Authentication            09/02/98

908	3.6 Proxy-Authentication and Proxy-Authorization

910	The digest authentication scheme may also be used for
911	authenticating users to proxies, proxies to proxies, or proxies
912	to origin servers by use of the Proxy-Authenticate and Proxy-
913	Authorization headers. These headers are instances of the Proxy-
914	Authenticate and Proxy-Authorization headers specified in
915	sections 10.33 and 10.34 of the HTTP/1.1 specification [2] and
916	their behavior is subject to restrictions described there. The
917	transactions for proxy authentication are very similar to those
918	already described. Upon receiving a request which requires
919	authentication, the proxy/server must issue the "407 Proxy
920	Authentication Required" response with a "Proxy-Authenticate"
921	header.  The digest-challenge used in the Proxy-Authenticate
922	header is the same as that for the WWW-Authenticate header as
923	defined above in section 3.2.1.

925	The client/proxy must then re-issue the request with a Proxy-
926	Authorization header, with directives as specified for the Authorization
927	header in section 3.2.2 above.

929	On subsequent responses, the server sends Proxy-Authentication-Info with
930	directives the same as those for the Authentication-Info header field.

932	Note that in principle a client could be asked to authenticate
933	itself to both a proxy and an end-server, but never in the same
934	response.

936	4 Security Considerations

938	4.1 Authentication of Clients using Basic Authentication

940	The Basic authentication scheme is not a secure method of user
941	authentication, nor does it in any way protect the entity, which is
942	transmitted in cleartext across the physical network used as the
943	carrier. HTTP does not prevent additional authentication schemes and
944	encryption mechanisms from being employed to increase security or the
945	addition of enhancements (such as schemes to use one-time passwords) to
946	Basic authentication.

948	The most serious flaw in Basic authentication is that it results in the
949	essentially cleartext transmission of the user's password over the
950	physical network. It is this problem which Digest Authentication
951	attempts to address.

953	Because Basic authentication involves the cleartext transmission of
954	passwords it SHOULD NOT be used (without enhancements) to protect
955	sensitive or valuable information.

957	A common use of Basic authentication is for identification purposes --
958	requiring the user to provide a user name and password as a means of
959	identification, for example, for purposes of gathering accurate usage
960	statistics on a server. When used in this way it is tempting to think
961	that there is no danger in its use if illicit access to the protected
962	documents is not a major concern. This is only correct if the server
963	INTERNET-DRAFT      HTTP Authentication            09/02/98

965	issues both user name and password to the users and in particular does
966	not allow the user to choose his or her own password. The danger arises
967	because naive users frequently reuse a single password to avoid the task
968	of maintaining multiple passwords.

970	If a server permits users to select their own passwords, then the threat
971	is not only unauthorized access to documents on the server but also
972	unauthorized access to any other resources on other systems that the
973	user protects with the same password. Furthermore, in the server's
974	password database, many of the passwords may also be users' passwords
975	for other sites. The owner or administrator of such a system could
976	therefore expose all users of the system to the risk of unauthorized
977	access to all those sites if this information is not maintained in a
978	secure fashion.

980	Basic Authentication is also vulnerable to spoofing by counterfeit
981	servers. If a user can be led to believe that he is connecting to a host
982	containing information protected by Basic authentication when, in fact,
983	he is connecting to a hostile server or gateway, then the attacker can
984	request a password, store it for later use, and feign an error. This
985	type of attack is not possible with Digest Authentication. Server
986	implementers SHOULD guard against the possibility of this sort of
987	counterfeiting by gateways or CGI scripts. In particular it is very
988	dangerous for a server to simply turn over a connection to a gateway.
989	That gateway can then use the persistent connection mechanism to engage
990	in multiple transactions with the client while impersonating the
991	original server in a way that is not detectable by the client.

993	4.2 Authentication of Clients using Digest Authentication

995	Digest Authentication does not provide a strong authentication
996	mechanism, when compared to public key based mechanisms, for
997	example. However, it is significantly stronger than (e.g.) CRAM-
998	MD5, which has been proposed for use with LDAP [10], POP and IMAP
999	(see RFC 2195 [9]).  It is intended to replace the much weaker
1000	and even more dangerous Basic mechanism.

1002	Digest Authentication offers no confidentiality protection beyond
1003	protecting the actual password. All of the rest of the request
1004	and response are available to an eavesdropper.

1006	Digest Authentication offers only limited integrity protection
1007	for the messages in either direction. If  qop=auth-int mechanism
1008	is used, those parts of the message used in the calculation of
1009	the WWW-Authenticate and Authorization header field response
1010	directive values (see section 3.2 above) are  protected.  Most
1011	header fields and their values could be modified as a part of a
1012	man-in-the-middle attack.

1014	Many needs for secure HTTP transactions cannot be met by Digest
1015	Authentication. For those needs TLS or SHTTP are more appropriate
1016	protocols. In particular Digest authentication cannot be used for
1017	any transaction requiring confidentiality protection.
1018	Nevertheless many functions remain for which Digest
1019	authentication is both useful and appropriate.  Any service in
1020	INTERNET-DRAFT      HTTP Authentication            09/02/98

1022	present use that uses Basic should be switched to Digest as soon
1023	as practical.

1025	4.3 Limited Use Nonce Values

1027	The Digest scheme uses a server-specified nonce to seed the generation
1028	of the request-digest value (as specified in section 3.2.2.1 above).  As
1029	shown in the example nonce in section 3.2.1, the server is free to
1030	construct the nonce such that it may only be used from a particular
1031	client, for a particular resource, for a limited period of time or
1032	number of uses, or any other restrictions.  Doing so strengthens the
1033	protection provided against, for example, replay attacks (see 4.5).
1034	However, it should be noted that the method chosen for generating and
1035	checking the nonce also has performance and resource implications.  For
1036	example, a server may choose to allow each nonce value to be used only
1037	once by maintaining a record of whether or not each recently issued
1038	nonce has been returned and sending a next-nonce directive in the
1039	Authentication-Info header field of every response. This protects
1040	against even an immediate replay attack, but has a high cost checking
1041	nonce values, and perhaps more important will cause authentication
1042	failures for any pipelined requests (presumably returning a stale nonce
1043	indication).  Similarly, incorporating a request-specific element such
1044	as the Etag value for a resource limits the use of the nonce to that
1045	version of the resource and also defeats pipelining. Thus it may be
1046	useful to do so for methods with side effects but have unacceptable
1047	performance for those that do not.

1049	4.4 Comparison of Digest with Basic Authentication

1051	Both Digest and Basic Authentication are very much on the weak
1052	end of the security strength spectrum. But a comparison between
1053	the two points out the utility, even necessity, of replacing
1054	Basic by Digest.

1056	The greatest threat to the type of transactions for which these
1057	protocols are used is network snooping. This kind of transaction
1058	might involve, for example, online access to a database whose use
1059	is restricted to paying subscribers. With Basic authentication an
1060	eavesdropper can obtain the password of the user. This not only
1061	permits him to access anything in the database, but, often worse,
1062	will permit access to anything else the user protects with the
1063	same password.

1065	By contrast, with Digest Authentication the eavesdropper only gets
1066	access to the transaction in question and not to the user's password.
1067	The information gained by the eavesdropper would permit a replay attack,
1068	but only with a request for the same document, and even that may be
1069	limited by the server's choice of nonce.

1071	4.5 Replay Attacks

1073	A replay attack against Digest authentication would usually be
1074	pointless for a simple GET request since an eavesdropper would
1075	already have seen the only document he could obtain with a
1076	replay. This is because the URI of the requested document is
1077	digested in the client request and the server will only deliver
1078	INTERNET-DRAFT      HTTP Authentication            09/02/98

1080	that document. By contrast under Basic Authentication once the
1081	eavesdropper has the user's password, any document protected by
1082	that password is open to him.

1084	Thus, for some purposes, it is necessary to protect against
1085	replay attacks. A good Digest implementation can do this in
1086	various ways. The server created "nonce" value is implementation
1087	dependent, but if it contains a digest of the client IP, a time-
1088	stamp, the resource ETag, and a private server key (as
1089	recommended above) then a replay attack is not simple. An
1090	attacker must convince the server that the request is coming from
1091	a false IP address and must cause the server to deliver the
1092	document to an IP address different from the address to which it
1093	believes it is sending the document. An attack can only succeed
1094	in the period before the time-stamp expires. Digesting the client
1095	IP and time-stamp in the nonce permits an implementation which
1096	does not maintain state between transactions.

1098	For applications where no possibility of replay attack can be
1099	tolerated the server can use one-time nonce values which will not
1100	be honored for a second use. This requires the overhead of the
1101	server remembering which nonce values have been used until the
1102	nonce time-stamp (and hence the digest built with it) has
1103	expired, but it effectively protects against replay attacks.

1105	An implementation must give special attention to the possibility
1106	of replay attacks with POST and PUT requests. Unless the server
1107	employs one-time or otherwise limited-use nonces and/or insists
1108	on the use of the integrity protection of qop=auth-int, an
1109	attacker could replay valid credentials from a successful request
1110	with counterfeit form data or other message body. Even with the
1111	use of integrity protection most metadata in header fields is not
1112	protected. Proper nonce generation and checking provides some
1113	protection against replay of previously used valid credentials,
1114	but see 4.8.

1116	4.6 Weakness Created by Multiple Authentication Schemes

1118	An HTTP/1.1 server may return multiple challenges with a 401
1119	(Authenticate) response, and each challenge may use a different auth-
1120	scheme. A user agent MUST choose to use the strongest auth-scheme it
1121	understands and request credentials from the user based upon that
1122	challenge.

1124	     Note that many browsers will only recognize Basic and will require
1125	     that it be the first auth-scheme presented. Servers should only
1126	     include Basic if it is minimally acceptable.

1128	When the server offers choices of authentication schemes using the WWW-
1129	Authenticate header, the strength of the resulting authentication is
1130	only as good as that of the of the weakest of the authentication
1131	schemes. See section 4.8 below for discussion of particular attack
1132	scenarios that exploit multiple authentication schemes.

1134	INTERNET-DRAFT      HTTP Authentication            09/02/98

1136	4.7 Online dictionary attacks

1138	If the attacker can eavesdrop, then it can test any overheard
1139	nonce/response pairs against a list of common words. Such a list is
1140	usually much smaller than the total number of possible passwords. The
1141	cost of computing the response for each password on the list is paid
1142	once for each challenge.

1144	The server can mitigate this attack by not allowing users to select
1145	passwords that are in a dictionary.

1147	4.8 Man in the Middle

1149	Both Basic and Digest authentication are vulnerable to "man in the
1150	middle" (MITM) attacks, for example, from a hostile or compromised
1151	proxy. Clearly, this would present all the problems of eavesdropping.
1152	But it also offers some additional opportunities to the attacker.

1154	A possible man-in-the-middle attack would be to add a weak
1155	authentication scheme to the set of choices, hoping that the client will
1156	use one that exposes the user's credentials (e.g. password). For this
1157	reason, the client should always use the strongest scheme that it
1158	understands from the choices offered.

1160	An even better MITM attack would be to remove all offered choices,
1161	replacing them with a challenge that requests only Basic authentication,
1162	then uses the cleartext credentials from the Basic authentication to
1163	authenticate to the origin server using the stronger scheme it
1164	requested. A particularly insidious way to mount such a MITM attack
1165	would be to offer a "free" proxy caching service to gullible users.

1167	User agents should consider measures such as presenting a visual
1168	indication at the time of the credentials request of what authentication
1169	scheme is to be used, or remembering the strongest authentication scheme
1170	ever requested by a server and produce a warning message before using a
1171	weaker one. It might also be a good idea for the user agent to be
1172	configured to demand Digest authentication in general, or from specific
1173	sites.

1175	Or, a hostile proxy might spoof the client into making a request the
1176	attacker wanted rather than one the client wanted. Of course, this is
1177	still much harder than a comparable attack against Basic Authentication.

1179	4.9 Chosen plaintext attacks

1181	With Digest authentication, a MITM or a malicious server can arbitrarily
1182	choose the nonce that the client will use to compute the response. This
1183	is called a "chosen plaintext" attack. The ability to choose the nonce
1184	is known to make cryptanalysis much easier [8].

1186	However, no way to analyze the MD5 one-way function used by Digest using
1187	chosen plaintext is currently known.

1189	The countermeasure against this attack is for clients to be configured
1190	to require the use of the optional "cnonce" directive; this allows the
1191	INTERNET-DRAFT      HTTP Authentication            09/02/98

1193	client to vary the input to the hash in a way not chosen by the
1194	attacker.

1196	4.10 Precomputed dictionary attacks

1198	With Digest authentication, if the attacker can execute a chosen
1199	plaintext attack, the attacker can precompute the response for many
1200	common words to a nonce of its choice, and store a dictionary of
1201	(response, password) pairs. Such precomputation can often be done in
1202	parallel on many machines. It can then use the chosen plaintext attack
1203	to acquire a response corresponding to that challenge, and just look up
1204	the password in the dictionary. Even if most passwords are not in the
1205	dictionary, some might be. Since the attacker gets to pick the
1206	challenge, the cost of computing the response for each password on the
1207	list can be amortized over finding many passwords. A dictionary with 100
1208	million password/response pairs would take about 3.2 gigabytes of disk
1209	storage.

1211	The countermeasure against this attack is to for clients to be
1212	configured to require the use of the optional "cnonce" directive.

1214	4.11 Batch brute force attacks

1216	With Digest authentication, a MITM can execute a chosen plaintext
1217	attack, and can gather responses from many users to the same nonce. It
1218	can then find all the passwords within any subset of password space that
1219	would generate one of the nonce/response pairs in a single pass over
1220	that space. It also reduces the time to find the first password by a
1221	factor equal to the number of nonce/response pairs gathered. This search
1222	of the password space can often be done in parallel on many machines,
1223	and even a single machine can search large subsets of the password space
1224	very quickly -- reports exist of searching all passwords with six or
1225	fewer letters in a few hours.

1227	The countermeasure against this attack is to for clients to be
1228	configured to require the use of the optional "cnonce" directive.

1230	4.12 Spoofing by Counterfeit Servers

1232	Basic Authentication is vulnerable to spoofing by counterfeit servers.
1233	If a user can be led to believe that she is connecting to a host
1234	containing information protected by a password she knows, when in fact
1235	she is connecting to a hostile server, then the hostile server can
1236	request a password, store it away for later use, and feign an error.
1237	This type of attack is more difficult with Digest Authentication -- but
1238	the client must know to demand that Digest authentication be used,
1239	perhaps using some of the techniques described above to counter "man-in-
1240	the-middle" attacks.  Again, the user can be helped in detecting this
1241	attack by a visual indication of the authentication mechanism in use
1242	with appropriate guidance in interpreting the implications of each
1243	scheme.

1245	4.13 Storing passwords

1247	Digest authentication requires that the authenticating agent (usually
1248	the server) store some data derived from the user's name and password in
1249	INTERNET-DRAFT      HTTP Authentication            09/02/98

1251	a "password file" associated with a given realm. Normally this might
1252	contain pairs consisting of username and H(A1), where H(A1) is the
1253	digested value of the username, realm, and password as described above.

1255	The security implications of this are that if this password file is
1256	compromised, then an attacker gains immediate access to documents on the
1257	server using this realm. Unlike, say a standard UNIX password file, this
1258	information need not be decrypted in order to access documents in the
1259	server realm associated with this file. On the other hand, decryption,
1260	or more likely a brute force attack, would be necessary to obtain the
1261	user's password. This is the reason that the realm is part of the
1262	digested data stored in the password file. It means that if one Digest
1263	authentication password file is compromised, it does not automatically
1264	compromise others with the same username and password (though it does
1265	expose them to brute force attack).

1267	There are two important security consequences of this. First the
1268	password file must be protected as if it contained unencrypted
1269	passwords, because for the purpose of accessing documents in its realm,
1270	it effectively does.

1272	A second consequence of this is that the realm string should be unique
1273	among all realms which any single user is likely to use. In particular a
1274	realm string should include the name of the host doing the
1275	authentication. The inability of the client to authenticate the server
1276	is a weakness of Digest Authentication.

1278	4.14 Summary

1280	By modern cryptographic standards Digest Authentication is weak. But for
1281	a large range of purposes it is valuable as a replacement for Basic
1282	Authentication. It remedies some, but not all, weaknesses of Basic
1283	Authentication. Its strength may vary depending on the implementation.
1284	In particular the structure of the nonce (which is dependent on the
1285	server implementation) may affect the ease of mounting a replay attack.
1286	A range of server options is appropriate since, for example, some
1287	implementations may be willing to accept the server overhead of one-time
1288	nonces or digests to eliminate the possibility of replay. Others may
1289	satisfied with a nonce like the one recommended above restricted to a
1290	single IP address and a single ETag or with a limited lifetime.

1292	The bottom line is that *any* compliant implementation will be
1293	relatively weak by cryptographic standards, but *any* compliant
1294	implementation will be far superior to Basic Authentication.

1296	5 Sample implementation

1298	The following code implements the calculations of H(A1), H(A2), request-
1299	digest and response-digest, and a test program which computes the values
1300	used in the example of section 3.5. It uses the MD5 implementation from
1301	RFC 1321.

1303	File "digcalc.h":

1305	#define HASHLEN 16
1306	INTERNET-DRAFT      HTTP Authentication            09/02/98

1308	typedef char HASH[HASHLEN];
1309	#define HASHHEXLEN 32
1310	typedef char HASHHEX[HASHHEXLEN+1];
1311	#define IN
1312	#define OUT

1314	/* calculate H(A1) as per HTTP Digest spec */
1315	void DigestCalcHA1(
1316	    IN char * pszAlg,
1317	    IN char * pszUserName,
1318	    IN char * pszRealm,
1319	    IN char * pszPassword,
1320	    IN char * pszNonce,
1321	    IN char * pszCNonce,
1322	    OUT HASHHEX SessionKey
1323	    );

1325	/* calculate request-digest/response-digest as per HTTP Digest spec */
1326	void DigestCalcResponse(
1327	    IN HASHHEX HA1,           /* H(A1) */
1328	    IN char * pszNonce,       /* nonce from server */
1329	    IN char * pszNonceCount,  /* 8 hex digits */
1330	    IN char * pszCNonce,      /* client nonce */
1331	    IN char * pszQop,         /* qop-value: "", "auth", "auth-int" */
1332	    IN char * pszMethod,      /* method from the request */
1333	    IN char * pszDigestUri,   /* requested URL */
1334	    IN HASHHEX HEntity,       /* H(entity body) if qop="auth-int" */
1335	    OUT HASHHEX Response      /* request-digest or response-digest */
1336	    );

1338	File "digcalc.c":

1340	#include <global.h>
1341	#include <md5.h>
1342	#include <string.h>
1343	#include "digcalc.h"

1345	void CvtHex(
1346	    IN HASH Bin,
1347	    OUT HASHHEX Hex
1348	    )
1349	{
1350	    unsigned short i;
1351	    unsigned char j;

1353	    for (i = 0; i < HASHLEN; i++) {
1354	        j = (Bin[i] >> 4) & 0xf;
1355	        if (j <= 9)
1356	            Hex[i*2] = (j + '0');
1357	         else
1358	            Hex[i*2] = (j + 'a' - 10);
1359	        j = Bin[i] & 0xf;
1360	        if (j <= 9)
1361	            Hex[i*2+1] = (j + '0');
1362	         else
1363	            Hex[i*2+1] = (j + 'a' - 10);
1364	INTERNET-DRAFT      HTTP Authentication            09/02/98

1366	    };
1367	    Hex[HASHHEXLEN] = '\0';
1368	};

1370	/* calculate H(A1) as per spec */
1371	void DigestCalcHA1(
1372	    IN char * pszAlg,
1373	    IN char * pszUserName,
1374	    IN char * pszRealm,
1375	    IN char * pszPassword,
1376	    IN char * pszNonce,
1377	    IN char * pszCNonce,
1378	    OUT HASHHEX SessionKey
1379	    )
1380	{
1381	      MD5_CTX Md5Ctx;
1382	      HASH HA1;

1384	      MD5Init(&Md5Ctx);
1385	      MD5Update(&Md5Ctx, pszUserName, strlen(pszUserName));
1386	      MD5Update(&Md5Ctx, ":", 1);
1387	      MD5Update(&Md5Ctx, pszRealm, strlen(pszRealm));
1388	      MD5Update(&Md5Ctx, ":", 1);
1389	      MD5Update(&Md5Ctx, pszPassword, strlen(pszPassword));
1390	      MD5Final(HA1, &Md5Ctx);
1391	      if (stricmp(pszAlg, "md5-sess") == 0) {
1392	            MD5Init(&Md5Ctx);
1393	            MD5Update(&Md5Ctx, HA1, HASHLEN);
1394	            MD5Update(&Md5Ctx, ":", 1);
1395	            MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
1396	            MD5Update(&Md5Ctx, ":", 1);
1397	            MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
1398	            MD5Final(HA1, &Md5Ctx);
1399	      };
1400	      CvtHex(HA1, SessionKey);
1401	};

1403	/* calculate request-digest/response-digest as per HTTP Digest spec */
1404	void DigestCalcResponse(
1405	    IN HASHHEX HA1,           /* H(A1) */
1406	    IN char * pszNonce,       /* nonce from server */
1407	    IN char * pszNonceCount,  /* 8 hex digits */
1408	    IN char * pszCNonce,      /* client nonce */
1409	    IN char * pszQop,         /* qop-value: "", "auth", "auth-int" */
1410	    IN char * pszMethod,      /* method from the request */
1411	    IN char * pszDigestUri,   /* requested URL */
1412	    IN HASHHEX HEntity,       /* H(entity body) if qop="auth-int" */
1413	    OUT HASHHEX Response      /* request-digest or response-digest */
1414	    )
1415	{
1416	      MD5_CTX Md5Ctx;
1417	      HASH HA2;
1418	      HASH RespHash;
1419	       HASHHEX HA2Hex;

1421	      // calculate H(A2)
1422	INTERNET-DRAFT      HTTP Authentication            09/02/98

1424	      MD5Init(&Md5Ctx);
1425	      MD5Update(&Md5Ctx, pszMethod, strlen(pszMethod));
1426	      MD5Update(&Md5Ctx, ":", 1);
1427	      MD5Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri));
1428	      if (stricmp(pszQop, "auth-int") == 0) {
1429	            MD5Update(&Md5Ctx, ":", 1);
1430	            MD5Update(&Md5Ctx, HEntity, HASHHEXLEN);
1431	      };
1432	      MD5Final(HA2, &Md5Ctx);
1433	       CvtHex(HA2, HA2Hex);

1435	      // calculate response
1436	      MD5Init(&Md5Ctx);
1437	      MD5Update(&Md5Ctx, HA1, HASHHEXLEN);
1438	      MD5Update(&Md5Ctx, ":", 1);
1439	      MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));
1440	      MD5Update(&Md5Ctx, ":", 1);
1441	      if (*pszQop) {
1442	          MD5Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount));
1443	          MD5Update(&Md5Ctx, ":", 1);
1444	          MD5Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
1445	          MD5Update(&Md5Ctx, ":", 1);
1446	          MD5Update(&Md5Ctx, pszQop, strlen(pszQop));
1447	          MD5Update(&Md5Ctx, ":", 1);
1448	      };
1449	      MD5Update(&Md5Ctx, HA2Hex, HASHHEXLEN);
1450	      MD5Final(RespHash, &Md5Ctx);
1451	      CvtHex(RespHash, Response);
1452	};

1454	File "digtest.c":

1456	#include <stdio.h>
1457	#include "digcalc.h"

1459	void main(int argc, char ** argv) {

1461	      char * pszNonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
1462	      char * pszCNonce = "0a4f113b";
1463	      char * pszUser = "Mufasa";
1464	      char * pszRealm = "testrealm@host.com";
1465	      char * pszPass = "Circle Of Life";
1466	      char * pszAlg = "md5";
1467	      char szNonceCount[9] = "00000001";
1468	      char * pszMethod = "GET";
1469	      char * pszQop = "auth";
1470	      char * pszURI = "/dir/index.html";
1471	      HASHHEX HA1;
1472	      HASHHEX HA2 = "";
1473	      HASHHEX Response;

1475	      DigestCalcHA1(pszAlg, pszUser, pszRealm, pszPass, pszNonce,
1476	pszCNonce, HA1);
1477	      DigestCalcResponse(HA1, pszNonce, szNonceCount, pszCNonce, pszQop,
1478	       pszMethod, pszURI, HA2, Response);
1479	INTERNET-DRAFT      HTTP Authentication            09/02/98

1481	      printf("Response = %s\n", Response);
1482	};
1483	6 Acknowledgments

1485	Eric W. Sink, of AbiSource, Inc., was one of the original authors before
1486	the specification underwent substantial revision.

1488	In addition to the authors, valuable discussion instrumental in creating
1489	this document has come from Peter J. Churchyard, Ned Freed, and David M.
1490	Kristol.

1492	Jim Gettys and Larry Masinter edited this document for update.

1494	7 References

1496	[1]  Berners-Lee, T.,  Fielding, R., and H. Frystyk, "Hypertext Transfer
1497	  Protocol -- HTTP/1.0", RFC 1945, May 1996.

1499	[2]  Fielding, R.,  Gettys, J., Mogul, J. C., Frysyk, H., Masinter, L.,
1500	  Leach, P., Berners-Lee, T., " Hypertext Transfer Protocol --
1501	  HTTP/1.1",  Work In Progress of the HTTP working group, July, 1998.

1503	[3]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
1504	  1992.

1506	[4]  Freed, N., and N. Borenstein. "Multipurpose Internet Mail
1507	  Extensions (MIME) Part One: Format of Internet Message Bodies." RFC
1508	  2045, Innosoft, First Virtual, November 1996.

1510	[5]  Dierks, T. and C. Allen "The TLS Protocol, Version 1.0," Work In
1511	  Progress of the TLS working group, November, 1997.

1513	[6]  Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., Luotonen,
1514	  A., Sink, E., Stewart, L.,"An Extension to HTTP : Digest Access
1515	  Authentication." RFC 2069,  January, 1997.

1517	[7]  Berners Lee, T, Fielding, R., Masinter, L., "Uniform Resource
1518	  Identifiers (URI): Generic Syntax and Semantics," Work in Progress,
1519	  November, 1997.

1521	[8]  Kaliski, B.,Robshaw, M., "Message Authentication with MD5",
1522	CryptoBytes, Sping 1995, RSA Inc,
1523	(http://www.rsa.com/rsalabs/pubs/cryptobytes/spring95/md5.htm)

1525	[9]  Klensin, J.,Catoe, R., Krumviede, P., "IMAP/POP AUTHorize Extension
1526	for Simple Challenge/Response", September 1997.

1528	[10] Morgan, B., Alvestrand, H., Hodges, J., Wahl, M., "Authentication
1529	Methods for LDAP", 07/07/1998. Work in progress, <draft-ietf-ldapext-
1530	authmeth-02.txt>
1531	INTERNET-DRAFT      HTTP Authentication            09/02/98

1533	8 Authors' Addresses

1535	John Franks
1536	Professor of Mathematics
1537	Department of Mathematics
1538	Northwestern University
1539	Evanston, IL 60208-2730, USA

1541	EMail: john@math.nwu.edu

1543	Phillip M. Hallam-Baker
1544	Principal Consultant
1545	Verisign Inc.
1546	301 Edgewater Place
1547	Suite 210
1548	Wakefield MA 01880, USA

1550	EMail: pbaker@verisign.com

1552	Jeffery L. Hostetler
1553	Software Craftsman
1554	AbiSource, Inc.
1555	6 Dunlap Court
1556	Savoy, IL 61874

1558	EMail: jeff@AbiSource.com

1560	Scott D. Lawrence
1561	Agranat Systems, Inc.
1562	1345 Main St.
1563	Waltham, MA  02154, USA

1565	EMail: lawrence@agranat.com

1567	Paul J. Leach
1568	Microsoft Corporation
1569	1 Microsoft Way
1570	Redmond, WA 98052, USA

1572	EMail: paulle@microsoft.com

1574	Ari Luotonen
1575	Member of Technical Staff
1576	Netscape Communications Corporation
1577	501 East Middlefield Road
1578	Mountain View, CA 94043, USA

1580	EMail: luotonen@netscape.com

1582	Lawrence C. Stewart
1583	Open Market, Inc.
1584	215 First Street
1585	Cambridge, MA  02142, USA

1587	EMail: stewart@OpenMarket.com
1588	INTERNET-DRAFT      HTTP Authentication            09/02/98

1590	9 Full Copyright Statement

1592	Copyright (C) The Internet Society (1998). All Rights Reserved.

1594	This document and translations of it may be copied and furnished to
1595	others, and derivative works that comment on or otherwise explain it or
1596	assist in its implmentation may be prepared, copied, published and
1597	distributed, in whole or in part, without restriction of any kind,
1598	provided that the above copyright notice and this paragraph are included
1599	on all such copies and derivative works. However, this document itself
1600	may not be modified in any way, such as by removing the copyright notice
1601	or references to the Internet Society or other Internet organizations,
1602	except as needed for the purpose of developing Internet standards in
1603	which case the procedures for copyrights defined in the Internet
1604	Standards process must be followed, or as required to translate it into
1605	languages other than English.

1607	The limited permissions granted above are perpetual and will not be
1608	revoked by the Internet Society or its successors or assigns.

1610	This document and the information contained herein is provided on an "AS
1611	IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
1612	FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
1613	LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
1614	INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
1615	FITNESS FOR A PARTICULAR PURPOSE.