HTTP Digest Authentication Misconceptions
Purposes of the Client Nonce (cnonce)
- Prevent Chosen-Plaintext Attack
  - An attacker spoofing the server cannot choose all of the inputs to the authentication hash, because the client contributes its own random cnonce
  - Incidentally protects against sloppy (predictable or reused) nonce choices by the server
- Mutual Authentication
  - The client can check the response digest (rspauth in Authentication-Info) to verify that the server also knew the shared secret