HTTP Digest Authentication Misconceptions

• Purposes of the Client Nonce (cnonce)

  • Prevent Chosen-Plaintext Attack
    • Attacker spoofing server cannot choose all of the inputs to the authentication hash
    • Incidentally protects against sloppy nonce choices by server
  • Mutual Authentication
    • The client can check the response digest to verify that the server also knew the shared secret

Previous slide

Next slide

Back to first slide

View graphic version