idnits 2.17.1 draft-ietf-http-authentication-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-26) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 313 instances of too long lines in the document, the longest one being 148 characters in excess of 72. ** The abstract seems to contain references ([5], [6]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 118: '... which MAY be used by a server t...' RFC 2119 keyword, line 127: '...user agent. This response MUST include...' RFC 2119 keyword, line 131: '... of a client and MUST include a Proxy-...' RFC 2119 keyword, line 164: '... credentials MAY be reused for all...' RFC 2119 keyword, line 171: '... request, it SHOULD return a 401 (...' (23 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 42 has weird spacing: '...on with some ...' == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: If the value of the digest-required parameter is "true", the response to this request MUST either include the "digest" field in its Authentication-Info header or the response should be an error message indicating the server is unable or unwilling to supply this field. In the latter case the requested entity MUST not be returned as part of the response. If the digest-required parameter is not specified in the request, then its value is "false". If the value of the digest-required parameter is "false", then the "digest" attribute is OPTIONAL for the response to this request. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 21, 1997) is 9653 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: '3' is defined on line 1025, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 1945 (ref. '1') -- Possible downref: Non-RFC (?) normative reference: ref. '2' ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '3') -- Possible downref: Non-RFC (?) normative reference: ref. '5' ** Obsolete normative reference: RFC 2069 (ref. '6') (Obsoleted by RFC 2617) -- Possible downref: Non-RFC (?) normative reference: ref. '7' Summary: 14 errors (**), 0 flaws (~~), 4 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group J. Franks, Northwestern University 3 INTERNET DRAFT P. Hallam-Baker, M.I.T. 4 J. Hostetler, Spyglass, Inc. 5 P. Leach, Microsoft Corporation 6 A. Luotonen, Netscape Communications Corporation 7 E. Sink, Spyglass, Inc. 8 L. Stewart, Open Market, Inc. 9 Expires: May 21, 1998 November 21, 1997 11 HTTP Authentication: Basic and Digest Access Authentication 13 Status of this Memo 15 This document is an Internet-Draft. Internet-Drafts are working 16 documents of the Internet Engineering Task Force (IETF), its areas, and 17 its working groups. Note that other groups may also distribute working 18 documents as Internet-Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or made obsolete by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference material 23 or to cite them other than as "work in progress". 25 To learn the current status of any Internet-Draft, please check the 26 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 27 Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), 28 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or 29 ftp.isi.edu (US West Coast). 31 Distribution of this document is unlimited. Please send comments to the 32 HTTP working group at . Discussions of the 33 working group are archived at 34 . General discussions about 35 HTTP and the applications which use HTTP should take place on the mailing list. 38 Abstract 40 "HTTP/1.0" includes the specification for a Basic Access Authentication 41 scheme. This scheme is not considered to be a secure method of user 42 authentication (unless used in conjunction with some external secure 43 system such as SSL [5]), as the user name and password are passed over 44 the network as clear text. 46 This document also provides the specification for HTTP's authentication 47 on cryptographic hashes, referred to as "Digest Access Authentication". 48 It is therefore intended to also serve as a replacement for RFC 2069.[6] 50 Like Basic, Digest access authentication verifies that both parties to a 51 communication know a shared secret (a password); unlike Basic, this 52 verification can be done without sending the password in the clear, 53 which is Basic's biggest weakness. As with most other authentication 54 protocols, the greatest sources of risks are usually found not in the 55 core protocol itself but in policies and procedures surrounding its use. 57 Table of Contents 59 HTTP AUTHENTICATION: BASIC AND DIGEST ACCESS AUTHENTICATION1 61 Status of this Memo........................................1 63 Abstract...................................................1 65 Table of Contents..........................................3 67 1 Access Authentication .................................5 68 1.1 Reliance on the HTTP/1.1 Specification ............5 69 1.2 Access Authentication Framework ...................5 71 2 Basic Authentication Scheme ...........................6 73 3 Digest Access Authentication Scheme ...................7 74 3.1 Introduction ......................................7 75 3.1.1 Purpose .........................................7 76 3.1.2 Overall Operation ...............................8 77 3.1.3 Representation of digest values .................8 78 3.1.4 Limitations .....................................8 79 3.2 Specification of Digest Headers ...................9 80 3.2.1 The WWW-Authenticate Response Header ............9 81 3.2.2 The Authorization Request Header ...............11 82 3.2.3 The Authentication-Info Header .................14 83 3.3 Digest Operation .................................15 84 3.4 Security Protocol Negotiation ....................16 85 3.5 Example ..........................................16 86 3.6 Proxy-Authentication and Proxy-Authorization .....17 88 4 Security Considerations ..............................18 89 4.1 Authentication of Clients using Basic Authentication 18 90 4.2 Authentication of Clients using Digest Authentication 19 91 4.3 Offering a Choice of Authentication Schemes ......19 92 4.4 Comparison of Digest with Basic Authentication ...20 93 4.5 Replay Attacks ...................................20 94 4.6 Man in the Middle ................................21 95 4.7 Spoofing by Counterfeit Servers ..................22 96 4.8 Storing passwords ................................22 97 4.9 Summary ..........................................23 99 5 Acknowledgments ......................................23 101 6 References ...........................................23 103 7 Authors' Addresses ...................................24 105 Index.....................................................26 106 1 Access Authentication 108 1.1 Reliance on the HTTP/1.1 Specification 110 This specification is a companion two the HTTP/1.1 specification [2]. It 111 uses using the extended BNF section 2.1 of that document, and relies on 112 both the BNF defined in that document, and other aspects of the HTTP/1.1 113 specification. 115 1.2 Access Authentication Framework 117 HTTP provides a simple challenge-response authentication mechanism 118 which MAY be used by a server to challenge a client request and by a 119 client to provide authentication information. It uses an extensible, 120 case-insensitive token to identify the authentication scheme, followed 121 by a comma-separated list of attribute-value pairs which carry the 122 parameters necessary for achieving authentication via that scheme. 124 auth-scheme = token 125 auth-param = token "=" ( token | quoted-string ) 126 The 401 (Unauthorized) response message is used by an origin server to 127 challenge the authorization of a user agent. This response MUST include 128 a WWW-Authenticate header field containing at least one challenge 129 applicable to the requested resource. The 407 (Proxy Authentication 130 Required) response message is used by a proxy to challenge the 131 authorization of a client and MUST include a Proxy-Authenticate header 132 field containing a challenge applicable to the proxy for the requested 133 resource. 135 challenge = auth-scheme 1*SP 1#auth-param 136 The authentication parameter realm is defined for all authentication 137 schemes: 139 realm = "realm" "=" realm-value 140 realm-value = quoted-string 141 The realm attribute (case-insensitive) is required for all 142 authentication schemes which issue a challenge. The realm value (case- 143 sensitive), in combination with the canonical root URL (see section 144 5.1.2 of [2]) of the server being accessed, defines the protection 145 space. These realms allow the protected resources on a server to be 146 partitioned into a set of protection spaces, each with its own 147 authentication scheme and/or authorization database. The realm value is 148 a string, generally assigned by the origin server, which may have 149 additional semantics specific to the authentication scheme. 151 A user agent that wishes to authenticate itself with an origin server-- 152 usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY 153 do so by including an Authorization header field with the request. A 154 client that wishes to authenticate itself with a proxy--usually, but not 155 necessarily, after receiving a 407 (Proxy Authentication Required)--MAY 156 do so by including a Proxy-Authorization header field with the request. 157 Both the Authorization field value and the Proxy-Authorization field 158 value consists of credentials containing the authentication information 159 of the client for the realm of the resource being requested. 161 credentials = basic-credentials | auth-scheme #auth-param 162 The protection space determines the domain over which credentials can be 163 automatically applied. If a prior request has been authorized, the same 164 credentials MAY be reused for all other requests within that protection 165 space for a period of time determined by the authentication scheme, 166 parameters, and/or user preference. Unless otherwise defined by the 167 authentication scheme, a single protection space cannot extend outside 168 the scope of its server. 170 If the origin server does not wish to accept the credentials sent with a 171 request, it SHOULD return a 401 (Unauthorized) response. The response 172 MUST include a WWW-Authenticate header field containing at least one 173 (possibly new) challenge applicable to the requested resource. If a 174 proxy does not accept the credentials sent with a request, it SHOULD 175 return a 407 (Proxy Authentication Required). The response MUST include 176 a Proxy-Authenticate header field containing a (possibly new) challenge 177 applicable to the proxy for the requested resource. 179 The HTTP protocol does not restrict applications to this simple 180 challenge-response mechanism for access authentication. Additional 181 mechanisms MAY be used, such as encryption at the transport level or via 182 message encapsulation, and with additional header fields specifying 183 authentication information. However, these additional mechanisms are not 184 defined by this specification. 186 Proxies MUST be completely transparent regarding user agent 187 authentication by origin servers. That is, they MUST forward the WWW- 188 Authenticate and Authorization headers untouched, and follow the rules 189 found in section 14.8 of [2]. Both the Proxy-Authenticate and the Proxy- 190 Authorization header fields are hop-by-hop headers (see section 13.5.1 191 of [2]). 193 2 Basic Authentication Scheme 195 The "basic" authentication scheme is based on the model that the client 196 must authenticate itself with a user-ID and a password for each realm. 197 The realm value should be considered an opaque string which can only be 198 compared for equality with other realms on that server. The server will 199 service the request only if it can validate the user-ID and password for 200 the protection space of the Request-URI. There are no optional 201 authentication parameters. 203 Upon receipt of an unauthorized request for a URI within the protection 204 space, the origin server MAY respond with a challenge like the 205 following: 207 WWW-Authenticate: Basic realm="WallyWorld" 208 where "WallyWorld" is the string assigned by the server to identify the 209 protection space of the Request-URI. A proxy may respond with the same 210 challenge using the Proxy-Authenticate header field. 212 To receive authorization, the client sends the userid and password, 213 separated by a single colon (":") character, within a base64 [7] encoded 214 string in the credentials. 216 basic-credentials = "Basic" SP base64-user-pass 217 base64-user-pass = 219 user-pass = userid ":" password 220 userid = * 221 password = *TEXT 222 Userids might be case sensitive. 224 If the user agent wishes to send the userid "Aladdin" and password "open 225 sesame", it would use the following header field: 227 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== 229 A client SHOULD assume that all paths at or deeper than the depth of the 230 last symbolic element in the path field of the Request-URI also are 231 within the protection space specified by the Basic realm value of the 232 current challenge. A client MAY send the corresponding Authorization 233 header with requests for resources in that space without receipt of 234 another challenge from the server. 236 If a client wishes to send the same userid and password to a proxy, it 237 would use the Proxy-Authorization header field. See section 4 for 238 security considerations associated with Basic authentication. 240 3 Digest Access Authentication Scheme 242 3.1 Introduction 244 3.1.1 Purpose 246 The protocol referred to as "HTTP/1.0" includes specification for a 247 Basic Access Authentication scheme[1]. This scheme is not considered to 248 be a secure method of user authentication, as the user name and password 249 are passed over the network in an unencrypted form. This document 250 provides specification for such a scheme, referred to as "Digest Access 251 Authentication". 253 The Digest Access Authentication scheme is not intended to be a complete 254 answer to the need for security in the World Wide Web. This scheme 255 provides no encryption of object content. The intent is simply to create 256 a weak access authentication method, which avoids the most serious flaws 257 of Basic authentication. 259 3.1.2 Overall Operation 261 Like Basic Access Authentication, the Digest scheme is based on a simple 262 challenge-response paradigm. The Digest scheme challenges using a nonce 263 value. A valid response contains a checksum (by default the MD5 264 checksum) of the username, the password, the given nonce value, the HTTP 265 method, and the requested URI. In this way, the password is never sent 266 in the clear. Just as with the Basic scheme, the username and password 267 must be prearranged in some fashion which is not addressed by this 268 document. 270 3.1.3 Representation of digest values 272 An optional header allows the server to specify the algorithm used to 273 create the checksum or digest. By default the MD5 algorithm is used and 274 that is the only algorithm described in this document. 276 For the purposes of this document, an MD5 digest of 128 bits is 277 represented as 32 ASCII printable characters. The bits in the 128 bit 278 digest are converted from most significant to least significant bit, 279 four bits at a time to their ASCII presentation as follows. Each four 280 bits is represented by its familiar hexadecimal notation from the 281 characters 0123456789abcdef. That is, binary 0000 gets represented by 282 the character '0', 0001, by '1', and so on up to the representation of 283 1111 as 'f'. 285 3.1.4 Limitations 287 The digest authentication scheme described in this document suffers from 288 many known limitations. It is intended as a replacement for basic 289 authentication and nothing more. It is a password-based system and (on 290 the server side) suffers from all the same problems of any password 291 system. In particular, no provision is made in this protocol for the 292 initial secure arrangement between user and server to establish the 293 user's password. 295 Users and implementors should be aware that this protocol is not as 296 secure as kerberos, and not as secure as any client-side private-key 297 scheme. Nevertheless it is better than nothing, better than what is 298 commonly used with telnet and ftp, and better than Basic authentication. 300 3.2 Specification of Digest Headers 302 The Digest Access Authentication scheme is conceptually similar to the 303 Basic scheme. The formats of the modified WWW-Authenticate header line 304 and the Authorization header line are specified below. In addition, a 305 new header, Authentication-Info, is specified. 307 3.2.1 The WWW-Authenticate Response Header 309 If a server receives a request for an access-protected object, and an 310 acceptable Authorization header is not sent, the server responds with a 311 "401 Unauthorized" status code, and a WWW-Authenticate header, which is 312 defined as follows: 314 WWW-Authenticate = "WWW-Authenticate" ":" "Digest" 315 digest-challenge 317 digest-challenge = 1#( realm | [ domain ] | nonce | 318 [ opaque ] |[ stale ] | [ algorithm ] | 319 [ digest-required ]) 321 domain = "domain" "=" <"> URI ( 1*SP URI ) <"> 322 nonce = "nonce" "=" nonce-value 323 nonce-value = quoted-string 324 opaque = "opaque" "=" quoted-string 325 stale = "stale" "=" ( "true" | "false" ) 326 algorithm = "algorithm" "=" ( "MD5" | token ) 327 digest-required = "digest-required" "=" ( "true" | "false" ) 329 The meanings of the values of the parameters used above are as follows: 331 realm 332 A string to be displayed to users so they know which username and 333 password to use. This string should contain at least the name of the 334 host performing the authentication and might additionally indicate 335 the collection of users who might have access. An example might be 336 "registered_users@gotham.news.com". 338 domain 339 A space-separated list of URIs, as specified in RFC XURI [7]. The 340 intent is that the client could use this information to know the set 341 of URIs for which the same authentication information should be sent. 342 The URIs in this list may exist on different servers. If this keyword 343 is omitted or empty, the client should assume that the domain 344 consists of all URIs on the responding server. 346 nonce 347 A server-specified data string which may be uniquely generated each 348 time a 401 response is made. It is recommended that this string be 349 base64 or hexadecimal data. Specifically, since the string is passed 350 in the header lines as a quoted string, the double-quote character is 351 not allowed. 353 The contents of the nonce are implementation dependent. The quality 354 of the implementation depends on a good choice. A recommended nonce 355 would include 357 H(client-IP ":" time-stamp ":" private-key) 358 Where client-IP is the dotted quad IP address of the client making 359 the request, time-stamp is a server-generated time value, private-key 360 is data known only to the server. With a nonce of this form a server 361 would normally recalculate the nonce after receiving the client 362 authentication header and reject the request if it did not match the 363 nonce from that header. In this way the server can limit the reuse of 364 a nonce to the IP address to which it was issued and limit the time 365 of the nonce's validity. Further discussion of the rationale for 366 nonce construction is in section 4.5 below. 368 An implementation might choose not to accept a previously used nonce 369 or a previously used digest to protect against a replay attack. Or, 370 an implementation might choose to use one-time nonces or digests for 371 POST or PUT requests and a time-stamp for GET requests. For more 372 details on the issues involved see section 4 of this document. 374 The nonce is opaque to the client. 376 opaque 377 A string of data, specified by the server, which should be returned 378 by the client unchanged. It is recommended that this string be base64 379 or hexadecimal data. 381 stale 382 A flag, indicating that the previous request from the client was 383 rejected because the nonce value was stale. If stale is TRUE (in 384 upper or lower case), the client may wish to simply retry the request 385 with a new encrypted response, without reprompting the user for a new 386 username and password. The server should only set stale to true if it 387 receives a request for which the nonce is invalid but with a valid 388 digest for that nonce (indicating that the client knows the correct 389 username/password). 391 algorithm 392 A string indicating a pair of algorithms used to produce the digest 393 and a checksum. If this not present it is assumed to be "MD5". In 394 this document the string obtained by applying the digest algorithm to 395 the data "data" with secret "secret" will be denoted by KD(secret, 396 data), and the string obtained by applying the checksum algorithm to 397 the data "data" will be denoted H(data). 398 For the "MD5" algorithm 400 H(data) = MD5(data) 401 and 403 KD(secret, data) = H(concat(secret, ":", data)) 404 i.e., the digest is the MD5 of the secret concatenated with a 405 colon concatenated with the data. 407 digest-required 408 If the value of the digest-required parameter is "true", then 409 any request with an entity-body (such as a PUT or a POST) for 410 the resource(s) to which this response applies MUST include 411 the "digest" attribute in its Authorization header. If the 412 request has no entity-body (such as a GET) then the digest- 413 required value can be ignored. If the digest-required 414 parameter is not specified, then its value is "false". If the 415 value of the digest-required parameter is "false", then the 416 "digest" attribute is OPTIONAL on requests for the resource(s) 417 to which the response applies. 419 3.2.2 The Authorization Request Header 421 The client is expected to retry the request, passing an 422 Authorization header line, which is defined as follows. 424 Authorization = "Authorization" ":" "Digest" 425 digest-response 427 Digest-response = 1#( username | realm | nonce | digest-uri | 428 response | [ digest ] | [ algorithm ] | 429 opaque ) 431 username = "username" "=" username-value 432 username-value = quoted-string 433 digest-uri = "uri" "=" digest-uri-value 434 digest-uri-value = request-uri ; As specified by HTTP/1.1 435 response = "response" "=" response-digest 436 digest = "digest" "=" entity-digest 438 response-digest = <"> *LHEX <"> 439 entity-digest = <"> *LHEX <"> 440 LHEX = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" 441 |"8" | "9" | "a" | "b" | "c" | "d" | "e" | "f" 443 The values of the opaque and algorithm fields must be those 444 supplied in the WWW-Authenticate response header for the entity 445 being requested. 447 If the value of the digest-required parameter is "true", the 448 response to this request MUST either include the "digest" field 449 in its Authentication-Info header or the response should be an 450 error message indicating the server is unable or unwilling to 451 supply this field. In the latter case the requested entity MUST 452 not be returned as part of the response. If the digest-required 453 parameter is not specified in the request, then its value is 454 "false". If the value of the digest-required parameter is 455 "false", then the "digest" attribute is OPTIONAL for the response 456 to this request. 458 The definitions of response-digest and entity-digest above 459 indicate the encoding for their values. The following definitions 460 show how the value is computed: 462 response-digest = 463 <"> < KD ( H(A1), unquoted nonce-value ":" H(A2) ) > <"> 465 A1 = unquoted username-value ":" unquoted realm-value 466 ":" password 467 password = < user's password > 468 A2 = Method ":" digest-uri-value 470 The "username-value" field is a "quoted-string". However, the 471 surrounding quotation marks are removed in forming the string A1. 472 Thus if the Authorization header includes the fields 474 username="Mufasa", realm="myhost@testrealm.com" 475 and the user Mufasa has password "CircleOfLife" then H(A1) would 476 be H(Mufasa:myhost@testrealm.com:CircleOfLife) with no quotation 477 marks in the digested string. 479 No white space is allowed in any of the strings to which the 480 digest function H() is applied unless that white space exists in 481 the quoted strings or entity body whose contents make up the 482 string to be digested. For example, the string A1 illustrated 483 above must be Mufasa:myhost@testrealm.com:CircleOfLife with no 484 white space on either side of the colons. Likewise, the other 485 strings digested by H() must not have white space on either side 486 of the colons which delimit their fields unless that white space 487 was in the quoted strings or entity body being digested. 489 "Method" is the HTTP request method as specified in section 5.1 490 of [2]. The "request-uri" value is the Request-URI from the 491 request line as specified in section 5.1 of [2]. This may be "*", 492 an "absoluteURL" or an "abs_path" as specified in section 5.1.2 493 of [2], but it MUST agree with the Request-URI. In particular, it 494 MUST be an "absoluteURL" if the Request-URI is an "absoluteURL". 496 The authenticating server must assure that the document 497 designated by the "uri" parameter is the same as the document 498 served. The purpose of duplicating information from the request 499 URL in this field is to deal with the possibility that an 500 intermediate proxy may alter the client's request. This altered 501 (but presumably semantically equivalent) request would not result 502 in the same digest as that calculated by the client. 504 The optional "digest" field contains a digest of the entity body 505 and some of the associated entity headers. This digest can be 506 useful in both request and response transactions. In a request it 507 can insure the integrity of POST data or data being PUT to the 508 server. In a response it insures the integrity of the served 509 document. The value of the "digest" field is an , 510 which is defined as follows. 512 entity-digest<"> KD (H(A1), unquoted nonce-value ":" Method ":" 513 date ":" entity-info ":" H(entity-body)) <"> 514 ; format is <"> *LHEX <"> 516 date = rfc1123-date ; see section 3.3.1 of[2] 517 entity-info = 518 H( 519 digest-uri-value ":" 520 media-type ":" ; Content-Type, see section 3.7 of [2] 521 *DIGIT ":" ; Content-Length, see 10.12 of [2] 522 content-coding ":" ; Content-Encoding, see 3.5 of [2] 523 last-modified ":" ; last modified date, see 10.25 of [2] 524 expires ; expiration date; see 10.19 of [2] 525 ) 527 last-modified = rfc1123-date ; see section 3.3.1 of [2] 528 expires = rfc1123-date 530 The entity-info elements incorporate the values of the URI used 531 to request the entity as well as the associated entity headers 532 Content-Type, Content-Length, Content-Encoding, Last-Modified, 533 and Expires. These headers are all end-to-end headers (see 534 section 13.5.1 of [2]) which must not be modified by proxy 535 caches. The "entity-body" is as specified by section 10.13 of [2] 536 or RFC 1864. The content length MUST always be included. The 537 HTTP/1.1 spec requires that content length is well defined in all 538 messages, whether or not there is a Content-Length header. 540 Note that not all entities will have an associated URI or all of 541 these headers. For example, an entity which is the data of a POST 542 request will typically not have a digest-uri-value or Last- 543 modified or Expires headers. If an entity does not have a digest- 544 uri-value or a header corresponding to one of the entity-info 545 fields, then that field is left empty in the computation of 546 entity-info. All the colons specified above are present, however. 547 For example the value of the entity-info associated with POST 548 data which has content-type "text/plain", no content-encoding and 549 a length of 255 bytes would be H(:text/plain:255:::). Similarly a 550 request may not have a "Date" header. In this case the date field 551 of the entity-digest should be empty. 553 In the entity-info and entity-digest computations, except for the 554 blank after the comma in "rfc1123-date", there must be no white 555 space between "words" and "separators", and exactly one blank 556 between "words" (see section 2.2 of [2]). 558 Implementers should be aware of how authenticated transactions 559 interact with proxy caches. The HTTP/1.1 protocol specifies that 560 when a shared cache (see section 13.10 of [2]) has received a 561 request containing an Authorization header and a response from 562 relaying that request, it MUST NOT return that response as a 563 reply to any other request, unless one of two Cache-Control (see 564 section 14.9 of [2]) directives was present in the response. If 565 the original response included the "must-revalidate" Cache- 566 Control directive, the cache MAY use the entity of that response 567 in replying to a subsequent request, but MUST first revalidate it 568 with the origin server, using the request headers from the new 569 request to allow the origin server to authenticate the new 570 request. Alternatively, if the original response included the 571 "public" Cache-Control directive, the response entity MAY be 572 returned in reply to any subsequent request. 574 3.2.3 The Authentication-Info Header 576 When authentication succeeds, the server may optionally provide a 577 Authentication-Info header indicating that the server wants to 578 communicate some information regarding the successful 579 authentication (such as an entity digest or a new nonce to be 580 used for the next transaction). It has two fields, digest and 581 nextnonce. Both are optional. 583 AuthenticationInfo = "Authentication-Info" ":" 584 1#( digest | nextnonce ) 585 nextnonce = "nextnonce" "=" nonce-value 586 digest = "digest" "=" entity-digest 588 The optional digest allows the client to verify that the body of 589 the response has not been changed en-route. The server would 590 probably only send this when it has the document and can compute 591 it. The server would probably not bother generating this header 592 for CGI output. The value of the "digest" is an 593 which is computed as described above. 595 The value of the nextnonce parameter is the nonce the server 596 wishes the client to use for the next authentication response. 597 Note that either field is optional. In particular the server may 598 send the Authentication-Info header with only the nextnonce field 599 as a means of implementing one-time nonces. If the nextnonce 600 field is present the client is strongly encouraged to use it for 601 the next WWW- Authenticate header. Failure of the client to do so 602 may result in a request to re-authenticate from the server with 603 the "stale=TRUE ". 605 The Authentication-Info header is allowed in the trailer of an 606 HTTP message transferred via chunked transfer-coding. 608 3.3 Digest Operation 610 Upon receiving the Authorization header, the server may check its 611 validity by looking up its known password which corresponds to 612 the submitted username. Then, the server must perform the same 613 MD5 operation performed by the client, and compare the result to 614 the given response-digest. 616 Note that the HTTP server does not actually need to know the 617 user's clear text password. As long as H(A1) is available to the 618 server, the validity of an Authorization header may be verified. 620 A client may remember the username, password and nonce values, so 621 that future requests within the specified may include 622 the Authorization header preemptively. The server may choose to 623 accept the old Authorization header information, even though the 624 nonce value included might not be fresh. Alternatively, the 625 server could return a 401 response with a new nonce value, 626 causing the client to retry the request. By specifying stale=TRUE 627 with this response, the server hints to the client that the 628 request should be retried with the new nonce, without reprompting 629 the user for a new username and password. 631 The opaque data is useful for transporting state information 632 around. For example, a server could be responsible for 633 authenticating content which actually sits on another server. The 634 first 401 response would include a domain field which includes 635 the URI on the second server, and the opaque field for specifying 636 state information. The client will retry the request, at which 637 time the server may respond with a 301/302 redirection, pointing 638 to the URI on the second server. The client will follow the 639 redirection, and pass the same Authorization header, including 640 the data which the second server may require. 642 As with the basic scheme, proxies must be completely transparent 643 in the Digest access authentication scheme. That is, they must 644 forward the WWW-Authenticate, Authentication-Info and 645 Authorization headers untouched. If a proxy wants to authenticate 646 a client before a request is forwarded to the server, it can be 647 done using the Proxy-Authenticate and Proxy-Authorization headers 648 described in section 3.6 below. 650 3.4 Security Protocol Negotiation 652 It is useful for a server to be able to know which security 653 schemes a client is capable of handling. 655 It is possible that a server may want to require Digest as its 656 authentication method, even if the server does not know that the 657 client supports it. A client is encouraged to fail gracefully if 658 the server specifies any authentication scheme it cannot handle. 660 3.5 Example 662 The following example assumes that an access-protected document 663 is being requested from the server. The URI of the document is 664 "http://www.nowhere.org/dir/index.html". Both client and server 665 know that the username for this document is "Mufasa", and the 666 password is "CircleOfLife". 668 The first time the client requests the document, no Authorization 669 header is sent, so the server responds with: 671 HTTP/1.1 401 Unauthorized 672 WWW-Authenticate: Digest 673 realm="testrealm@host.com", 674 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", 675 opaque="5ccc069c403ebaf9f0171e9517f40e41" 677 The client may prompt the user for the username and password, 678 after which it will respond with a new request, including the 679 following Authorization header: 681 Authorization: Digest username="Mufasa", 682 realm="testrealm@host.com", 683 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", 684 uri="/dir/index.html", 685 response="1949323746fe6a43ef61f9606e7febea", 686 opaque="5ccc069c403ebaf9f0171e9517f40e41" 688 3.6 Proxy-Authentication and Proxy-Authorization 690 The digest authentication scheme may also be used for 691 authenticating users to proxies, proxies to proxies, or proxies 692 to end servers by use of the Proxy-Authenticate and Proxy- 693 Authorization headers. These headers are instances of the general 694 Proxy-Authenticate and Proxy-Authorization headers specified in 695 sections 10.30 and 10.31 of the HTTP/1.1 specification [2] and 696 their behavior is subject to restrictions described there. The 697 transactions for proxy authentication are very similar to those 698 already described. Upon receiving a request which requires 699 authentication, the proxy/server must issue the "HTTP/1.1 401 700 Unauthorized" header followed by a "Proxy-Authenticate" header of 701 the form 703 Proxy-Authentication = "Proxy-Authentication" ":" 704 "Digest" 705 digest-challenge 707 where digest-challenge is as defined above in section 2.1. The 708 client/proxy must then re-issue the request with a Proxy- 709 Authenticate header of the form 711 Proxy-Authorization = "Proxy-Authorization" ":" 712 digest-response 714 where digest-response is as defined above in section 2.1. When 715 authentication succeeds, the server may optionally provide a 716 Proxy-Authentication-info header of the form 718 Proxy-Authentication-Info = "Proxy-Authentication-Info" ":" 719 nextnonce 721 where nextnonce has the same semantics as the nextnonce field in 722 the Authentication-Info header described above in section 3.2.3. 724 Note that in principle a client could be asked to authenticate 725 itself to both a proxy and an end-server. It might receive an 726 "HTTP/1.1 401 Unauthorized" header followed by both a WWW- 727 Authenticate and a Proxy-Authenticate header. However, it can 728 never receive more than one Proxy-Authenticate header since such 729 headers are only for immediate connections and must not be passed 730 on by proxies. If the client receives both headers, it must 731 respond with both the Authorization and Proxy-Authorization 732 headers as described above, which will likely involve different 733 combinations of username, password, nonce, etc. 735 4 Security Considerations 737 4.1 Authentication of Clients using Basic Authentication 739 The Basic authentication scheme is not a secure method of user 740 authentication, nor does it in any way protect the entity, which is 741 transmitted in clear text across the physical network used as the 742 carrier. HTTP does not prevent additional authentication schemes and 743 encryption mechanisms from being employed to increase security or the 744 addition of enhancements (such as schemes to use one-time passwords) to 745 Basic authentication. 747 The most serious flaw in Basic authentication is that it results in the 748 essentially clear text transmission of the user's password over the 749 physical network. It is this problem which Digest Authentication 750 attempts to address. 752 Because Basic authentication involves the clear text transmission of 753 passwords it SHOULD never be used (without enhancements) to protect 754 sensitive or valuable information. 756 A common use of Basic authentication is for identification purposes -- 757 requiring the user to provide a user name and password as a means of 758 identification, for example, for purposes of gathering accurate usage 759 statistics on a server. When used in this way it is tempting to think 760 that there is no danger in its use if illicit access to the protected 761 documents is not a major concern. This is only correct if the server 762 issues both user name and password to the users and in particular does 763 not allow the user to choose his or her own password. The danger arises 764 because naive users frequently reuse a single password to avoid the task 765 of maintaining multiple passwords. 767 If a server permits users to select their own passwords, then the threat 768 is not only illicit access to documents on the server but also illicit 769 access to the accounts of all users who have chosen to use their account 770 password. If users are allowed to choose their own password that also 771 means the server must maintain files containing the (presumably 772 encrypted) passwords. Many of these may be the account passwords of 773 users perhaps at distant sites. The owner or administrator of such a 774 system could conceivably incur liability if this information is not 775 maintained in a secure fashion. 777 Basic Authentication is also vulnerable to spoofing by counterfeit 778 servers. If a user can be led to believe that he is connecting to a host 779 containing information protected by basic authentication when in fact he 780 is connecting to a hostile server or gateway then the attacker can 781 request a password, store it for later use, and feign an error. This 782 type of attack is not possible with Digest Authentication. Server 783 implementers SHOULD guard against the possibility of this sort of 784 counterfeiting by gateways or CGI scripts. In particular it is very 785 dangerous for a server to simply turn over a connection to a gateway. 786 That gateway can then use the persistent connection mechanism to engage 787 in multiple transactions with the client while impersonating the 788 original server in a way that is not detectable by the client. 790 4.2 Authentication of Clients using Digest Authentication 792 Digest Authentication does not provide a strong authentication 793 mechanism. That is not its intent. It is intended solely to 794 replace a much weaker and even more dangerous authentication 795 mechanism: Basic Authentication. An important design constraint 796 is that the new authentication scheme be free of patent and 797 export restrictions. 799 Most needs for secure HTTP transactions cannot be met by Digest 800 Authentication. For those needs SSL or SHTTP are more appropriate 801 protocols. In particular digest authentication cannot be used for 802 any transaction requiring encrypted content. Nevertheless many 803 functions remain for which digest authentication is both useful 804 and appropriate. 806 4.3 Offering a Choice of Authentication Schemes 808 An HTTP/1.1 server may return multiple challenges with a 401 809 (Authenticate) response, and each challenge may use a different scheme. 810 The order of the challenges returned to the user agent is in the order 811 that the server would prefer they be chosen. The server should order its 812 challenges with the "most secure" authentication scheme first. A user 813 agent should choose as the challenge to be made to the user the first 814 one that the user agent understands. 816 When the server offers choices of authentication schemes using the WWW- 817 Authenticate header, the "security" of the authentication is only as 818 good as the security of the weakest of the authentication schemes. A 819 malicious user could capture the set of challenges and try to 820 authenticate him/herself using the weakest of the authentication 821 schemes. Thus, the ordering serves more to protect the user's 822 credentials than the server's information. 824 A possible man-in-the-middle (MITM) attack would be to add a weak 825 authentication scheme to the set of choices, hoping that the client will 826 use one that exposes the user's credentials (e.g. password). For this 827 reason, the client should always use the strongest scheme that it 828 understands from the choices accepted. 830 An even better MITM attack would be to remove all offered choices, and 831 to insert a challenge that requests Basic authentication. For this 832 reason, user agents that are concerned about this kind of attack could 833 remember the strongest authentication scheme ever requested by a server 834 and produce a warning message that requires user confirmation before 835 using a weaker one. A particularly insidious way to mount such a MITM 836 attack would be to offer a "free" proxy caching service to gullible 837 users. 839 4.4 Comparison of Digest with Basic Authentication 841 Both Digest and Basic Authentication are very much on the weak 842 end of the security strength spectrum. But a comparison between 843 the two points out the utility, even necessity, of replacing 844 Basic by Digest. 846 The greatest threat to the type of transactions for which these 847 protocols are used is network snooping. This kind of transaction 848 might involve, for example, online access to a database whose use 849 is restricted to paying subscribers. With Basic authentication an 850 eavesdropper can obtain the password of the user. This not only 851 permits him to access anything in the database, but, often worse, 852 will permit access to anything else the user protects with the 853 same password. 855 By contrast, with Digest Authentication the eavesdropper only 856 gets access to the transaction in question and not to the user's 857 password. The information gained by the eavesdropper would permit 858 a replay attack, but only with a request for the same document, 859 and even that might be difficult. 861 4.5 Replay Attacks 863 A replay attack against digest authentication would usually be 864 pointless for a simple GET request since an eavesdropper would 865 already have seen the only document he could obtain with a 866 replay. This is because the URI of the requested document is 867 digested in the client response and the server will only deliver 868 that document. By contrast under Basic Authentication once the 869 eavesdropper has the user's password, any document protected by 870 that password is open to him. A GET request containing form data 871 could only be "replayed" with the identical data. However, this 872 could be problematic if it caused a CGI script to take some 873 action on the server. 875 Thus, for some purposes, it is necessary to protect against 876 replay attacks. A good digest implementation can do this in 877 various ways. The server created "nonce" value is implementation 878 dependent, but if it contains a digest of the client IP, a time- 879 stamp, and a private server key (as recommended above) then a 880 replay attack is not simple. An attacker must convince the server 881 that the request is coming from a false IP address and must cause 882 the server to deliver the document to an IP address different 883 from the address to which it believes it is sending the document. 884 An attack can only succeed in the period before the time-stamp 885 expires. Digesting the client IP and time-stamp in the nonce 886 permits an implementation which does not maintain state between 887 transactions. 889 For applications where no possibility of replay attack can be 890 tolerated the server can use one-time response digests which will 891 not be honored for a second use. This requires the overhead of 892 the server remembering which digests have been used until the 893 nonce time-stamp (and hence the digest built with it) has 894 expired, but it effectively protects against replay attacks. 895 Instead of maintaining a list of the values of used digests, a 896 server would hash these values and require re-authentication 897 whenever a hash collision occurs. 899 An implementation must give special attention to the possibility 900 of replay attacks with POST and PUT requests. A successful replay 901 attack could result in counterfeit form data or a counterfeit 902 version of a PUT file. The use of one-time digests or one-time 903 nonces is recommended. It is also recommended that the optional 904 be implemented for use with POST or PUT requests to 905 assure the integrity of the posted data. Alternatively, a server 906 may choose to allow digest authentication only with GET requests. 907 Responsible server implementors will document the risks described 908 here as they pertain to a given implementation. 910 4.6 Man in the Middle 912 Both Basic and Digest authentication are vulnerable to "man in the 913 middle" attacks, for example, from a hostile or compromised proxy. 914 Clearly, this would present all the problems of eavesdropping. But it 915 could also offer some additional threats. 917 A simple but effective attack would be to replace the Digest challenge 918 with a Basic challenge, to spoof the client into revealing their 919 password. To protect against this attack, clients should remember if a 920 site has used Digest authentication in the past, and warn the user if 921 the site stops using it. It might also be a good idea for the browser to 922 be configured to demand Digest authentication in general, or from 923 specific sites. 925 Or, a hostile proxy might spoof the client into making a request the 926 attacker wanted rather than one the client wanted. Of course, this is 927 still much harder than a comparable attack against Basic Authentication. 929 There are several attacks on the "digest" field in the Authentication- 930 Info header. A simple but effective attack is just to remove the field, 931 so that the client will not be able to use it to detect modifications to 932 the response entity. Sensitive applications may wish to allow 933 configuration to require that the digest field be present when 934 appropriate. More subtly, the attacker can alter any of the entity- 935 headers not incorporated in the computation of the digest. The attacker 936 can alter most of the request headers in the client's request, and can 937 alter any response header in the origin-server's reply, except those 938 headers whose values are incorporated into the "digest" field. 940 Alteration of Accept* or User-Agent request headers can only result in a 941 denial of service attack that returns content in an unacceptable media 942 type or language. Alteration of cache control headers also can only 943 result in denial of service. Alteration of Host will be detected, if the 944 full URL is in the response-digest. Alteration of Referer or From is not 945 important, as these are only hints. 947 4.7 Spoofing by Counterfeit Servers 949 Basic Authentication is vulnerable to spoofing by counterfeit servers. 950 If a user can be led to believe that she is connecting to a host 951 containing information protected by a password she knows, when in fact 952 she is connecting to a hostile server, then the hostile server can 953 request a password, store it away for later use, and feign an error. 954 This type of attack is more difficult with Digest Authentication -- but 955 the client must know to demand that Digest authentication be used, 956 perhaps using some of the techniques described above to counter "man-in- 957 the-middle" attacks. 959 4.8 Storing passwords 961 Digest authentication requires that the authenticating agent (usually 962 the server) store some data derived from the user's name and password in 963 a "password file" associated with a given realm. Normally this might 964 contain pairs consisting of username and H(A1), where H(A1) is the 965 digested value of the username, realm, and password as described above. 967 The security implications of this are that if this password file is 968 compromised, then an attacker gains immediate access to documents on the 969 server using this realm. Unlike, say a standard UNIX password file, this 970 information need not be decrypted in order to access documents in the 971 server realm associated with this file. On the other hand, decryption, 972 or more likely a brute force attack, would be necessary to obtain the 973 user's password. This is the reason that the realm is part of the 974 digested data stored in the password file. It means that if one digest 975 authentication password file is compromised, it does not automatically 976 compromise others with the same username and password (though it does 977 expose them to brute force attack). 979 There are two important security consequences of this. First the 980 password file must be protected as if it contained unencrypted 981 passwords, because for the purpose of accessing documents in its realm, 982 it effectively does. 984 A second consequence of this is that the realm string should be unique 985 among all realms which any single user is likely to use. In particular a 986 realm string should include the name of the host doing the 987 authentication. The inability of the client to authenticate the server 988 is a weakness of Digest Authentication. 990 4.9 Summary 992 By modern cryptographic standards Digest Authentication is weak. But for 993 a large range of purposes it is valuable as a replacement for Basic 994 Authentication. It remedies many, but not all, weaknesses of Basic 995 Authentication. Its strength may vary depending on the implementation. 996 In particular the structure of the nonce (which is dependent on the 997 server implementation) may affect the ease of mounting a replay attack. 998 A range of server options is appropriate since, for example, some 999 implementations may be willing to accept the server overhead of one-time 1000 nonces or digests to eliminate the possibility of replay. Others may 1001 satisfied with a nonce like the one recommended above restricted to a 1002 single IP address and with a limited lifetime. 1004 The bottom line is that *any* compliant implementation will be 1005 relatively weak by cryptographic standards, but *any* compliant 1006 implementation will be far superior to Basic Authentication. 1008 5 Acknowledgments 1010 In addition to the authors, valuable discussion instrumental in creating 1011 this document has come from Peter J. Churchyard, Ned Freed, and David M. 1012 Kristol. 1014 Jim Gettys edited this document for its update. 1016 6 References 1018 [1] Berners-Lee, T., Fielding, R., and H. Frystyk, "Hypertext 1019 Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996. 1021 [2] Fielding, R., Gettys, J., Mogul, J. C., Frysyk, H, Berners-Lee, 1022 T., " Hypertext Transfer Protocol -- HTTP/1.1", Work In Progress of 1023 the HTTP working group, November 1997. 1025 [3] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1026 1992. 1028 [4] Freed, N., and N. Borenstein. "Multipurpose Internet Mail 1029 Extensions (MIME) Part One: Format of Internet Message Bodies." RFC 1030 2045, Innosoft, First Virtual, November 1996. 1032 [5] Dierks, T. and C. Allen "The TLS Protocol, Version 1.0," Work In 1033 Progress of the TLS working group, November, 1997. 1035 [6] Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., 1036 Luotonen, A., Sink, E., Stewart, L.," An Extension to HTTP : Digest 1037 Access Authentication." RFC 2069, January, 1997. 1039 [7] Berners Lee, T, Fielding, R., Masinter, L., "Uniform Resource 1040 Identifiers (URI): Generic Syntax and Semantics ," Work in Progress, 1041 November, 1997. 1043 7 Authors' Addresses 1045 John Franks 1046 Professor of Mathematics 1047 Department of Mathematics 1048 Northwestern University 1049 Evanston, IL 60208-2730, USA 1051 EMail: john@math.nwu.edu 1053 Phillip M. Hallam-Baker 1054 Principal Consultant 1055 Verisign Inc. 1056 One Alewife Center 1057 Cambridge, MA 02138, USA 1059 EMail: pbaker@verisign.com 1061 Jeffery L. Hostetler 1062 Senior Software Engineer 1063 Spyglass, Inc. 1064 3200 Farber Drive 1065 Champaign, IL 61821, USA 1067 EMail: jeff@spyglass.com 1068 Paul J. Leach 1069 Microsoft Corporation 1070 1 Microsoft Way 1071 Redmond, WA 98052, USA 1073 EMail: paulle@microsoft.com 1075 Ari Luotonen 1076 Member of Technical Staff 1077 Netscape Communications Corporation 1078 501 East Middlefield Road 1079 Mountain View, CA 94043, USA 1081 EMail: luotonen@netscape.com 1083 Eric W. Sink 1084 Senior Software Engineer 1085 Spyglass, Inc. 1086 3200 Farber Drive 1087 Champaign, IL 61821, USA 1089 EMail: eric@spyglass.com 1091 Lawrence C. Stewart 1092 Open Market, Inc. 1093 215 First Street 1094 Cambridge, MA 02142, USA 1096 EMail: stewart@OpenMarket.com 1097 Index 1099 While some care was taken producing this index, there is no guarantee 1100 that all occurrences of an index term have been entered into the index. 1101 Italics indicate the definition of a term; bold face is used for the 1102 definition of a header. 1104 credentials, 6 1106 301, 16 1107 13 1108 digest, 11, 12, 13, 14, 15, 21, 1109 22 1110 Digest Access Authentication, 2, 1111 401, 5, 6, 9, 10, 15, 16, 17, 19 8, 9 1112 407, 5, 6 Digest Authentication, 18, 19 1113 411, 6 digest-challenge, 9, 17 1114 digest-required, 9, 11, 12 1115 digest-response, 11, 17 1116 digest-uri, 11 1117 absoluteURL, 13 digest-uri-value, 11, 12, 13, 14 1118 Accept*, 22 domain, 9, 10, 15, 16 1119 Access Authentication, 5 1120 algorithm, 8, 9, 10, 11, 12 1121 AuthenticationInfo, 302, 16 date, 14 1122 Authentication-Info, 9, 12, 14, entity-body, 13, 14 1123 15, 16, 17, 22 entity-digest, 11, 12, 13, 14, 15 1124 Authorization, 5, 6, 7, 9, 11, entity-info, 13, 14 1125 12, 14, 15, 16, 17, 18 expires, 13 1126 auth-param, 5 Expires, 13, 14 1127 auth-scheme, 5 1129 From, 22 1130 base64-user-pass, 7 1131 Basic Access Authentication, 1, 1132 7, 8 1133 Basic authentication, 7, 18, 20 GET, 10, 11, 20, 21 1134 Basic Authentication Scheme, 6 1135 basic-credentials, 7 1137 last-modified, 13 1138 Last-Modified, 13 1139 Cache-Control, 14 LHEX, 11, 12, 13 1140 challenge, 5 1141 content-coding, 13 1142 Content-Encoding, 13 1143 Content-Length, 13 MD5, 8, 9, 10, 11, 15, 24 1144 Content-Type, 13 media-type, 13 1145 Method, 12, 13 response, 11, 17 1146 MIME, 24 response-digest, 11, 12, 15, 22 1147 must-revalidate, 14 rfc1123-date, 13, 14 1149 , 17 Security Considerations 1150 nonce, 8, 9, 10, 11, 14, 15, 16, basic scheme is insecure, 18 1151 17, 18, 21, 23 comparison of digest with basic, 1152 nonce-value, 9, 12, 13, 15 20 1153 man in the middle attacks, 21 1154 offering multiple authentication 1155 schemes, 19 1156 opaque, 9, 10, 11, 12, 15, 16, 17 replay attacks against digest nextnonce, 14, 15 1157 authentication, 20 1158 spoofing by counterfeit servers, 1159 22 1160 password, 1, 7, 8, 9, 10, 12, 15, digest weak, 23 1161 16, 18, 20, 21, 22, 23 separators, 14 1162 POST, 10, 11, 13, 14, 21 stale, 9, 10, 15 1163 Proxy-Authenticate, 5, 6, 7, 16, 1164 17 1165 Proxy-Authentication, 17 1166 Proxy-Authentication-Info, 17 token, 5 1167 Proxy-Authorization, 6 true, 12 1168 public, 14 1169 PUT, 10, 11, 13, 21 1171 User-Agent, 22 1172 userid, 7 1173 quoted-string, 5, 9, 11, 12 username, 8, 9, 10, 11, 12, 15, 1174 16, 18, 22, 23 1175 username-value, 11, 12 1176 user-pass, 7 1177 realm, 5, 9, 11, 12, 16, 17, 22, 1178 23 1179 realm-value, 5, 12 1180 Referer, 22 words, 14 1181 request-uri, 11, 13 WWW-Authenticate, 5, 6, 7, 9, 12, 1182 Request-URI, 6, 7, 13 16, 17, 19