idnits 2.17.1 draft-ietf-http-digest-aa-rev-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-19) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 2 longer pages, the longest (page 1) being 100 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 18 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 4 instances of too long lines in the document, the longest one being 12 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 301: '...ce to which this response applies MUST...' RFC 2119 keyword, line 307: '... request MUST not be honored....' RFC 2119 keyword, line 340: '... this request MUST either include th...' RFC 2119 keyword, line 343: '... requested entity MUST not be returned...' RFC 2119 keyword, line 383: '... but it MUST agree with the Request-...' (4 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 558 has weird spacing: '... Digest rea...' == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: digest-required A flag, indicating that any request with an entity-body (such as a PUT or a POST) for the resource to which this response applies MUST include the 'digest' attribute in its Authorization header. If the request has no entity-body (such as a GET) then the digest-required field can be ignored. If a request with an entity-body is made without the digest field in response to an authentication header with the digest-required field, then this request is an error and the request MUST not be honored. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: The digest-required field is a flag, indicating that the response to this request MUST either include the 'digest' field in its Authentication-Info header or the response should be an error message indicating the server is unable or unwilling to supply this field. In the latter case the requested entity MUST not be returned as part of the response. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 30, 1977) is 17065 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: '3' is defined on line 813, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 1945 (ref. '1') ** Obsolete normative reference: RFC 2068 (ref. '2') (Obsoleted by RFC 2616) ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '3') Summary: 13 errors (**), 0 flaws (~~), 7 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 HTTP Working Group J. Franks 2 INTERNET-DRAFT Northwestern University 3 P. Hallam-Baker 4 M.I.T. 5 J. Hostetler 6 Spyglass, Inc. 7 P. Leach 8 Microsoft Corporation 9 A. Luotonen 10 Netscape Communications Corporation 11 E. Sink 12 Spyglass, Inc. 13 L. Stewart 14 Open Market, Inc. 15 July 30, 1977 17 An Extension to HTTP : Digest Access Authentication 19 Status of this Memo 21 This document is an Internet-Draft. Internet-Drafts are working 22 documents of the Internet Engineering Task Force (IETF), its 23 areas, and its working groups. Note that other groups may also 24 distribute working documents as Internet-Drafts. 26 Internet-Drafts are draft documents valid for a maximum of six 27 months and may be updated, replaced, or obsoleted by other 28 documents at any time. It is inappropriate to use Internet- 29 Drafts as reference material or to cite them other than as 30 ``work in progress.'' 32 To learn the current status of any Internet-Draft, please check 33 the ``1id-abstracts.txt'' listing contained in the Internet- 34 Drafts Shadow Directories on ftp.is.co.za (Africa), 35 nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), 36 ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). 38 Distribution of this document is unlimited. Please send comments 39 to the HTTP working group at . 40 Discussions of the working group are archived at 41 . General discussions 42 about HTTP and the applications which use HTTP should take place 43 on the mailing list. 45 Abstract 47 The protocol referred to as "HTTP/1.0" includes the specification for 48 a Basic Access Authentication scheme. This scheme is not considered 49 to be a secure method of user authentication, as the user name and 50 password are passed over the network as clear text. A specification 51 for a different authentication scheme is needed to address this 52 severe limitation. This document provides specification for such a 53 scheme, referred to as "Digest Access Authentication". Like Basic, 54 Digest access authentication verifies that both parties to a 55 communication know a shared secret (a password); unlike Basic, this 56 verification can be done without sending the password in the clear, 57 which is Basic's biggest weakness. As with most other authentication 58 protocols, the greatest sources of risks are usually found not in the 59 core protocol itself but in policies and procedures surrounding its 60 use. 62 This is the final draft of any document under this name. Digest and 63 Basic Authentication from the HTTP/1.1 specification will be combined 64 and issued as a document titled "Authentication in HTTP". Our intent 65 is that RFC 2068 and RFC 2069 will go to draft standard as a pair of 66 documents, but with all authentication schemes (Digest and Basic) 67 documented together in a single place. This transition has not yet 68 taken place. 70 Changes since RFC 2069 was issued: 72 Inclusion of a missing ')' in the BNF production for "response-digest" in section 73 2.1.2, the replacement of "digest-opaque" by "opaque" in the 74 production for "digest-challenge" in the same section, and the 75 replacement the value of the "response" field in the example in 76 section 2.4. This last change was done to make the this value be an 77 accurate computation of the digest of the example data. 79 An optional "digest-required" field was added to both the 80 "WWW-Authenticate" response header (section 2.1.1) and the 81 "Authorization" request header (section 2.1.2). (Issue 82 DIGEST-REQUIRED. 84 The PROXY-LENGTH, PROXY-MAXAGE issues have NOT yet been incorporated. 86 Table of Contents 88 INTRODUCTION...................................................... 2 89 1.1 PURPOSE .................................................... 2 90 1.2 OVERALL OPERATION .......................................... 3 91 1.3 REPRESENTATION OF DIGEST VALUES ............................ 3 92 1.4 LIMITATIONS ................................................ 3 93 2. DIGEST ACCESS AUTHENTICATION SCHEME............................ 3 94 2.1 SPECIFICATION OF DIGEST HEADERS ............................. 3 95 2.1.1 THE WWW-AUTHENTICATE RESPONSE HEADER ..................... 4 96 2.1.2 THE AUTHORIZATION REQUEST HEADER ......................... 6 97 2.1.3 THE AUTHENTICATION-INFO HEADER ........................... 9 98 2.2 DIGEST OPERATION ............................................ 10 99 2.3 SECURITY PROTOCOL NEGOTIATION ............................... 10 100 2.4 EXAMPLE ..................................................... 11 101 2.5 PROXY-AUTHENTICATION AND PROXY-AUTHORIZATION ................ 11 102 3. SECURITY CONSIDERATIONS........................................ 12 103 3.1 COMPARISON WITH BASIC AUTHENTICATION ........................ 13 104 3.2 REPLAY ATTACKS .............................................. 13 105 3.3 MAN IN THE MIDDLE ........................................... 14 106 3.4 SPOOFING BY COUNTERFEIT SERVERS ............................. 15 107 3.5 STORING PASSWORDS ........................................... 15 108 3.6 SUMMARY ..................................................... 16 109 4. ACKNOWLEDGMENTS............................................... 16 110 5. REFERENCES..................................................... 16 111 6. AUTHORS' ADDRESSES............................................. 17 113 Introduction 115 1.1 Purpose 117 The protocol referred to as "HTTP/1.0" includes specification for a 118 Basic Access Authentication scheme[1]. This scheme is not considered 119 to be a secure method of user authentication, as the user name and 120 password are passed over the network in an unencrypted form. A 121 specification for a new authentication scheme is needed for future 122 versions of the HTTP protocol. This document provides specification 123 for such a scheme, referred to as "Digest Access Authentication". 125 The Digest Access Authentication scheme is not intended to be a 126 complete answer to the need for security in the World Wide Web. This 127 scheme provides no encryption of object content. The intent is simply 128 to create a weak access authentication method which avoids the most 129 serious flaws of Basic authentication. 131 It is proposed that this access authentication scheme be included in 132 the proposed HTTP/1.1 specification. 134 1.2 Overall Operation 136 Like Basic Access Authentication, the Digest scheme is based on a 137 simple challenge-response paradigm. The Digest scheme challenges 138 using a nonce value. A valid response contains a checksum (by 139 default the MD5 checksum) of the username, the password, the given 140 nonce value, the HTTP method, and the requested URI. In this way, 141 the password is never sent in the clear. Just as with the Basic 142 scheme, the username and password must be prearranged in some fashion 143 which is not addressed by this document. 145 1.3 Representation of digest values 147 An optional header allows the server to specify the algorithm used to 148 create the checksum or digest. By default the MD5 algorithm is used 149 and that is the only algorithm described in this document. 151 For the purposes of this document, an MD5 digest of 128 bits is 152 represented as 32 ASCII printable characters. The bits in the 128 153 bit digest are converted from most significant to least significant 154 bit, four bits at a time to their ASCII presentation as follows. 155 Each four bits is represented by its familiar hexadecimal notation 156 from the characters 0123456789abcdef. That is, binary 0000 gets 157 represented by the character '0', 0001, by '1', and so on up to the 158 representation of 1111 as 'f'. 160 1.4 Limitations 162 The digest authentication scheme described in this document suffers 163 from many known limitations. It is intended as a replacement for 164 basic authentication and nothing more. It is a password-based system 165 and (on the server side) suffers from all the same problems of any 166 password system. In particular, no provision is made in this 167 protocol for the initial secure arrangement between user and server 168 to establish the user's password. 170 Users and implementors should be aware that this protocol is not as 171 secure as kerberos, and not as secure as any client-side private-key 172 scheme. Nevertheless it is better than nothing, better than what is 173 commonly used with telnet and ftp, and better than Basic 174 authentication. 176 2. Digest Access Authentication Scheme 178 2.1 Specification of Digest Headers 180 The Digest Access Authentication scheme is conceptually similar to 181 the Basic scheme. The formats of the modified WWW-Authenticate 182 header line and the Authorization header line are specified below, 183 using the extended BNF defined in the HTTP/1.1 specification, section 184 2.1. In addition, a new header, Authentication-info, is specified. 186 2.1.1 The WWW-Authenticate Response Header 188 If a server receives a request for an access-protected object, and an 189 acceptable Authorization header is not sent, the server responds with 190 a "401 Unauthorized" status code, and a WWW-Authenticate header, 191 which is defined as follows: 193 WWW-Authenticate = "WWW-Authenticate" ":" "Digest" 194 digest-challenge 196 digest-challenge = 1#( realm | [ domain ] | nonce | 197 [ opaque ] |[ stale ] | [ algorithm ] | 198 [ digest-required ] ) 200 realm = "realm" "=" realm-value 201 realm-value = quoted-string 202 domain = "domain" "=" <"> 1#URI <"> 203 nonce = "nonce" "=" nonce-value 204 nonce-value = quoted-string 205 opaque = "opaque" "=" quoted-string 206 stale = "stale" "=" ( "true" | "false" ) 207 algorithm = "algorithm" "=" ( "MD5" | token ) 208 digest-required = "digest-required" 210 The meanings of the values of the parameters used above are as 211 follows: 213 realm 214 A string to be displayed to users so they know which username and 215 password to use. This string should contain at least the name of 216 the host performing the authentication and might additionally 217 indicate the collection of users who might have access. An example 218 might be "registered_users@gotham.news.com". The realm is a 219 "quoted-string" as specified in section 2.2 of the HTTP/1.1 220 specification [2]. 222 domain 223 A comma-separated list of URIs, as specified for HTTP/1.0. The 224 intent is that the client could use this information to know the 225 set of URIs for which the same authentication information should be 226 sent. The URIs in this list may exist on different servers. If 227 this keyword is omitted or empty, the client should assume that the 228 domain consists of all URIs on the responding server. 230 nonce 231 A server-specified data string which may be uniquely generated each 232 time a 401 response is made. It is recommended that this string be 233 base64 or hexadecimal data. Specifically, since the string is 234 passed in the header lines as a quoted string, the double-quote 235 character is not allowed. 237 The contents of the nonce are implementation dependent. The 238 quality of the implementation depends on a good choice. A 239 recommended nonce would include 241 H(client-IP ":" time-stamp ":" private-key ) 243 Where client-IP is the dotted quad IP address of the client making 244 the request, time-stamp is a server-generated time value, private- 245 key is data known only to the server. With a nonce of this form a 246 server would normally recalculate the nonce after receiving the 247 client authentication header and reject the request if it did not 248 match the nonce from that header. In this way the server can limit 249 the reuse of a nonce to the IP address to which it was issued and 250 limit the time of the nonce's validity. Further discussion of the 251 rationale for nonce construction is in section 3.2 below. 253 An implementation might choose not to accept a previously used 254 nonce or a previously used digest to protect against a replay 255 attack. Or, an implementation might choose to use one-time nonces 256 or digests for POST or PUT requests and a time-stamp for GET 257 requests. For more details on the issues involved see section 3. 258 of this document. 260 The nonce is opaque to the client. 262 opaque 263 A string of data, specified by the server, which should be 264 returned by the client unchanged. It is recommended that this 265 string be base64 or hexadecimal data. This field is a 266 "quoted-string" as specified in section 2.2 of the HTTP/1.1 267 specification [2]. 269 stale 270 A flag, indicating that the previous request from the client was 271 rejected because the nonce value was stale. If stale is TRUE (in 272 upper or lower case), the client may wish to simply retry the 273 request with a new encrypted response, without reprompting the 274 user for a new username and password. The server should only set 275 stale to true if it receives a request for which the nonce is 276 invalid but with a valid digest for that nonce (indicating that 277 the client knows the correct username/password). 279 algorithm 280 A string indicating a pair of algorithms used to produce the 281 digest and a checksum. If this not present it is assumed to be 282 "MD5". In this document the string obtained by applying the 283 digest algorithm to the data "data" with secret "secret" will be 284 denoted by KD(secret, data), and the string obtained by applying 285 the checksum algorithm to the data "data" will be denoted 286 H(data). 288 For the "MD5" algorithm 290 H(data) = MD5(data) 292 and 294 KD(secret, data) = H(concat(secret, ":", data)) 296 i.e., the digest is the MD5 of the secret concatenated with a colon 297 concatenated with the data. 299 digest-required 300 A flag, indicating that any request with an entity-body (such as a PUT 301 or a POST) for the resource to which this response applies MUST 302 include the 'digest' attribute in its Authorization header. If the 303 request has no entity-body (such as a GET) then the digest-required 304 field can be ignored. If a request with an entity-body is made without 305 the digest field in response to an authentication header with the 306 digest-required field, then this request is an error and the 307 request MUST not be honored. 309 2.1.2 The Authorization Request Header 311 The client is expected to retry the request, passing an Authorization 312 header line, which is defined as follows. 314 Authorization = "Authorization" ":" "Digest" digest-response 316 digest-response = 1#( username | realm | nonce | digest-uri | 317 response | [ digest ] | [ algorithm ] | 318 opaque | [digest-required] ) 320 username = "username" "=" username-value 321 username-value = quoted-string 322 digest-uri = "uri" "=" digest-uri-value 323 digest-uri-value = request-uri ; As specified by HTTP/1.1 324 response = "response" "=" response-digest 325 digest = "digest" "=" entity-digest 326 opaque = "opaque" "=" quoted-string 327 algorithm = "algorithm" "=" ( "MD5" | token ) 328 digest-required = "digest-required" 330 response-digest = <"> *LHEX <"> 331 entity-digest = <"> *LHEX <"> 332 LHEX = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | 333 "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f" 335 The values of the opaque and algorithm fields must be those supplied 336 in the WWW-Authenticate response header for the entity being 337 requested. 339 The digest-required field is a flag, indicating that the response to 340 this request MUST either include the 'digest' field in its 341 Authentication-Info header or the response should be an error 342 message indicating the server is unable or unwilling to supply 343 this field. In the latter case the requested entity MUST not be returned 344 as part of the response. 346 The definitions of response-digest and entity-digest above indicate 347 the encoding for their values. The following definitions show how the 348 value is computed: 350 response-digest = 351 <"> < KD ( H(A1), unquoted nonce-value ":" H(A2) ) > <"> 353 A1 = unquoted username-value ":" unquoted realm-value 354 ":" password 355 password = < user's password > 356 A2 = Method ":" digest-uri-value 358 The "username-value" field is a "quoted-string" as specified in 359 section 2.2 of the HTTP/1.1 specification [2]. However, the 360 surrounding quotation marks are removed in forming the string A1. 361 Thus if the Authorization header includes the fields 363 username="Mufasa", realm="myhost@testrealm.com" 365 and the user Mufasa has password "CircleOfLife" then H(A1) would be 366 H(Mufasa:myhost@testrealm.com:CircleOfLife) with no quotation marks 367 in the digested string. 369 No white space is allowed in any of the strings to which the digest 370 function H() is applied unless that white space exists in the quoted 371 strings or entity body whose contents make up the string to be 372 digested. For example, the string A1 in the illustrated above must 373 be Mufasa:myhost@testrealm.com:CircleOfLife with no white space on 374 either side of the colons. Likewise, the other strings digested by 375 H() must not have white space on either side of the colons which 376 delimit their fields unless that white space was in the quoted 377 strings or entity body being digested. 379 "Method" is the HTTP request method as specified in section 5.1 of 380 [2]. The "request-uri" value is the Request-URI from the request 381 line as specified in section 5.1 of [2]. This may be "*", an 382 "absoluteURL" or an "abs_path" as specified in section 5.1.2 of [2], 383 but it MUST agree with the Request-URI. In particular, it MUST be an 384 "absoluteURL" if the Request-URI is an "absoluteURL". 386 The authenticating server must assure that the document designated by 387 the "uri" parameter is the same as the document served. The purpose 388 of duplicating information from the request URL in this field is to 389 deal with the possibility that an intermediate proxy may alter the 390 client's request. This altered (but presumably semantically 391 equivalent) request would not result in the same digest as that 392 calculated by the client. 394 The optional "digest" field contains a digest of the entity body and 395 some of the associated entity headers. This digest can be useful in 396 both request and response transactions. In a request it can insure 397 the integrity of POST data or data being PUT to the server. In a 398 response it insures the integrity of the served document. The value 399 of the "digest" field is an which is defined as 400 follows. 402 entity-digest = <"> KD (H(A1), unquoted nonce-value ":" Method ":" 403 date ":" entity-info ":" H(entity-body)) <"> 404 ; format is <"> *LHEX <"> 406 date = = rfc1123-date ; see section 3.3.1 of [2] 407 entity-info = H( 408 digest-uri-value ":" 409 media-type ":" ; Content-type, see section 3.7 of [2] 410 *DIGIT ":" ; Content length, see 10.12 of [2] 411 content-coding ":" ; Content-encoding, see 3.5 of [2] 412 last-modified ":" ; last modified date, see 10.25 of [2] 413 expires ; expiration date; see 10.19 of [2] 414 ) 416 last-modified = rfc1123-date ; see section 3.3.1 of [2] 417 expires = rfc1123-date 419 The entity-info elements incorporate the values of the URI used to 420 request the entity as well as the associated entity headers Content- 421 type, Content-length, Content-encoding, Last-modified, and Expires. 422 These headers are all end-to-end headers (see section 13.5.1 of [2]) 423 which must not be modified by proxy caches. The "entity-body" is as 424 specified by section 10.13 of [2] or RFC 1864. 426 Note that not all entities will have an associated URI or all of 427 these headers. For example, an entity which is the data of a POST 428 request will typically not have a digest-uri-value or Last-modified 429 or Expires headers. If an entity does not have a digest-uri-value or 430 a header corresponding to one of the entity-info fields, then that 431 field is left empty in the computation of entity-info. All the 432 colons specified above are present, however. For example the value 433 of the entity-info associated with POST data which has content-type 434 "text/plain", no content-encoding and a length of 255 bytes would be 435 H(:text/plain:255:::). Similarly a request may not have a "Date" 436 header. In this case the date field of the entity-digest should be 437 empty. 439 In the entity-info and entity-digest computations, except for the 440 blank after the comma in "rfc1123-date", there must be no white space 441 between "words" and "tspecials", and exactly one blank between 442 "words" (see section 2.2 of [2]). 444 Implementors should be aware of how authenticated transactions 445 interact with proxy caches. The HTTP/1.1 protocol specifies that 446 when a shared cache (see section 13.10 of [2]) has received a request 447 containing an Authorization header and a response from relaying that 448 request, it MUST NOT return that response as a reply to any other 449 request, unless one of two Cache-control (see section 14.9 of [2]) 450 directives was present in the response. If the original response 451 included the "must-revalidate" Cache-control directive, the cache MAY 452 use the entity of that response in replying to a subsequent request, 453 but MUST first revalidate it with the origin server, using the 454 request headers from the new request to allow the origin server to 455 authenticate the new request. Alternatively, if the original 456 response included the "public" Cache-control directive, the response 457 entity MAY be returned in reply to any subsequent request. 459 2.1.3 The AuthenticationInfo Header 461 When authentication succeeds, the Server may optionally provide a 462 Authentication-info header indicating that the server wants to 463 communicate some information regarding the successful authentication 464 (such as an entity digest or a new nonce to be used for the next 465 transaction). It has two fields, digest and nextnonce. Both are 466 optional. 468 AuthenticationInfo = "Authentication-info" ":" 469 1#( digest | nextnonce ) 471 nextnonce = "nextnonce" "=" nonce-value 473 digest = "digest" "=" entity-digest 475 The optional digest allows the client to verify that the body of the 476 response has not been changed en-route. The server would probably 477 only send this when it has the document and can compute it. The 478 server would probably not bother generating this header for CGI 479 output. The value of the "digest" is an which is 480 computed as described above. 482 The value of the nextnonce parameter is the nonce the server wishes 483 the client to use for the next authentication response. Note that 484 either field is optional. In particular the server may send the 485 Authentication-info header with only the nextnonce field as a means 486 of implementing one-time nonces. If the nextnonce field is present 487 the client is strongly encouraged to use it for the next WWW- 488 Authenticate header. Failure of the client to do so may result in a 489 request to re-authenticate from the server with the "stale=TRUE." 491 2.2 Digest Operation 493 Upon receiving the Authorization header, the server may check its 494 validity by looking up its known password which corresponds to the 495 submitted username. Then, the server must perform the same MD5 496 operation performed by the client, and compare the result to the 497 given response-digest. 499 Note that the HTTP server does not actually need to know the user's 500 clear text password. As long as H(A1) is available to the server, 501 the validity of an Authorization header may be verified. 503 A client may remember the username, password and nonce values, so 504 that future requests within the specified may include the 505 Authorization header preemptively. The server may choose to accept 506 the old Authorization header information, even though the nonce value 507 included might not be fresh. Alternatively, the server could return a 508 401 response with a new nonce value, causing the client to retry the 509 request. By specifying stale=TRUE with this response, the server 510 hints to the client that the request should be retried with the new 511 nonce, without reprompting the user for a new username and password. 513 The opaque data is useful for transporting state information around. 514 For example, a server could be responsible for authenticating content 515 which actually sits on another server. The first 401 response would 516 include a domain field which includes the URI on the second server, 517 and the opaque field for specifying state information. The client 518 will retry the request, at which time the server may respond with a 519 301/302 redirection, pointing to the URI on the second server. The 520 client will follow the redirection, and pass the same Authorization 521 header, including the data which the second server may 522 require. 524 As with the basic scheme, proxies must be completely transparent in 525 the Digest access authentication scheme. That is, they must forward 526 the WWW-Authenticate, Authentication-info and Authorization headers 527 untouched. If a proxy wants to authenticate a client before a request 528 is forwarded to the server, it can be done using the Proxy- 529 Authenticate and Proxy-Authorization headers described in section 2.5 530 below. 532 2.3 Security Protocol Negotiation 534 It is useful for a server to be able to know which security schemes a 535 client is capable of handling. 537 If this proposal is accepted as a required part of the HTTP/1.1 538 specification, then a server may assume Digest support when a client 539 identifies itself as HTTP/1.1 compliant. 541 It is possible that a server may want to require Digest as its 542 authentication method, even if the server does not know that the 543 client supports it. A client is encouraged to fail gracefully if the 544 server specifies any authentication scheme it cannot handle. 546 2.4 Example 548 The following example assumes that an access-protected document is 549 being requested from the server. The URI of the document is 550 "http://www.nowhere.org/dir/index.html". Both client and server know 551 that the username for this document is "Mufasa", and the password is 552 "CircleOfLife". 554 The first time the client requests the document, no Authorization 555 header is sent, so the server responds with: 557 HTTP/1.1 401 Unauthorized 558 WWW-Authenticate: Digest realm="testrealm@host.com", 559 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", 560 opaque="5ccc069c403ebaf9f0171e9517f40e41" 562 The client may prompt the user for the username and password, after 563 which it will respond with a new request, including the following 564 Authorization header: 566 Authorization: Digest username="Mufasa", 567 realm="testrealm@host.com", 568 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", 569 uri="/dir/index.html", 570 response="1949323746fe6a43ef61f9606e7febea", 571 opaque="5ccc069c403ebaf9f0171e9517f40e41" 573 2.5 Proxy-Authentication and Proxy-Authorization 575 The digest authentication scheme may also be used for authenticating 576 users to proxies, proxies to proxies, or proxies to end servers by 577 use of the Proxy-Authenticate and Proxy-Authorization headers. These 578 headers are instances of the general Proxy-Authenticate and Proxy- 579 Authorization headers specified in sections 10.30 and 10.31 of the 580 HTTP/1.1 specification [2] and their behavior is subject to 581 restrictions described there. The transactions for proxy 582 authentication are very similar to those already described. Upon 583 receiving a request which requires authentication, the proxy/server 584 must issue the "HTTP/1.1 401 Unauthorized" header followed by a 585 "Proxy-Authenticate" header of the form 586 Proxy-Authentication = "Proxy-Authentication" ":" "Digest" 587 digest-challenge 589 where digest-challenge is as defined above in section 2.1. The 590 client/proxy must then re-issue the request with a Proxy-Authenticate 591 header of the form 593 Proxy-Authorization = "Proxy-Authorization" ":" 594 digest-response 596 where digest-response is as defined above in section 2.1. When 597 authentication succeeds, the Server may optionally provide a Proxy- 598 Authentication-info header of the form 600 Proxy-Authentication-info = "Proxy-Authentication-info" ":" nextnonce 602 where nextnonce has the same semantics as the nextnonce field in the 603 Authentication-info header described above in section 2.1. 605 Note that in principle a client could be asked to authenticate itself 606 to both a proxy and an end-server. It might receive an "HTTP/1.1 401 607 Unauthorized" header followed by both a WWW-Authenticate and a 608 Proxy-Authenticate header. However, it can never receive more than 609 one Proxy-Authenticate header since such headers are only for 610 immediate connections and must not be passed on by proxies. If the 611 client receives both headers, it must respond with both the 612 Authorization and Proxy-Authorization headers as described above, 613 which will likely involve different combinations of username, 614 password, nonce, etc. 616 3. Security Considerations 618 Digest Authentication does not provide a strong authentication 619 mechanism. That is not its intent. It is intended solely to replace 620 a much weaker and even more dangerous authentication mechanism: Basic 621 Authentication. An important design constraint is that the new 622 authentication scheme be free of patent and export restrictions. 624 Most needs for secure HTTP transactions cannot be met by Digest 625 Authentication. For those needs SSL or SHTTP are more appropriate 626 protocols. In particular digest authentication cannot be used for 627 any transaction requiring encrypted content. Nevertheless many 628 functions remain for which digest authentication is both useful and 629 appropriate. 631 3.1 Comparison with Basic Authentication 633 Both Digest and Basic Authentication are very much on the weak end of 634 the security strength spectrum. But a comparison between the two 635 points out the utility, even necessity, of replacing Basic by Digest. 637 The greatest threat to the type of transactions for which these 638 protocols are used is network snooping. This kind of transaction 639 might involve, for example, online access to a database whose use is 640 restricted to paying subscribers. With Basic authentication an 641 eavesdropper can obtain the password of the user. This not only 642 permits him to access anything in the database, but, often worse, 643 will permit access to anything else the user protects with the same 644 password. 646 By contrast, with Digest Authentication the eavesdropper only gets 647 access to the transaction in question and not to the user's password. 648 The information gained by the eavesdropper would permit a replay 649 attack, but only with a request for the same document, and even that 650 might be difficult. 652 3.2 Replay Attacks 654 A replay attack against digest authentication would usually be 655 pointless for a simple GET request since an eavesdropper would 656 already have seen the only document he could obtain with a replay. 657 This is because the URI of the requested document is digested in the 658 client response and the server will only deliver that document. By 659 contrast under Basic Authentication once the eavesdropper has the 660 user's password, any document protected by that password is open to 661 him. A GET request containing form data could only be "replayed" 662 with the identical data. However, this could be problematic if it 663 caused a CGI script to take some action on the server. 665 Thus, for some purposes, it is necessary to protect against replay 666 attacks. A good digest implementation can do this in various ways. 667 The server created "nonce" value is implementation dependent, but if 668 it contains a digest of the client IP, a time-stamp, and a private 669 server key (as recommended above) then a replay attack is not simple. 670 An attacker must convince the server that the request is coming from 671 a false IP address and must cause the server to deliver the document 672 to an IP address different from the address to which it believes it 673 is sending the document. An attack can only succeed in the period 674 before the time-stamp expires. Digesting the client IP and time- 675 stamp in the nonce permits an implementation which does not maintain 676 state between transactions. 678 For applications where no possibility of replay attack can be 679 tolerated the server can use one-time response digests which will not 680 be honored for a second use. This requires the overhead of the 681 server remembering which digests have been used until the nonce 682 time-stamp (and hence the digest built with it) has expired, but it 683 effectively protects against replay attacks. Instead of maintaining a 684 list of the values of used digests, a server would hash these values 685 and require re-authentication whenever a hash collision occurs. 687 An implementation must give special attention to the possibility of 688 replay attacks with POST and PUT requests. A successful replay 689 attack could result in counterfeit form data or a counterfeit version 690 of a PUT file. The use of one-time digests or one-time nonces is 691 recommended. It is also recommended that the optional be 692 implemented for use with POST or PUT requests to assure the integrity 693 of the posted data. Alternatively, a server may choose to allow 694 digest authentication only with GET requests. Responsible server 695 implementors will document the risks described here as they pertain 696 to a given implementation. 698 3.3 Man in the Middle 700 Both Basic and Digest authentication are vulnerable to "man in the 701 middle" attacks, for example, from a hostile or compromised proxy. 702 Clearly, this would present all the problems of eavesdropping. But 703 it could also offer some additional threats. 705 A simple but effective attack would be to replace the Digest 706 challenge with a Basic challenge, to spoof the client into revealing 707 their password. To protect against this attack, clients should 709 remember if a site has used Digest authentication in the past, and 710 warn the user if the site stops using it. It might also be a good 711 idea for the browser to be configured to demand Digest authentication 712 in general, or from specific sites. 714 Or, a hostile proxy might spoof the client into making a request the 715 attacker wanted rather than one the client wanted. Of course, this 716 is still much harder than a comparable attack against Basic 717 Authentication. 719 There are several attacks on the "digest" field in the 720 Authentication-info header. The attacker can alter any of the 721 entity-headers not incorporated in the computation of the digest, The 722 attacker can alter most of the request headers in the client's 723 request, and can alter any response header in the origin-server's 724 reply, except those headers whose values are incorporated into the 725 "digest" field. 727 Alteration of Accept* or User-Agent request headers can only result 728 in a denial of service attack that returns content in an unacceptable 729 media type or language. Alteration of cache control headers also can 730 only result in denial of service. Alteration of Host will be 731 detected, if the full URL is in the response-digest. Alteration of 732 Referer or From is not important, as these are only hints. 734 3.4 Spoofing by Counterfeit Servers 736 Basic Authentication is vulnerable to spoofing by counterfeit 737 servers. If a user can be led to believe that she is connecting to a 738 host containing information protected by a password she knows, when 739 in fact she is connecting to a hostile server, then the hostile 740 server can request a password, store it away for later use, and feign 741 an error. This type of attack is more difficult with Digest 742 Authentication -- but the client must know to demand that Digest 743 authentication be used, perhaps using some of the techniques 744 described above to counter "man-in-the-middle" attacks. 746 3.5 Storing passwords 748 Digest authentication requires that the authenticating agent (usually 749 the server) store some data derived from the user's name and password 750 in a "password file" associated with a given realm. Normally this 751 might contain pairs consisting of username and H(A1), where H(A1) is 752 the digested value of the username, realm, and password as described 753 above. 755 The security implications of this are that if this password file is 756 compromised, then an attacker gains immediate access to documents on 757 the server using this realm. Unlike, say a standard UNIX password 758 file, this information need not be decrypted in order to access 759 documents in the server realm associated with this file. On the 760 other hand, decryption, or more likely a brute force attack, would be 761 necessary to obtain the user's password. This is the reason that the 762 realm is part of the digested data stored in the password file. It 763 means that if one digest authentication password file is compromised, 764 it does not automatically compromise others with the same username 765 and password (though it does expose them to brute force attack). 767 There are two important security consequences of this. First the 768 password file must be protected as if it contained unencrypted 769 passwords, because for the purpose of accessing documents in its 770 realm, it effectively does. 772 A second consequence of this is that the realm string should be 773 unique among all realms which any single user is likely to use. In 774 particular a realm string should include the name of the host doing 775 the authentication. The inability of the client to authenticate the 776 server is a weakness of Digest Authentication. 778 3.6 Summary 780 By modern cryptographic standards Digest Authentication is weak. But 781 for a large range of purposes it is valuable as a replacement for 782 Basic Authentication. It remedies many, but not all, weaknesses of 783 Basic Authentication. Its strength may vary depending on the 784 implementation. In particular the structure of the nonce (which is 785 dependent on the server implementation) may affect the ease of 786 mounting a replay attack. A range of server options is appropriate 787 since, for example, some implementations may be willing to accept the 788 server overhead of one-time nonces or digests to eliminate the 789 possibility of replay while others may satisfied with a nonce like 790 the one recommended above restricted to a single IP address and with 791 a limited lifetime. 793 The bottom line is that *any* compliant implementation will be 794 relatively weak by cryptographic standards, but *any* compliant 795 implementation will be far superior to Basic Authentication. 797 4. Acknowledgments 799 In addition to the authors, valuable discussion instrumental in 800 creating this document has come from Peter J. Churchyard, Ned Freed, 801 and David M. Kristol. 803 5. References 805 [1] Berners-Lee, T., Fielding, R., and H. Frystyk, 806 "Hypertext Transfer Protocol -- HTTP/1.0", 807 RFC 1945, May 1996. 809 [2] Berners-Lee, T., Fielding, R., and H. Frystyk, 810 "Hypertext Transfer Protocol -- HTTP/1.1" 811 RFC 2068,July 30, 1977. 813 [3] Rivest, R., "The MD5 Message-Digest Algorithm", 814 RFC 1321, April 1992. 816 6. Authors' Addresses 818 John Franks 819 Professor of Mathematics 820 Department of Mathematics 821 Northwestern University 822 Evanston, IL 60208-2730, USA 824 EMail: john@math.nwu.edu 826 Phillip M. Hallam-Baker 827 European Union Fellow 828 CERN 829 Geneva 830 Switzerland 832 EMail: hallam@w3.org 834 Jeffery L. Hostetler 835 Senior Software Engineer 836 Spyglass, Inc. 837 3200 Farber Drive 838 Champaign, IL 61821, USA 840 EMail: jeff@spyglass.com 842 Paul J. Leach 843 Microsoft Corporation 844 1 Microsoft Way 845 Redmond, WA 98052, USA 847 EMail: paulle@microsoft.com 849 Ari Luotonen 850 Member of Technical Staff 851 Netscape Communications Corporation 852 501 East Middlefield Road 853 Mountain View, CA 94043, USA 855 EMail: luotonen@netscape.com 856 Eric W. Sink 857 Senior Software Engineer 858 Spyglass, Inc. 859 3200 Farber Drive 860 Champaign, IL 61821, USA 862 EMail: eric@spyglass.com 864 Lawrence C. Stewart 865 Open Market, Inc. 866 215 First Street 867 Cambridge, MA 02142, USA 869 EMail: stewart@OpenMarket.com