1 Digest Authentication Herng-Yow Chen


Digest Authentication

Herng-Yow Chen


Outline

Theory and practice of digest authentication.

The improvement of Digest Authentication


Problem of Basic Authentication

Basic authentication is convenient and flexible but completely insecure.

Usernames and passwords are sent in the clear (using a base-64 encoding, which can be decoded easily).

Base-64 encoding protects against unintentional or accidental viewing but offers no confidentiality protection against malicious parties.

The only way to use basic authentication securely is to use it in conjunction with SSL (discussed later).


Introduction

Digest authentication was developed as a compatible, more secure alternative to basic authentication.

Even though digest authentication is not yet in wide use, the concepts are still important for anyone implementing secure transactions.


The improvements of Digest Authentication

Digest authentication is an alternate HTTP authentication protocol that tries to fix the most serious flaws of basic authentication. In particular, digest authentication:

Never sends secret passwords across the network in the clear

Prevents unscrupulous individuals from capturing and replaying handshakes

Optionally can guard against tampering with message content

Guards against several other common forms of attacks.


The improvements of Digest Authentication Cont.

Digest authentication is not the most secure protocol possible. Many needs for secure HTTP transactions cannot be met by digest authentication.

For those needs, Transport Layer Security (TLS) and Secure HTTP (HTTPS) are more appropriate protocols.

However, digest authentication is significantly stronger than basic authentication, which it was designed to replace.

Digest authentication also is stronger than many popular schemes proposed for other Internet services, such as CRAM-MD5, which has been proposed for use with LDAP, POP, and IMAP.


The improvements of Digest Authentication Cont.

To date, digest authentication has not been deployed. However, because of the security risks inherent to basic authentication, the HTTP architects counsel in RFC 2617 that “any service in present use that uses Basic should be switched to Digest as soon as practical.”


Using Digests to Keep Passwords Secret

The motto of digest authentication is “never send the password across the network.”

Instead of sending the password, the client sends a “fingerprint” or “digest” of the password, which is an irreversible scrambling of the password.

The client and the server both know the secret password, so the server can verify that the digest provided is a correct match for the password.


Using Digests to Keep Passwords Secret Cont.

Given only the digest, a bad guy has no easy way to find what password it came from, other than going through every password in the universe, trying each one.

However, there are techniques, such as dictionary attacks, where common passwords are tried first. These cryptanalysis techniques can dramatically ease the process of cracking passwords.


Using Digests for password-obscured authentication

(a) Request (client to server, over the Internet): “Please give me the internal sales forecast.”

(b) Challenge (server to client): “You requested a secret financial document. Please tell me your username and password digests.”

(c) Authorization (client to server): the client asks the user for username and password and computes digest(“0w!”)=A3F5, then sends: “Please give me the internal sales forecast. My username is “bri”. My digested password is “A3F5”.”

(d) Success (server to client): the server computes digest(“0w!”)=A3F5. This is a match! “OK. The digest you sent me matches the digest of my internal password, so here is the document.”


One-Way Digests

A digest is a “condensation of a body of information” (Merriam-Webster dictionary, 1998).

Digests act as one-way functions, typically converting an infinite number of possible input values into a finite range of condensations.

In theory, it is possible to have two distinct inputs map to the same digest, called a “collision.” In practice, the number of potential outputs is so large that the chance of a collision in real life is vanishingly small and, for the purpose of password matching, unimportant.


Message Digest #5 (MD5)

One popular digest function, MD5, converts any arbitrary sequence of bytes, of any length, into a 128-bit digest.

128 bits = 2^128, or about 1,000,000,000,000,000,000,000,000,000,000,000,000,000 = 10^39 possible distinct condensations.


MD5 Cont.

If you don’t know the secret password, you’ll have an awfully hard time guessing the correct digest to send to the server.

And likewise, if you have the digest, you will have an awfully hard time figuring out which of the effectively infinite number of input values generated it.


MD5 Cont.

The 128 bits of MD5 output often are written as 32 hexadecimal characters, each character representing 4 bits.

Digest functions sometimes are called cryptographic checksums, one-way hash functions, or fingerprint functions.


MD5 digest examples

Input | MD5 digest

“Hi” | C1A5298F939E87E8F962A5EDFC206918

“bri:0w!” | BEAAA0E34EBDB072F8627C038AB211F8

“3.1415926535897” | 475B977E19ECEE70835BC6DF46F4F6DE

“http://www.http-guide.com/index.htm” | C617C0C7D1D05F66F595E22A4B0EAAA5

“We hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are life, Liberty and the Pursuit of Happiness-That to secure these Rights, Governments are instituted among Men, deriving their just Powers from the Consent of the Governed, that whenever any Form of Government becomes destructive of these Ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its Foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Safety and Happiness.” | 66C4EF58DA7CB956BD04233FBB64E0A4


Using Nonces to Prevent Replays

One-way digests save us from having to send passwords in the clear. We can just send a digest of the password instead, and rest assured that no malicious party can easily decode the original password from the digest.

Unfortunately, obscured passwords alone do not save us from danger, because a bad guy can capture the digest and replay it over and over again to the server, even though the bad guy doesn’t know the password. The digest is just as good as the password.


Using Nonces to Prevent Replays Cont.

To prevent such replay attacks, the server can pass along to the client a special token called a nonce, which changes frequently (perhaps every millisecond, or for every authentication).

The client appends this nonce token to the password before computing the digest.

Mixing the nonce in with the password causes the digest to change each time the nonce changes. This prevents replay attacks.


Using Nonces to Prevent Replays Cont.

Digest authentication requires the use of nonces, because a trivial replay weakness would make un-nonced digest authentication effectively as weak as basic authentication.

Nonces are passed from server to client in the WWW-Authenticate challenge.


The Digest Authentication Handshake

Participants: Client and server (www.ncnu.edu.tw)

(1) Server generates nonce

(2) Server sends realm, nonce, algorithms, in the WWW-Authenticate (challenge) header

(3) Client chooses algorithm from set [generate response digest] [generate client-nonce]

(4) Client sends response digest [send algorithm] [send client-nonce], in the Authorization (response) header

(5) Server verifies digest [generate rspauth digest] [generate next nonce]

(6) Server sends next nonce [send client rspauth digest], in the Authentication-Info (info) header

(7) Client verifies rspauth digest


Basic versus digest authentication syntax

Basic authentication

(a) Query (client to server):

GET /cgi-bin/checkout?cart=17854 HTTP/1.1

(b) Challenge (server to client):

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Shopping Cart"

The client prompts the user: Shopping Cart, Username:, Password:

(c) Response (client to server):

GET /cgi-bin/checkout?cart=17854 HTTP/1.1
Authorization: Basic YnJpYW4tdG90dHk6T3ch

(d) Success (server to client):

HTTP/1.1 200 OK
…


Basic versus digest authentication syntax (cont.)


The Security-Related Data (A1)

Algorithm | A1

MD5 | A1 = <user>:<realm>:<password>

MD5-sess | A1 = MD5(<user>:<realm>:<password>):<nonce>:<cnonce>


The Message-Related Data (A2)

qop | A2

undefined | <request-method>:<uri-directive-value>

auth | <request-method>:<uri-directive-value>

auth-int | <request-method>:<uri-directive-value>:H(<request-entity-body>)


Overall Digest Algorithm

qop | Digest algorithm | Notes

undefined | KD(H(A1), <nonce>:H(A2)) | Deprecated

auth or auth-int | KD(H(A1), <nonce>:<nc>:<cnonce>:<qop>:H(A2)) | Preferred


Overall Digest Algorithm (cont.)

qop | Algorithm | Unfolded algorithm

undefined | <undefined>, MD5, MD5-sess | MD5(MD5(A1):<nonce>:MD5(A2))

auth | <undefined>, MD5, MD5-sess | MD5(MD5(A1):<nonce>:<nc>:<cnonce>:<qop>:MD5(A2))

auth-int | <undefined>, MD5, MD5-sess | MD5(MD5(A1):<nonce>:<nc>:<cnonce>:<qop>:MD5(A2))
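
Added example, not part of the original slides: the A1, A2 and KD tables above written out in Python, with a server-side check showing how the nonce and nonce count described under "Using Nonces to Prevent Replays" stop a captured response from being reused. The Server class, replay_demo and the URI are assumptions made for illustration; the username, password and realm are the slides' own sample values.

```python
import hashlib, hmac, secrets

def H(s):  # H() from the slides' tables; MD5 here
    return hashlib.md5(s.encode()).hexdigest()
def KD(secret, data):  # KD(secret, data) = H(secret ":" data), per RFC 2617
    return H(f"{secret}:{data}")

def digest_response(user, realm, password, method, uri, nonce, nc=None,
                    cnonce=None, qop=None, algorithm="MD5", body=""):
    a1 = f"{user}:{realm}:{password}"
    if algorithm == "MD5-sess":
        a1 = f"{H(a1)}:{nonce}:{cnonce}"
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        a2 += ":" + H(body)
    if qop is None:  # deprecated form: no nc or cnonce
        return KD(H(a1), f"{nonce}:{H(a2)}")
    return KD(H(a1), f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")

class Server:  # hypothetical verifier for this example
    def __init__(self, realm, passwords):
        self.realm, self.passwords, self.seen = realm, passwords, {}
    def challenge(self):  # fresh nonce for each WWW-Authenticate challenge
        nonce = secrets.token_hex(16)
        self.seen[nonce] = 0  # highest nonce count accepted so far
        return nonce
    def verify(self, method, uri, p):
        user, nonce = p["username"], p["nonce"]
        if user not in self.passwords or nonce not in self.seen:
            return False  # unknown user, or a nonce this server never issued
        nc = int(p["nc"], 16)
        if nc <= self.seen[nonce]:
            return False  # nonce count already used: replayed request
        want = digest_response(user, self.realm, self.passwords[user], method,
                               uri, nonce, p["nc"], p["cnonce"], p["qop"])
        ok = hmac.compare_digest(want.encode(), p["response"].encode())
        if ok:
            self.seen[nonce] = nc  # consume the count only on success
        return ok

def replay_demo():  # constructed URI; user, password and realm from the slides
    srv, uri = Server("Shopping Cart", {"bri": "0w!"}), "/cgi-bin/checkout"
    p = {"username": "bri", "nonce": srv.challenge(), "nc": "00000001",
         "cnonce": secrets.token_hex(4), "qop": "auth"}
    p["response"] = digest_response("bri", "Shopping Cart", "0w!", "GET", uri,
                                    p["nonce"], p["nc"], p["cnonce"], p["qop"])
    first, again = srv.verify("GET", uri, p), srv.verify("GET", uri, p)
    stale = srv.verify("GET", uri, dict(p, nonce=srv.challenge()))
    return first, again, stale
```

replay_demo() returns the result of the legitimate request, of the same message sent a second time, and of the captured response presented against a newly issued nonce.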


Preemptive Authorization


Symmetric Authentication

qop | A2

undefined | <request-method>:<uri-directive-value>

auth | <request-method>:<uri-directive-value>

auth-int | <request-method>:<uri-directive-value>:H(<request-entity-body>)


Symmetric Authentication (cont.)

qop | A2

undefined | <uri-directive-value>

auth | <uri-directive-value>

auth-int | <uri-directive-value>:H(<request-entity-body>)


Digest Authentication Headers


Reference

RFC 2617, “HTTP Authentication: Basic and Digest Access Authentication”, http://www.ietf.org/rfc/rfc2617.txt