I have MD5 hashes of passwords in a database that I want to use against HTTP AUTH DIGEST. But in reading the docs, it looks like the digest hash contains a hash of the username,realm and plaintext password. Is there any way to use the MD5 hash of the password in this situation?
+2
A:
No. If the hash they need is generated like so:
MD5(username + realm + password)
You are out of luck.
If they are hashing the password like so:
MD5(MD5(password) + username + realm)
You'd be able to do that with just the hashed password. But it doesn't sound like that's what's going on.
Spencer Ruport
2009-08-10 21:24:38
Thanks, I was afraid that was the case.
2009-08-11 01:52:59
A:
No, you have to store in the tables the HA1 hash of Digest and use that for other types of auth (forms and Basic). See here: http://stackoverflow.com/questions/1000281/storing-password-in-tables-and-digest-authentication
Remus Rusanu
2009-08-10 21:24:52
+2
A:
No, this is not possible. The whole point of digest authentication is to avoid replay attacks, i.e. were somebody has only a hashed version (of some authentication data) rather than the real data.
Not only is it a hash of username, real, and plaintext password, but also a nonce, which will change every time. So you really need the plaintext password.
Martin v. Löwis
2009-08-10 21:25:48
A:
No. In digest authentication, the password is hashed with a challenge, there is no way to make it work with another hash.
Basic auth over HTTPS is more secure and it should work with your hashed password.
ZZ Coder
2009-08-10 21:27:30