Hi folks, i searched on google for a simple explanation of digest authentication but didn't find any good ones. How does it differ from Basic Authentication other than sending credentials as plain text?
Please give an example of the transaction.
TIA
+1
A:
A hash of the credentials is sent over the wire.
HA1 = MD5(username:realm:password)
Philip Fourie
2010-03-05 02:47:23
from client to server? Could you please provide steps for the interaction?Wikipedia article is good but i need better explanation or example.
SoftwareGeek
2010-03-05 02:49:46
Yes the client generates the hash value and send it to the server. The Wikipedia article describes the protocol in detail, I suggest you reference that for more information.
Philip Fourie
2010-03-05 02:52:40
+4
A:
The only difference, as far as I know, is that it doesn't requires sending the username and password across the wire in plaintext.
The server gives the client a one-time use string (a nonce) that it combines with the username, realm, password and the URI request. The client runs all of those fields through an MD5 hashing method to produce a hash key.
It sends this hash key to the server along with the username and the realm to attempt to authenticate.
Server-side the same method is used to generate a hashkey, only instead of using the password typed in to the browser the server looks up the expected password for the user from its user DB. It looks up the stored password for this username, runs in through the same algorithm and compares it to what the client sent. If they match: access is granted, otherwise it can send back an 401 request to have the user retry or an access denied error (I forget the code sorry).
There's a nice overview of it on Wikipedia: http://en.wikipedia.org/wiki/Digest_access_authentication
Edit: I don't know if I made that any clearer that the wikipedia article, sorry!
You can think of it like this:
- Client makes request
- Client gets back a nonce from the server and a 401 authentication request
- Client sends back the following response array (username, realm, generate_md5_key(nonce, username, realm, URI, password_given_by_user_to_browser)) (yea, that's very simplified)
- The server takes username and realm (plus it knows the URI the client is requesting) and it looks up the password for that username. Then it goes and does its own version of generate_md5_key(nonce, username, realm, URI, password_I_have_for_this_user_in_my_db)
- It compares the output of generate_md5() that it got with the one the client sent, if they match the client sent the correct password. If they don't match the password sent was wrong.
Ian C.
2010-03-05 02:57:35
SoftwareGeek
2010-03-05 03:37:39
They are whatever the user types into the browser. The password needs to match whatever the server has stored for the password for that user. More likely than not it's something specific to that web application and not your Windows password. It very much depends on the way the web application is put together.
Ian C.
2010-03-05 03:48:00