Concept of Digest authentication - does it really work?

Question

As far as i understand, Digest authentication (which is a one way operation) hash the password and transmit the hashed data to the server. The server then will use the stored password, hash it and compare with equality against the received hash password. Supposed to be safe from middle man attack.

What i don't understand is if i'm the middle man hacker, i don't need the original password. Well just use the hash password since that is the one which the server will compared against.

So what's the use of this Digest authentication mechanism? Doesn't seem to work from this general overview.

Answer 1

Digest authentication doesn't work quite the way you've described.

1. The server doesn't store the unhashed password. The server stores a hash of Username:realm:password.
2. The client doesn't send the same hash for every authentication.

Digest auth is a challenge-response protocol. To start the process the client requests a protected URL and the server responds with the realm and a nonce. The client uses the realm and nonce to calculate:

md5(md5(username:realm:password):nonce:md5(httpMethod:uri))

The nonce causes each authentication to produce a different hash value, and in doing so prevents replay attacks. Further, it does provide some (weak) protection against attackers listening in on your communication because the plaintext password doesn't pass over the wire, although this does not stop an attacker from cracking the hash once they have it.