 

Concept of Digest authentication - does it really work?

Tags:

security

As far as I understand, Digest authentication (which is a one-way operation) hashes the password and transmits the hashed data to the server. The server then uses the stored password, hashes it, and compares it for equality against the received hashed password. It's supposed to be safe from man-in-the-middle attacks.

What I don't understand is: if I'm the man-in-the-middle hacker, I don't need the original password. I'd just use the hashed password, since that is the one the server will compare against.

So what's the use of this Digest authentication mechanism? It doesn't seem to work, from this general overview.

yapkm01 asked Sep 01 '13 12:09




1 Answer

Digest authentication doesn't work quite the way you've described.

  1. The server doesn't store the unhashed password. The server stores a hash of Username:realm:password.
  2. The client doesn't send the same hash for every authentication.

Digest auth is a challenge-response protocol. To start the process, the client requests a protected URL and the server responds with the realm and a nonce. The client uses the realm and nonce to calculate:

md5(md5(username:realm:password):nonce:md5(httpMethod:uri))

The nonce causes each authentication to produce a different hash value, and in doing so prevents replay attacks. Further, it does provide some (weak) protection against attackers listening in on your communication, because the plaintext password doesn't pass over the wire, although this does not stop an attacker from cracking the hash once they have it.

Syon answered Nov 05 '22 03:11

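The exchange the answer describes, worked through end to end as an added example (this is not code from the original post or its author). It models both sides of the protocol: the server stores only HA1 = md5(username:realm:password) and hands out a random nonce per challenge; the client computes the "no qop" response form quoted in the answer, md5(HA1:nonce:md5(method:uri)); the server accepts each nonce exactly once, which is what makes a captured response useless for replay. The last function shows the answer's caveat: an eavesdropper who records one exchange can still guess passwords offline against it. The realm, user name, password and wordlist are constructed demo values. (A real RFC 2617 client with qop=auth also folds nc, cnonce and qop into the response; that variant is omitted here.)

```python
import hashlib
import secrets

# Constructed demo values, not taken from the original post.
REALM = "example.com"
USERNAME = "alice"
PASSWORD = "correct horse"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What the server stores instead of the plaintext password.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, method: str, uri: str) -> str:
    # The form quoted in the answer (RFC 2069 / "no qop"):
    # md5(md5(username:realm:password):nonce:md5(method:uri))
    return md5_hex(f"{h1}:{nonce}:{ha2(method, uri)}")


class DigestServer:
    """Minimal server side: stores HA1 per user, issues single-use nonces."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}          # username -> HA1 (never the plaintext password)
        self.outstanding = set()  # nonces issued and not yet consumed

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        # Fresh random nonce for every challenge; each is honoured once.
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str, response: str) -> bool:
        # Unknown or already-used nonce: reject. This is the replay defence.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        h1 = self.users.get(username)
        if h1 is None:
            return False
        expected = digest_response(h1, nonce, method, uri)
        return secrets.compare_digest(expected, response)


def client_authenticate(server: DigestServer, username: str, password: str, method: str, uri: str):
    """Client side: take the server's challenge, answer it. Returns (nonce, response)."""
    nonce = server.challenge()
    response = digest_response(ha1(username, server.realm, password), nonce, method, uri)
    return nonce, response


def replay_scenario():
    """A legitimate login, then an eavesdropper replays what it saw on the wire."""
    server = DigestServer(REALM)
    server.add_user(USERNAME, PASSWORD)
    nonce, response = client_authenticate(server, USERNAME, PASSWORD, "GET", "/secret")
    first = server.verify(USERNAME, nonce, "GET", "/secret", response)
    # Attacker resends the exact captured (nonce, response) pair.
    replay = server.verify(USERNAME, nonce, "GET", "/secret", response)
    # Attacker tries the captured response against a fresh challenge.
    fresh_nonce = server.challenge()
    reused = server.verify(USERNAME, fresh_nonce, "GET", "/secret", response)
    return first, replay, reused


def offline_crack(username: str, realm: str, nonce: str, method: str, uri: str,
                  response: str, wordlist):
    """The answer's caveat: with one captured exchange, guess passwords offline."""
    for guess in wordlist:
        if digest_response(ha1(username, realm, guess), nonce, method, uri) == response:
            return guess
    return None


if __name__ == "__main__":
    first, replay, reused = replay_scenario()
    print("legit login accepted:", first)        # True
    print("replayed pair accepted:", replay)     # False
    print("old response, new nonce:", reused)    # False
    nonce = "0123456789abcdef"
    captured = digest_response(ha1(USERNAME, REALM, PASSWORD), nonce, "GET", "/secret")
    print("offline guess:", offline_crack(USERNAME, REALM, nonce, "GET", "/secret",
                                          captured, ["password", "letmein", PASSWORD]))
```

Two things to take from running it: the same user authenticating twice produces two different responses, so the "just reuse the hash" attack from the question fails as soon as the server refuses to honour a nonce twice; and because everything except the password in the response is visible on the wire, the captured response is an offline cracking target, which is why the answer calls the protection weak and why Digest should still only be used over TLS.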