MCSE - Somewhat OT: HTTP Authentication - Digest

 
Thread Tools Search this Thread
Old 10-24-2003, 02:33 PM   #1
Default Somewhat OT: HTTP Authentication - Digest


Not something an MCSE absolutely has to know, but someone complained that
there aren't any useful discussions here:

I had a discussion yesterday with a friend about digest http authentication,
what are your thoughts?

A webserver serving a protected document using the digest method answers
initial client requests with a 401 but includes an authentication challenge.
The server-generated 401 includes in the header a nonce, a random value.
This nonce is then encrypted along with the client's user name and password
(as well as some other data) and sent back to the server. The original nonce
is also sent back.

The server will then compare the client-generated hash value with its own
calculated value.

Question: In that calculation, does the server use the nonce sent back by
the client or does it *remember* the nonce value it originally sent? The
reason I ask: that would make it a stateful protocol..

If the server does not remember the original nonce value, then the purpose
of the nonce is simply to enable the client to send a different hash value
with every request, even if the same URL is requested over and over again.
That's a good reason for it to exist, but then why does the server generate
and send it in the first place? The client could just generate the nonce
itself..

If the server does remember, it would enable the server to control the
maximum time the client has to authenticate, among other stuff..

Some of those goals are mentioned in RFC 2617 but to us it was not clear if
those requests are realized in HTTP 1.0..





EJ
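An added example, not part of the original post: a Python sketch of a server that verifies with the nonce the client echoes back while keeping no per-client state, because the nonce carries its own timestamp and a keyed MAC. It is modelled on the timestamp-plus-keyed-hash nonce RFC 2617 suggests, with HMAC-SHA256 swapped in; `SERVER_SECRET`, `NONCE_LIFETIME`, the function names and all sample values are assumptions.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: key known only to the server
NONCE_LIFETIME = 300                        # assumption: seconds a nonce stays valid

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def _mac(ts: str) -> str:
    return hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()

def make_nonce(now: float) -> str:
    """Nonce = issue time + MAC over it; nothing is stored server-side."""
    ts = str(int(now))
    return f"{ts}:{_mac(ts)}"

def nonce_is_valid(nonce: str, now: float) -> bool:
    """Accept only nonces this server issued and that have not expired."""
    ts, _, mac = nonce.partition(":")
    if not (ts.isascii() and ts.isdigit()):
        return False
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False  # client-invented or tampered nonce
    return 0 <= now - int(ts) <= NONCE_LIFETIME

def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_check(creds: dict, password: str, method: str, now: float) -> bool:
    """Recompute the hash from the echoed nonce, after proving we issued it."""
    if not nonce_is_valid(creds["nonce"], now):
        return False  # a real server would answer with a fresh 401 challenge
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"])
    return hmac.compare_digest(expected.encode(), creds["response"].encode())

if __name__ == "__main__":
    t0 = 1_000_000  # constructed issue time
    nonce = make_nonce(t0)
    creds = {"username": "ej", "realm": "demo", "uri": "/doc", "nonce": nonce,
             "response": digest_response("ej", "demo", "pw", "GET", "/doc", nonce)}
    print(server_check(creds, "pw", "GET", t0 + 10))   # within lifetime
    print(server_check(creds, "pw", "GET", t0 + 301))  # same header, expired
```

This design bounds how long a captured header stays usable but does not stop reuse inside the lifetime; rejecting a second use of the same nonce requires the server to keep state.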