Digest Authentication

1
Digest Authentication

• Herng-Yow Chen

2
Outline

• Theory and practice of digest authentication.
• The improvement of Digest Authentication

3
Problem of Basic Authentication

• Basic authentication is convenient and flexible
  but completely insecure.
• Usernames and passwords are sent in a clear way
  (using a base-64 encoding, which can be decoded
  easily).
• Base-64 encoding protects against unintentional
  accidental viewing but offers no confidentiality
  protection against malicious parties.
• The only way to use basic authentication securely
  is to use it conjunction with SSL (talk later).

4
Introduction

• Digest authentication was developed as a
  compatible, more secure alternative to basic
  authentication.
• Even though digest authentication is not yet in
  wide use, the concepts still are important for
  anyone implementing secure transaction.

5
The improvements of Digest Authentication

• Digest authentication is an alternate HTTP
  authentication protocol that tries to fix the
  most serious flaws of basic authentication.
• Never send secret passwords across the network in
  the clear
• Prevent unscrupulous individuals from capturing
  and replaying handshakes
• Optionally can guard against tampering with
  message content
• Guards against several other common forms of
  attacks.

6
The improvements of Digest Authentication Cont.

• Digest authentication is not the most secure
  protocol possible. Many needs for secure HTTP
  transaction cannot be met by digest
  authentication.
• For those needs, Transport Layer Security (TLS)
  and Secure HTTP (HTTPS) are more appropriate
  protocols.
• However, digest authentication is significantly
  stronger than basic authentication, which it was
  designed to replace.
• Digest authentication also is stronger than many
  popular schemes proposed for other Internet
  services, such as CRAM-MD5, which has been
  proposed for use with LDAP, POP, and IMAP.

7
The improvements of Digest Authentication Cont.

• To date, digest authentication has not been
  deployed. However, because of the security risks
  inherent to basic authentication, the HTTP
  architects counsel in RFC 2617 that any service
  in present use that uses Basic should be switched
  to Digest as soon as practical.

8
Using Digests to Keep Passwords Secret

• The motto of digest authentication is never send
  the password across the network.
• Instead of sending the password, the client sends
  a fingerprint or digest of the password,
  which is an irreversible scrambling of the
  password.
• The client and the server both know the secret
  password, so the server can verify that the
  digest provided is a correct match for the
  password.

9
Using Digests to Keep Passwords Secret Cont.

• Given only the digest, a bad guy has no easy way
  to find what password it came from, other than
  going through every password in the universe,
  trying each one.
• However, there are techniques, such as dictionary
  attacks, where passwords are tried first. These
  cryptanalysis techniques can dramatically ease
  the process of cracking passwords.

10
Using Digests for password-obscured
authentication
Please give me the internal sales forecast.
Internet
(a)Request
client
server
You requested a secret financial
document.Please tell me your username and
password digests.
Internet
(b)Challenge
client
server
Ask user for username and password
digest(0w!)A3F5
Please give me the internal sales forecast. My
username is bri My digested password is A3F5
Internet
(c)Authorization
server
client
digest(0w!)A3F5 ? This is a match!
OK.The digest you sent me matches the digest of
my internal password, so here is the document.
Internet
(d)Success
client
server
11
One-Way Digests

• A digest is a condensation of a body of
  information. Merriam-Webster dictionary, 1998.
• Digests act as one-way functions, typically
  converting an infinite number of possible input
  value into a finite range of condensations.
• In theory, it is possible to have two distinct
  inputs map to the same digest, called a
  collision. In practice, the number of potential
  outputs is so large that the chance of a
  collision in real life is vanishingly small and,
  for the purpose of password matching,
  unimportant.

12
Message Digest 5 (MD5)

• One popular digest function, MD5, converts any
  arbitrary sequence of bytes, of any length, into
  a 128-bit digest.
• 128 bits 2 128, or about
• 1,000,000,000,000,000,000,000,000,000,000,000,000,
  000 10 39 possible distinct condensations.

13
MD5 Cont.

• If you dont know the secret password, youll
  have an awfully hard time guessing the correct
  digest to send to the server.
• And likewise, if you have the digest, you will
  have an awfully hard time figuring out which of
  the effectively infinite number of input values
  generated it.

14
MD5 Cont.

• The 128 bits of MD5 output often are written as
  32 hexadecimal characters, each character
  representing 4 bits.
• Digest functions sometimes are called
  cryptographic checksums, one-way hash functions,
  or fingerprint functions.

15
MD5 digest examples
16
Using Nonces to Prevent Replays

• One-way digests save us from having to send
  passwords in the clear. We can just send a digest
  of the password instead, and rest assured that no
  malicious party can easily decode the original
  password from the digest.
• Unfortunately, obscured password alone do not
  save us danger, because a bad guy can capture the
  digest and replay it over and over again to the
  server, even though the bad guy doesnt know the
  password. The digest is just as good as the
  password.

17
Using Nonces to Prevent Replays Cont.

• To prevent such replay attacks, the server can
  pass along to the client a special token called a
  nonce, which changes frequently (perhaps every
  millisecond, or for every authentication).
• The client appends this nonce token to the
  password before computing the digest.
• Mixing the nonce in with the password causes the
  digest to change each time the nonce change. This
  prevent replay attacks.

18
Using Nonces to Prevent Replays Cont.

• Digest authentication requires the use of nonces,
  because a trivial replay weakness would make
  un-nonced digest authentication effectively as
  weak as basic authentication.
• Nonces are passed from server to client in the
  WWW-Authenticate challenge.

19
The Digest Authentication Handshake
Client
www.ncnu.edu.tw
(1)Server generates nonce
WWW-Authenticate (challenge)
(2)Server sends realm, nonce, algorithms
(3)Choose algorithm from set generate
response digest generate client-nonce
Authorization (response)
(4)Client sends response digest send
algorithm send client-nonce
(5)Server verifies digest generate rspauth
digest generate next nonce
Authentication-Info (info)
(7)Client verifies rspauth digest
(6)Server sends next nonce send client rspauth
digest
20
Basic versus digest authentication syntax

• Basic authentication

(a)Query
GET /cgi-bin/checkout?cart17854 HTTP/1.1
client
server
(b)Challenge
client
HTTP/1.1 401 Unauthorized WWW-Authenticate Basic
realmShopping Cart
server
Shopping Cart Username Password
(c)Response
GET /cgi-bin/checkout?cart17854
HTTP/1.1 Authorization Basic YnJpYW4tdG90dHk6T3ch
server
client
(d)Success
HTTP/1.1 200 OK
client
server
21
Basic versus digest authentication syntax (cont.)
22
The Security-Related Data (A1)
23
The Message-Related Data(A2)
24
Overall Digest Algorithm
25
Overall Digest Algorithm (cont.)
26
Preemptive Authorization
27
Symmetric Authentication
28
Symmetric Authentication (cont.)
29
Digest Authentication Headers
30
Reference

• http//www.ietf.org/rfc/rfc2617.txt
• RFC 2617,HTTP Authentication Basic and
  Digest Access Authentication