Insisting on a message digest (rfc2069)

   The Digest Authentication scheme specifies a mechanism (the 'digest'
   attribute of the Authentication-Info and Authorization headers) by
   which a protected digest message of the message body and selected
   headers may be transmitted.  This provides a valuable means of
   protecting the message body from modification or replay attacks
   based on modifying either the message body or headers, while
   preserving the authentication headers.

   The mechanism is only valuable, however, if the message recipient
   can require that the digest attribute is present; if the attribute
   is optional (as currently specified), then an attacker can remove
   the attribute, preserving the remainder of the authentication
   information, and modify the parts of the message it was meant to
   protect.

   Our implementation of Digest Authentication includes an attribute
   for each resource which may be set to require that a message digest
   be supplied in order access the resource (used principally for
   submission of a form), but at present there is no way for the
   server to communicate this requirement to the browser so that it
   knows to generate one.

   I suggest that attributes be added to the WWW-Authenticate and
   Authorization headers to indicate that a message digest is required
   on the subsequent message:

   ================================================================
   in section 2.1.1:

     WWW-Authenticate    = "WWW-Authenticate" ":" "Digest"
                              digest-challenge

     digest-challenge    = 1#( realm | [ domain ] | nonce |
                          [ opaque ] |[ stale ] | [ algorithm ] |
                          [ digest-required ] )
   ...
     digest-required     = "digest-required"
   ...

   digest-required
   A flag, indicating that any request for the resource to which this
   response applies must include the 'digest' attribute in its
   Authorization header.

   ================================================================
   in section 2.1.2:

   Authorization       = "Authorization" ":" "Digest" digest-response

   digest-response     = 1#( username | realm | nonce | digest-uri |
                            response | [ digest ] | [ algorithm ] |
                            opaque | digest-required )

   ...
     digest-required     = "digest-required"
   ...

   digest-required
   A flag, indicating that the response to this request must include
   the 'digest' attribute in its Authentication-Info header.

   ================================================================

   There are minor editorial changes to the text which would be needed
   to accompany this change; I'll be glad to help with those if we
   agree to make this change or one like it.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/

Received on Tuesday, 15 April 1997 14:28:14 UTC