- From: Scott Lawrence <lawrence@agranat.com>
- Date: Tue, 15 Apr 1997 17:25:03 -0400
- To: HTTP Working Group List <http-wg@cuckoo.hpl.hp.com>
The Digest Authentication scheme specifies a mechanism (the 'digest'
attribute of the Authentication-Info and Authorization headers) by
which a protected digest message of the message body and selected
headers may be transmitted. This provides a valuable means of
protecting the message body from modification or replay attacks
based on modifying either the message body or headers, while
preserving the authentication headers.
The mechanism is only valuable, however, if the message recipient
can require that the digest attribute is present; if the attribute
is optional (as currently specified), then an attacker can remove
the attribute, preserving the remainder of the authentication
information, and modify the parts of the message it was meant to
protect.
Our implementation of Digest Authentication includes an attribute
for each resource which may be set to require that a message digest
be supplied in order access the resource (used principally for
submission of a form), but at present there is no way for the
server to communicate this requirement to the browser so that it
knows to generate one.
I suggest that attributes be added to the WWW-Authenticate and
Authorization headers to indicate that a message digest is required
on the subsequent message:
================================================================
in section 2.1.1:
WWW-Authenticate = "WWW-Authenticate" ":" "Digest"
digest-challenge
digest-challenge = 1#( realm | [ domain ] | nonce |
[ opaque ] |[ stale ] | [ algorithm ] |
[ digest-required ] )
...
digest-required = "digest-required"
...
digest-required
A flag, indicating that any request for the resource to which this
response applies must include the 'digest' attribute in its
Authorization header.
================================================================
in section 2.1.2:
Authorization = "Authorization" ":" "Digest" digest-response
digest-response = 1#( username | realm | nonce | digest-uri |
response | [ digest ] | [ algorithm ] |
opaque | digest-required )
...
digest-required = "digest-required"
...
digest-required
A flag, indicating that the response to this request must include
the 'digest' attribute in its Authentication-Info header.
================================================================
There are minor editorial changes to the text which would be needed
to accompany this change; I'll be glad to help with those if we
agree to make this change or one like it.
--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/
Received on Tuesday, 15 April 1997 14:28:14 UTC