RE: Digest Authentication

We did think of this solution, but that means that we always have to use the
same nonce value and we end up getting no security improvement over basic
authentication - so the argument that it is more secure than basic is bogus
if you do this.

--Dylan

> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
> Sent: Tuesday, October 16, 2001 2:02 PM
> To: Dylan Barrell
> Cc: WebDAV
> Subject: Re: Digest Authentication
>
>
>
>
> On Tue, 16 Oct 2001, Dylan Barrell wrote:
>
> > Digest Authentication requires that a server store its
> > passwords in such a
> > way that they be available in clear text format.
>
> Actually though your implementation -could- store the password on disk as
> plain text - most do not; and it is technically not required. Some bad
> implementations do store it plain - but (for example) the apache web
> server stores the password as a hash (md5 or crypt) on the server side.
>
> See http://cvs.apache.org -> apache-1.3 -> src/support/htpasswd.c and
> src/support/htdigest.c to get an idea of the code.
>
> So it is not a requirement - just an implementation choice.
>
> It is true that with normal basic auth the password goes over the wire in
> the clear; but with digest auth this is not the case.
>
> Dw

Received on Tuesday, 16 October 2001 14:38:21 UTC
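The mechanism Dirk-Willem describes, as an added example that is not part of this thread and not Apache's code: the server keeps only HA1 = MD5(username:realm:password) in a user:realm:HA1 record (the layout an htdigest file uses), hands out a fresh nonce on every challenge, and still verifies each response without ever seeing the plaintext, because the nonce only enters the final hash, not HA1. The arithmetic follows the RFC 2617 qop=auth form (RFC 2617 itself notes that a server may store HA1 instead of the password); the DigestServer class with its nonce-count bookkeeping, the realm "WebDAV", the user "dylan" and that user's password are constructed for this example, and the "Mufasa" values are the published worked example from RFC 2617 section 3.5, used here as a known-answer check.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string; Digest (RFC 2617) is defined over MD5."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all the server needs to keep."""
    return md5_hex(f"{username}:{realm}:{password}")


def htdigest_line(username: str, realm: str, password: str) -> str:
    """One record in the user:realm:HA1 layout; the plaintext never reaches disk."""
    return f"{username}:{realm}:{ha1(username, realm, password)}"


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: it holds the password and derives HA1 on the fly."""
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)


class DigestServer:
    """Constructed verifier (not Apache's design) that works only from stored HA1 values."""

    def __init__(self, realm: str, htdigest_lines):
        self.realm = realm
        self.users = {}
        for line in htdigest_lines:
            user, file_realm, h1 = line.strip().split(":")
            if file_realm == realm:
                self.users[user] = h1
        self.nonces = {}  # issued nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce for each 401 challenge."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        h1 = self.users.get(username)
        if h1 is None or nonce not in self.nonces:
            return False
        count = int(nc, 16)
        if count <= self.nonces[nonce]:
            return False  # nonce-count did not advance: treat as a replayed request
        expected = digest_response(h1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = count
        return True


def rfc2617_example_response() -> str:
    """Known-answer check against the worked example in RFC 2617 section 3.5."""
    return client_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")


def demo() -> dict:
    """Constructed scenario: one user, one realm, several challenges."""
    realm, user, password = "WebDAV", "dylan", "correct horse"
    store = [htdigest_line(user, realm, password)]  # what would sit in the htdigest file
    server = DigestServer(realm, store)
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    args = ("PROPFIND", "/dav/", nonce)
    good = client_response(user, realm, password, *args, "00000001", cnonce)
    bad = client_response(user, realm, "not the password", *args, "00000001", cnonce)
    results = {
        "stored_record_has_no_plaintext": password not in store[0],
        "correct_password_accepted": server.verify(user, *args, "00000001", cnonce, good),
        "wrong_password_accepted": server.verify(user, *args, "00000001", cnonce, bad),
        "replayed_request_accepted": server.verify(user, *args, "00000001", cnonce, good),
    }
    # Same nonce with an advanced count is fine, and the response value changes with nc.
    second = client_response(user, realm, password, *args, "00000002", cnonce)
    results["next_count_accepted"] = server.verify(user, *args, "00000002", cnonce, second)
    # A new challenge means a new nonce; a response computed for the old one is useless.
    nonce2 = server.challenge()
    results["old_response_accepted_for_new_nonce"] = server.verify(
        user, "PROPFIND", "/dav/", nonce2, "00000001", cnonce, good)
    results["responses_differ"] = nonce != nonce2 and good != second
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("RFC 2617 vector ok:", rfc2617_example_response() == "6629fae49393a05397450978507c4ef1")
```

Two things worth keeping in mind when reading the output: the stored HA1 is a realm-scoped password equivalent, so an htdigest file needs the same file-system protection an htpasswd file does, and MD5 here is what the protocol specifies rather than a storage choice; and because HA1 is independent of the nonce, the server is free to vary the nonce on every challenge, which is exactly what the nonce-count check above relies on.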