1 Digest Authentication Herng-Yow Chen

2 Outline Theory and practice of digest authentication. The improvement of Digest Authentication

3 Problem of Basic Authentication Basic authentication is convenient and flexible but completely insecure. Usernames and passwords are sent in a clear way (using a base-64 encoding, which can be decoded easily). Base-64 encoding protects against unintentional accidental viewing but offers no confidentiality protection against malicious parties. The only way to use basic authentication securely is to use it conjunction with SSL (talk later).

4 Introduction Digest authentication was developed as a compatible, more secure alternative to basic authentication. Even though digest authentication is not yet in wide use, the concepts still are important for anyone implementing secure transaction.

5 The improvements of Digest Authentication Digest authentication is an alternate HTTP authentication protocol that tries to fix the most serious flaws of basic authentication. Never send secret passwords across the network in the clear Prevent unscrupulous individuals from capturing and replaying handshakes Optionally can guard against tampering with message content Guards against several other common forms of attacks.

6 The improvements of Digest Authentication Cont. Digest authentication is not the most secure protocol possible. Many needs for secure HTTP transaction cannot be met by digest authentication. For those needs, Transport Layer Security (TLS) and Secure HTTP (HTTPS) are more appropriate protocols. However, digest authentication is significantly stronger than basic authentication, which it was designed to replace. Digest authentication also is stronger than many popular schemes proposed for other Internet services, such as CRAM-MD5, which has been proposed for use with LDAP, POP, and IMAP.

7 The improvements of Digest Authentication Cont. To date, digest authentication has not been deployed. However, because of the security risks inherent to basic authentication, the HTTP architects counsel in RFC 2617 that “ any service in present use that uses Basic should be switched to Digest as soon as practical.

8 Using Digests to Keep Passwords Secret The motto of digest authentication is “ never send the password across the network. ” Instead of sending the password, the client sends a “ fingerprint ” or “ digest ” of the password, which is an irreversible scrambling of the password. The client and the server both know the secret password, so the server can verify that the digest provided is a correct match for the password.

9 Using Digests to Keep Passwords Secret Cont. Given only the digest, a bad guy has no easy way to find what password it came from, other than going through every password in the universe, trying each one. However, there are techniques, such as dictionary attacks, where passwords are tried first. These cryptanalysis techniques can dramatically ease the process of cracking passwords.

10 Using Digests for password- obscured authentication server client Internet (a)Request Please give me the internal sales forecast. server client (b)Challenge You requested a secret financial document.Please tell me your username and password digests. server client Internet (c)Authorization Please give me the internal sales forecast. My username is “ bri ” My digested password is “ A3F5 ” server client Internet (d)Success OK.The digest you sent me matches the digest of my internal password, so here is the document. digest( “ 0w! ” )=A3F5 ˇ This is a match! Internet Ask user for username and password digest( “ 0w! ” )=A3F5

11 One-Way Digests A digest is a “ condensation of a body of information. ” * Merriam-Webster dictionary, Digests act as one-way functions, typically converting an infinite number of possible input value into a finite range of condensations. In theory, it is possible to have two distinct inputs map to the same digest, called a “ collision. ” In practice, the number of potential outputs is so large that the chance of a collision in real life is vanishingly small and, for the purpose of password matching, unimportant.

12 Message Digest #5 (MD5) One popular digest function, MD5, converts any arbitrary sequence of bytes, of any length, into a 128-bit digest. 128 bits = 2 128, or about 1,000,000,000,000,000,000,000,000,000,0 00,000,000,000 = possible distinct condensations.

13 MD5 Cont. If you don ’ t know the secret password, you ’ ll have an awfully hard time guessing the correct digest to send to the server. And likewise, if you have the digest, you will have an awfully hard time figuring out which of the effectively infinite number of input values generated it.

14 MD5 Cont. The 128 bits of MD5 output often are written as 32 hexadecimal characters, each character representing 4 bits. Digest functions sometimes are called cryptographic checksums, one-way hash functions, or fingerprint functions.

15 MD5 digest examples InputMD5 digest “ Hi ” C1A5298F939E87E8F962A5EDF C “ bri:0w! ” BEAAA0E34EBDB072F8627C03 8AB211F8 “ ” 475B977E19ECEE70835BC6DF 46F4F6DE “ ” C617C0C7D1D05F66F595E22A 4B0EAAA5 “ We hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are life, Liberty and the Pursuit of Happiness-That to secure these Rights, Governments are instituted among Men, deriving their just Powers from the Consent of the Governed, that whenever any Form of Government becomes destructive of these Ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its Foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Safety and Happiness. ” 66C4EF58DA7CB956BD04233F BB64E0A4

16 Using Nonces to Prevent Replays One-way digests save us from having to send passwords in the clear. We can just send a digest of the password instead, and rest assured that no malicious party can easily decode the original password from the digest. Unfortunately, obscured password alone do not save us danger, because a bad guy can capture the digest and replay it over and over again to the server, even though the bad guy doesn ’ t know the password. The digest is just as good as the password.

17 Using Nonces to Prevent Replays Cont. To prevent such replay attacks, the server can pass along to the client a special token called a nonce, which changes frequently (perhaps every millisecond, or for every authentication). The client appends this nonce token to the password before computing the digest. Mixing the nonce in with the password causes the digest to change each time the nonce change. This prevent replay attacks.

18 Using Nonces to Prevent Replays Cont. Digest authentication requires the use of nonces, because a trivial replay weakness would make un-nonced digest authentication effectively as weak as basic authentication. Nonces are passed from server to client in the WWW-Authenticate challenge.

19 The Digest Authentication Handshake Client (1)Server generates nonce (5)Server verifies digest [generate rspauth digest] [generate next nonce] WWW-Authenticate (challenge) (2)Server sends realm, nonce, algorithms (3)Choose algorithm from set [generate response digest] [generate client-nonce] (7)Client verifies rspauth digest Authorization (response) (4)Client sends response digest [send algorithm] [send client-nonce] Authentication-Info (info) (6)Server sends next nonce [send client rspauth digest]

20 Basic versus digest authentication syntax server client server client server client server (a)Query (b)Challenge (c)Response (d)Success GET /cgi-bin/checkout?cart=17854 HTTP/1.1 HTTP/ Unauthorized WWW-Authenticate: Basic realm= “ Shopping Cart ” GET /cgi-bin/checkout?cart=17854 HTTP/1.1 Authorization: Basic YnJpYW4tdG90dHk6T3ch HTTP/ OK … Shopping Cart Username: Password: Basic authentication

21 Basic versus digest authentication syntax (cont.)

22 The Security-Related Data (A1) AlgorithmA1 MD5A1 = : : MD5-sessA1 = MD5( : : ) : :

23 The Message-Related Data(A2) qopA2 undefined : auth : auth-int : : H( )

24 Overall Digest Algorithm qopDigest algorithmNotes undefinedKD(H(A1), :H(A2)) Deprecated auth or auth-intKD(H(A1), : : : :H(A2)) Preferred

25 Overall Digest Algorithm (cont.) qopAlgorithmUnfolded algorithm undefined MD5 MD5-sess MD5(MD5(A1): : (A2)) auth MD5 MD5-sess MD5(MD5(A1): : : : : (A2)) auth-int MD5 MD5-sess MD5(MD5(A1): : : : : (A2))

26 Preemptive Authorization

27 Symmetric Authentication qopA2 undefined : auth : auth-int : :H( )

28 Symmetric Authentication (cont.) qopA2 undefined auth auth-int :H( )

29 Digest Authentication Headers

30 Reference RFC 2617, ” HTTP Authentication: Basic and Digest Access Authentication ”