Talk:Digest access authentication

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Computing / Security (Rated B-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
B-Class article B  This article has been rated as B-Class on the project's quality scale.
 Low  This article has been rated as Low-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computer Security (marked as Mid-importance).
WikiProject Cryptography / Computer science  (Rated B-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
B-Class article B  This article has been rated as B-Class on the quality scale.
 Low  This article has been rated as Low-importance on the importance scale.
Taskforce icon
This article is supported by WikiProject Computer science (marked as Low-importance).

HA1 ???[edit]

In the overview none of the algebraic acronyms are explained. This is not very helpful. What does HA1 stand for. I'm guessing it means HASH 1 .

Could some kind soul. Who knows what they are doing add some explanation under each equation. E.g Where HA1 stands for Hash 1, HA2 stands for hash 2... etc. —Preceding unsigned comment added by (talk) 20:18, 7 November 2009 (UTC)

I agree with the above. I could not find a definition of what HA1 is (even on google!). I added an expand tag to the page. -Andriyko (talk) 01:07, 4 April 2010 (UTC)

If I'm not mistaken, HA1 is simply a hash string. It does not represent a particular hash method; rather, it is the result of applying the MD5 hash algorithm to the "A1" string, which is in turn the concatenation of the user's username, the authentication realm, and the user's password. Anyway, applying an expansion tag just for this is most unnecessary in my opinion. Wyverald (talk) 06:50, 18 April 2010 (UTC)

MD5 security?[edit]

The article talks about "MD5 cryptographic hashing". MD5 has got nothing to do with cryptography. It simply converts a string into a hash value (fingerprint).

It's like putting a meal in a blender: afterwards, it's hard to determine what the meal was. But it's easy to say if it was the same meal as another blended one. Nothing magic, nothing secure, nothing cryptographic.

--Jms 17:58, 30 November 2007 (UTC)

That's might be related to the fact that MD5 is not an ordinary hash function, but a cryptographic hash function. Honeyman (talk) 16:58, 5 March 2010 (UTC)

Strike This Sentence[edit]

"RFC 2617 assumes that the scheme is understood and fails to complete the example," I don't see the relevance of that statement to this article. Miqrogroove 08:57, 24 July 2007 (UTC)

Taking the example in the RFC by itself, it is quite difficult to see how you can get from the inputs to the outputs – at least not without actually writing the code to do it. This Wikipedia article tries to make the example as clear as possible, as a better guide to implementation (or understanding an implementation). Perhaps the sentence needs rewording, but the point is that the article is intended to be more useful than the original specification in this respect. Thanks.  — Lee J Haywood 18:59, 24 July 2007 (UTC)
The encyclopaedia's intentions are relevant to the article? Miqrogroove 01:51, 4 August 2007 (UTC)
Erm, well they're my intentions, not the encyclopaedia's. I think you mean that the sentence is very critical and implies an opinion, which really is irrelevant. The sentence was just an introduction to the second section of the example, but I've seen a way to improve it. I've reworded it now. (: Thanks!  — Lee J Haywood 07:32, 4 August 2007 (UTC)


One of the first sentences is strange... "This method builds upon (and obsoletes) the Basic access authentication, allowing user identity to be established without having to send a password in plaintext over the network."

  • "and obsoletes" is clearly biased and unsupported by any sources.
  • "This method builds upon"... well... HTTP Digest Authentication most likely builds upon previous Digest Authentication schemes.

The article is overly positive towards digest authentication, while completely failing to discuss why Digest Authentication schemes have not been successful - while Form based authentication and HTTP Basic authentication has a much higher adoption/acceptance rate.

The article is missing a discussion on the "3.5 Storing passwords" section of Digest RFC, and more importantly the article fails to discuss that the password also has to be known to the server in order to perform "2.2 Digest Operation". This is key to realizing why Digest Authentication protocols are not well suited for i.e. enterprise authentication solutions (where the authentication server is different from the http server, i.e. an LDAP repository, and HA1/cleartext password is not available to http server).

--Blaufish 13:09, 26 September 2007 (UTC)

OK! Some hours later, I think I have resolved bias the problem! I made a minor change of the sentence, and added sections to discuss both advantages and disadvantages of Digest access authentication. I think this produces a richer and more complete understanding of the topic to the reader.

--Blaufish 20:10, 26 September 2007 (UTC)

Missing reference...[edit]

I agree it is not vulnerable to the most discussed class of MD5 collision attacks -- since they generate a collision from a know (plaintext,hash) pair -- but we should probably have a suitable reference here rather than just claiming it to be so. --Blaufish 13:18, 26 September 2007 (UTC)

I've changed the wording slightly, emphasizing that no MD5 attack has been shown to be a threat to Digest authentication. Also added references to known MD5 attacks. --Blaufish 21:25, 29 September 2007 (UTC)

Browser Implementation Update[edit]

After tests with Microsoft Internet Explorer (MSIE) 6 on 2000 and MSIE 7 on XP and Vista I'm not sure if the limitations mentioned are still present.

Therefore I suggest to update 'In the past ...' or to remove the 'Browser Implementation' section. —Preceding unsigned comment added by Lmuelle (talkcontribs) 17:28, 4 December 2007 (UTC)

The article quotes "Internet Explorer 5.0 and higher" from the source which is misleading since the source is over 6 years old and two version of IE have been released since it was written. This Apache documentation suggests suggest that IE 7 is fully compliant with the RFC. "Internet Explorer 5.x and 6.0" is a much more useful phrasing. (talk) —Preceding undated comment was added at 14:44, 2 November 2008 (UTC).

Firefox is not mentioned here. I will add Firefox, if noone object. There are some other clients as well, mentioned on Apache. Mårten Berglund (talk) 12:19, 25 November 2008 (UTC)
Okey, thanks Mabdul for fixing this! Mårten Berglund (talk) 13:46, 27 November 2008 (UTC)

RFC 2069 or RFC 2617?[edit]

Is RFC-2069 still the correct reference? Or, isn't it superc by RFC-2617?--P Todd (talk) 21:26, 23 July 2008 (UTC)

Extra colon before nonce?[edit]

Is there a colon between HA1 and the nonce? The formulae given in this article suggest there is, however the standards suggest there is not.

RFC 2069 section 2.1.2 states :

        response-digest     =
         <"> < KD ( H(A1), unquoted nonce-value ":" H(A2) > <">

RFC 2617 section confirms this for both qop and non qop cases.

But RFC 2617 section 5 example code gives:

           MD5Update(&Md5Ctx, HA1, HASHLEN);
           MD5Update(&Md5Ctx, ":", 1);
           MD5Update(&Md5Ctx, pszNonce, strlen(pszNonce));

ie, it places a colon before the nonce (like the Wikipedia article).

I cannot believe that both RFC 2069 and RFC 2617 are incorrect, yet I'm reluctant to "correct" this when the example code shows something else. (talk) Andy Henson 15 september 2010. —Preceding undated comment added 15:19, 15 September 2010 (UTC).

Update: Wikipedia is correct. See errata 1796 and 1914 in It seems the , in the standard implies a ":". (talk) Andy Henson 15 September 2010.

How does one actually use digest access authentication?[edit]

Assume that I can write server-side php code and client-side javascript. And I want to make use of digest access authentication. What exactly do I do? A fully worked out concrete example would be most appreciated. — Preceding unsigned comment added by Page Notes (talkcontribs) 17:25, 6 July 2011 (UTC)

Contradictory term[edit]

"reusing the server nonce value" is mentioned in "Example with explanation" below the frame with an example of hashes.

A Cryptographic_nonce is by definition only supposed to be used once. Does it really get reused? — Preceding unsigned comment added by (talk) 07:32, 11 July 2012 (UTC)

The nonce is used in exactly one protocol exchange and then discarded. While it may appear in more than one message these messages form part of a single transaction. (talk) 20:23, 1 November 2012 (UTC)

cnonce versus clientNonce[edit]

In the article we sometimes see "cnonce" (and it is described as client nonce) and other times the article says (in the algorithm details) that clientNonce is needed (e.g. to compute "response=...").

If this really holds the same value, there should be only one of this abbreviation. On the other hand, if they are or could be distinct, it should be noted what the difference is and when they are different — Preceding unsigned comment added by (talk) 14:13, 1 April 2015 (UTC)

External links modified[edit]

Hello fellow Wikipedians,

I have just modified one external link on Digest access authentication. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

You may set the |checked=, on this template, to true or failed to let other editors know you reviewed the change. If you find any errors, please use the tools below to fix them or call an editor by setting |needhelp= to your help request.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

If you are unable to use these tools, you may set |needhelp=<your help request> on this template to request help from an experienced user. Please include details about your problem, to help other editors.

Cheers.—InternetArchiveBot (Report bug) 00:53, 13 December 2016 (UTC)