Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

An Extension to HTTP : Digest Access Authentication (RFC2069)

IP.com Disclosure Number: IPCOM000002620D
Original Publication Date: 1997-Jan-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 15 page(s) / 39K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

J. Franks: AUTHOR [+7]

Abstract

The protocol referred to as "HTTP/1.0" includes the specification for a Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network as clear text. A specification for a different authentication scheme is needed to address this severe limitation. This document provides specification for such a scheme, referred to as "Digest Access Authentication". Like Basic, Digest access authentication verifies that both parties to a communication know a shared secret (a password); unlike Basic, this verification can be done without sending the password in the clear, which is Basic's biggest weakness. As with most other authentication protocols, the greatest sources of risks are usually found not in the core protocol itself but in policies and procedures surrounding its use.

This text was extracted from a ASCII document.
This is the abbreviated version, containing approximately 7% of the total text.

Network Working Group J. Franks

Request for Comments: 2069 Northwestern University

Category: Standards Track P. Hallam-Baker

CERN

J. Hostetler

Spyglass, Inc.

P. Leach

Microsoft Corporation

A. Luotonen

Netscape Communications Corporation

E. Sink

Spyglass, Inc.

L. Stewart

Open Market, Inc.

January 1997

An Extension to HTTP : Digest Access Authentication

Status of this Memo

This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "Internet

Official Protocol Standards" (STD 1) for the standardization state

and status of this protocol. Distribution of this memo is unlimited.

Abstract

The protocol referred to as "HTTP/1.0" includes the specification for

a Basic Access Authentication scheme. This scheme is not considered

to be a secure method of user authentication, as the user name and

password are passed over the network as clear text. A specification

for a different authentication scheme is needed to address this

severe limitation. This document provides specification for such a

scheme, referred to as "Digest Access Authentication". Like Basic,

Digest access authentication verifies that both parties to a

communication know a shared secret (a password); unlike Basic, this

verification can be done without sending the password in the clear,

which is Basic's biggest weakness. As with most other authentication

protocols, the greatest sources of risks are usually found not in the

core protocol itself but in policies and procedures surrounding its

use.

Table of Contents

INTRODUCTION...................................................... 2

1.1 PURPOSE .................................................... 2

1.2 OVERALL OPERATION .......................................... 3

1.3 REP...