Browse Prior Art Database

Using Digest Authentication as a SASL Mechanism (RFC2831)

IP.com Disclosure Number: IPCOM000003430D
Original Publication Date: 2000-May-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 22 page(s) / 54K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

P. Leach: AUTHOR [+2]

Abstract

This specification defines how HTTP Digest Authentication [Digest] can be used as a SASL [RFC 2222] mechanism for any protocol that has a SASL profile. It is intended both as an improvement over CRAM-MD5 [RFC 2195] and as a convenient way to support a single authentication mechanism for web, mail, LDAP, and other protocols.

This text was extracted from a ASCII Text document.
This is the abbreviated version, containing approximately 5% of the total text.

Network Working Group P. Leach

Request for Comments: 2831 Microsoft

Category: Standards Track C. Newman

Innosoft

May 2000

Using Digest Authentication as a SASL Mechanism

Status of this Memo

This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "Internet

Official Protocol Standards" (STD 1) for the standardization state

and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This specification defines how HTTP Digest Authentication [Digest]

can be used as a SASL [RFC 2222] mechanism for any protocol that has

a SASL profile. It is intended both as an improvement over CRAM-MD5

[RFC 2195] and as a convenient way to support a single authentication

mechanism for web, mail, LDAP, and other protocols.

Table of Contents

1 INTRODUCTION.....................................................2

1.1 CONVENTIONS AND NOTATION......................................2

1.2 REQUIREMENTS..................................................3

2 AUTHENTICATION...................................................3

2.1 INITIAL AUTHENTICATION........................................3

2.1.1 Step One...................................................3

2.1.2 Step Two...................................................6

2.1.3 Step Three................................................12

2.2 SUBSEQUENT AUTHENTICATION....................................12

2.2.1 Step one..................................................13

2.2.2 Step Two..................................................13

2.3 INTEGRITY PROTECTION.........................................13

2.4 CONFIDENTIALITY PROTECTION...................................14

3 SECURITY CONSIDERATIONS.........................................15

3.1 AUTHENTICATION OF CLIENTS USING DIGEST AUTHENTICATION........15

3.2 COMPARISON OF DIGEST WITH PLAINTEXT PASSWORDS................16

3.3 REPLAY ATTACKS...............................................16

3.4 ONLINE DICTIONARY ATTACKS....................................16

3.5 OFFLINE DICTIONARY ATTACKS...................................16

3.6 MAN IN THE MIDDLE............................................17

3.7 CHOSEN PLAINTEXT ATTACKS.....................................17

3.8 SPOOFING BY COUNTERFEIT SERVERS..............................17

3.9 STORING PASSWORDS............................................17

3.10 MULTIPLE REALMS.............................................18

3.11 SUMMARY.....................................................