HTTP Digest Authentication

Source: Internet
Author: User

Digest authentication is a simple authentication mechanism, originally developed for the HTTP protocol and therefore often called HTTP digest; it is described in RFC 2617. The mechanism is simple: it uses a hash function so that the user's password is never transmitted in clear text.
Digest authentication verifies that both parties in the communication know a secret (the password) that they share.

When the server wants to verify the identity of the user, it generates a digest challenge and sends it to the user. A typical digest challenge looks like this:

Digest realm="iptel.org", qop="auth,auth-int",
       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="", algorithm=MD5

The challenge carries a set of parameters that are sent to the user. The user uses these parameters to generate the correct digest response and sends it back to the server. The parameters in the challenge have the following meanings:

Realm: The realm parameter is mandatory and must be present in every challenge. Its purpose is to identify which secret (set of credentials) applies to the SIP message. In real-world SIP deployments it is usually set to the domain name that the SIP proxy server is responsible for.

When the user is required to enter a user name and password, the SIP user agent displays the contents of this parameter so that the user can supply the user name and password that are correct for this server.

Nonce: This is a data string specified by the server, which is different each time the server produces a digest challenge (it never matches a previous one). The nonce is usually constructed by running some data through the MD5 hash function; that data typically includes a timestamp and a secret phrase known only to the server. This ensures that each nonce has a limited lifetime (it expires after some time and is never accepted again) and is unique (no other server can produce the same nonce).

The client uses this nonce to generate a digest response, so the server receives the nonce back inside the digest response. The server checks the validity of the nonce before it checks any other part of the digest response.

Thus the nonce is essentially an identifier that ensures the digest response received belongs to a specific digest challenge. It also limits the lifetime of the digest challenge, which prevents replay attacks later on.


Opaque: This is an opaque data string (outsiders are not meant to know what it means) that is sent to the user in the challenge.

In the digest response, the user sends the same data string back to the server. This allows the server to be stateless: if some state needs to be kept between the challenge and the response, the server can use this parameter to hand the state to the client and read it back when the digest response arrives.

Algorithm: This is the algorithm used to compute the hash. Only the MD5 algorithm is currently supported.

Qop (quality of protection): This parameter specifies which protection schemes the server supports; the client selects one from the list. The value "auth" means authentication only, while "auth-int" means authentication plus some integrity protection of the message. For a more detailed description, see RFC 2617.

After receiving a digest challenge, the user agent software (unless it has been preconfigured) usually prompts the user for a user name and password, generates a digest response, and sends the response to the server. For example, the digest response might look like this:

Digest username="Jan", realm="iptel.org",
       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="sip:iptel.org",
       qop=auth, nc=00000001, cnonce="0a4f113b",
       response="6629fae49393a05397450978507c4ef1", opaque=""

A digest response is similar to a digest challenge. Parameters with the same names as in the digest challenge have the same meaning; only the new parameters are described here:

URI (Uniform Resource Identifier): This parameter contains the URI that the client wants to access.
Qop: The protection scheme the client has chosen.
NC: Nonce counter. This is a hexadecimal value giving the number of requests (including the current one) that the client has sent using this nonce value. For example, in the first request made in response to a given nonce, the client sends "nc=00000001". The purpose of this counter is to let the server keep a copy of it in order to detect duplicate requests: if the same value is seen twice, the request is a repeat.

Cnonce: This is also an opaque string value, provided by the client and used by both the client and the server to protect against chosen-plaintext attacks. It allows both parties to verify each other's identity and provides some protection for message integrity.

Response: This is a string computed by the user agent software to prove that the user knows the password.

When the server receives a digest response, it recalculates the response value itself, using the parameter values supplied by the client and the password stored on the server. If the calculated result matches the response value received from the client, the client has proven that it knows the password, and the client's authentication succeeds.
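The following is an added worked example, not code from the original article, showing the RFC 2617 computation for qop=auth that the server repeats: it parses a Digest response with the same layout as the one above, recomputes the response from the stored password, and rejects unknown nonces and repeated nc values. The user name, realm, nonce, URI and cnonce are the page's values; the password, the SIP method and the in-memory nonce table are assumptions.

```python
import hashlib, hmac, re

# Added example (not from the original article): parse a Digest response like the one
# shown above and verify it as a server would, per RFC 2617 with qop=auth. Users/passwords are constructed.

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_digest(header):
    """Turn 'Digest k="v", k2=v2, ...' into a dict of parameters (quoted or bare values)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM_RE.finditer(params)}

def md5_hex(s): return hashlib.md5(s.encode()).hexdigest()

def compute_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # A1 = username:realm:password
    ha2 = md5_hex(f"{method}:{uri}")     # A2 = method:uri (auth-int would also hash the body)
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def build_response_header(username, realm, password, method, uri, nonce, nc, cnonce, opaque=""):
    # Client side: same field layout as the digest response shown in the article.
    resp = compute_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", opaque="{opaque}"')

class DigestVerifier:
    def __init__(self, users):
        self.users = users    # username -> password (constructed; real servers typically store HA1)
        self.nonces = {}      # nonce issued -> highest nc accepted so far

    def issue_nonce(self, nonce):
        self.nonces[nonce] = 0

    def verify(self, method, header):
        p = parse_digest(header)
        if p.get("nonce") not in self.nonces or p.get("qop", "auth") != "auth":
            return False      # unknown/expired nonce is rejected first; only qop=auth is handled here
        nc = int(p.get("nc", "0"), 16)
        if nc <= self.nonces[p["nonce"]] or p.get("username") not in self.users:
            return False      # a repeated nc means a replayed request
        expected = compute_response(p["username"], p.get("realm", ""), self.users[p["username"]],
                                    method, p.get("uri", ""), p["nonce"], p.get("nc", ""), p.get("cnonce", ""))
        ok = hmac.compare_digest(expected, p.get("response", ""))
        if ok:
            self.nonces[p["nonce"]] = nc
        return ok
```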
