[343] in WWW Security List Archive
The Digest authentication scheme
daemon@ATHENA.MIT.EDU (John Franks)
Wed Jan 25 15:04:02 1995
From: john@math.nwu.edu (John Franks)
To: www-security@ns2.rutgers.edu
Date: Wed, 25 Jan 1995 09:49:52 -0600 (CST)
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Here are some thoughts on the Digest authentication scheme proposed
by Philip Hallam-Baker.
As I understand it this proposal calls for calculating the MD5 signature of
the entire message (and presumably the client also calculates this signature
to validate the integrity of the message).
There are certainly situations where certifying the integrity of every
document, image, icon, and CGI output is necessary, but surely this
constitutes a major step beyond Basic authentication. I think it is
disingenuous to say (as the spec does) that this is "to the maximum
extent possible a direct replacement for the Basic authentication
scheme."
There are also serious efficiency questions with this scheme. Quoting
from the specification at
<http://info.cern.ch/hypertext/WWW/Protocols/HTTP/digest_specification.html>
"Efficiency of signature digest generation
The simplest method of digest generation would simply place the
message digest in the message header. This has the disadvantage that a
signature must be calculated before a message is sent which is
unsatisfactory for large documents stored as files since the file
would have to be read twice [Option Reply-G-1]. Alternatively the
digest could be placed at the very end of the message which would
require only the length of the message to be known in advance, since
this is already calculated this is not a significant
problem. Nevertheless this significantly deviates from the HTTP model
of having all the access data in the header [OptionReply-G-2]."
This is a specification with options for discussion neither of which I
find very palatable. I think this proposal (with some choice of
options) may be very appropriate as a part of S-HTTP, but it goes way
beyond a simple replacement for Basic authentication.
Again a quote from the specification:
"Note that there are in effect two headers, both terminated by two
consecutive CRLF pairs."
This also is a significant deviation from current practice and I find it
quite a stretch to call it a direct replacement for Basic authentication.
The bottom line is that the complexity of implementing this proposal
is such that I fear implementors will opt to wait for a full security
standard to emerge and, as a consequence, the seriously flawed Basic
authentication will continue in widespread use.
By contrast, the SimpleMD5 scheme from Spyglass is much more modest in
its ambitions. It is very easy to implement with very minor protocol
additions and no serious efficiency ramifications. It is a scheme
which we can realistically hope to deploy relatively quickly as a
replacement for Basic authentication.
John Franks
