10. HTTP Digest Access Authentication

Why MD5 Fails

  • MD5 is weak due to its speed and lack of salting, which makes it vulnerable to pre-computation attacks using Rainbow Tables.
  • Modern systems use slow, adaptive hashing algorithms like bcrypt or Argon2 with a unique salt for each password, rendering these attacks infeasible.
HTTP Digest Access Authentication

Uses a challenge-response mechanism to avoid sending anything that can be directly replayed or looked up in a simple rainbow table.

  1. Client: Requests a protected page.
  2. Server: Responds with a 401 Unauthorized status and a WWW-Authenticate header containing a nonce (a random, one-time-use number).
  3. Client:
    1. Prompts the user for a password.
    2. Calculates a response by hashing the username, the password, the provided nonce, the HTTP method, and the requested URI.
    3. Re-sends the request for the page, this time with an Authorization header containing the calculated hash response and the nonce.
  4. Server:
    1. Performs the exact same calculation on its end with the user's known password.
    2. If the hashes match, access is granted.
    3. This prevents simple replay attacks (because the nonce changes) and protects the password itself from being sent over the wire.
    4. However, it is still vulnerable to MITM attacks where the attacker can capture the hash and attempt an offline brute-force attack.

© 2025 All rights reservedBuilt with Flowershow Cloud

Built with LogoFlowershow Cloud