Digest Access Authentication

WebServer 2.1 supports digest access authentication (DAA), an authentication scheme for HTTP that is more secure than the basic access authentication scheme. The primary advantage of DAA is that, unlike basic access authentication, passwords are never transmitted across the Internet in unencrypted form. The web browser presentation for DAA is essentially the same as for basic access authentication: the user is typically prompted for a user ID and password before being allowed access to a URL. In basic access, passwords are sent as clear text. In digest access, the user ID and password are encrypted using the RSA Data Security, Inc. MD5 Message-Digest Algorithm before being sent. The following table shows the interaction between the client (browser) and the server (web server) when DAA is used.

| Sequence | Interaction |
|---|---|
| 1 | Client requests a page. |
| 2 | Server checks whether the page is password protected (by accessing the AccessLimit file) and whether DAA is required. If so, it responds with a 401 status and a WWW-Authenticate response header, which includes a portion of data to be encrypted, the "realm-value", the encryption algorithm to use, and a timed "nonce". |
| 3 | Client prompts the user for an ID and password, then sends the user name and the encrypted digest to the server. The digest is calculated from the user ID, password and realm-value. The client returns to the server an Authorization request header which contains the user ID, the digest, the requested page, and the "nonce". |
| 4 | Server retrieves the user ID record from storage, which contains the password. The digest is calculated and compared to the client's version. The nonce is also evaluated. If successful, an Authentication-Info header is sent, which contains the next "nonce" value so that the client can continue to access protected pages without prompting the user. |
| 5 | Client receives the requested page. |
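The following is an added example, not code from WebServer 2.1, that carries the five-step exchange above through in Python: the server issues a timed nonce protected by a MAC, the client computes the digest without ever sending the password, and the server recomputes the digest from its stored user record and evaluates the nonce before returning the next nonce. The digest formula is the RFC 2069 one, MD5(MD5(user:realm:password):nonce:MD5(method:uri)), assumed here; the realm, user record, nonce secret and nonce lifetime are constructed values.

```python
import hashlib
import hmac

# Constructed sample values for the example; not taken from WebServer 2.1.
REALM = "WebServer 2.1 Protected Area"
USERS = {"alice": "correct horse"}   # server-side user ID record with its password
NONCE_SECRET = b"server-only-secret"  # assumed: server secret used to sign timed nonces
NONCE_LIFETIME = 300                  # seconds a nonce stays valid (assumed policy)

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(now: int) -> str:
    """Timed nonce: issue time plus a MAC over it, so a client cannot forge one."""
    tag = hmac.new(NONCE_SECRET, str(now).encode(), hashlib.sha256).hexdigest()[:16]
    return f"{now}:{tag}"

def nonce_is_valid(nonce: str, now: int) -> bool:
    """Step 4, nonce evaluation: reject tampered and expired nonces."""
    issued, _, tag = nonce.partition(":")
    if not issued.isdigit():
        return False
    expected = hmac.new(NONCE_SECRET, issued.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected) and 0 <= now - int(issued) <= NONCE_LIFETIME

def digest_response(user, password, realm, method, uri, nonce) -> str:
    """RFC 2069-style digest (assumed): MD5(HA1:nonce:HA2); the password only enters HA1."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_challenge(now: int) -> dict:
    """Step 2: the 401 WWW-Authenticate challenge (realm, algorithm, timed nonce)."""
    return {"realm": REALM, "algorithm": "MD5", "nonce": make_nonce(now)}

def client_authorization(challenge, user, password, method, uri) -> dict:
    """Step 3: Authorization header; the password itself is never sent."""
    response = digest_response(user, password, challenge["realm"], method, uri, challenge["nonce"])
    return {"username": user, "uri": uri, "nonce": challenge["nonce"], "response": response}

def server_verify(auth, method, now):
    """Step 4: recompute the digest from the stored password; return Authentication-Info or None."""
    password = USERS.get(auth["username"])
    if password is None or not nonce_is_valid(auth["nonce"], now):
        return None
    expected = digest_response(auth["username"], password, REALM, method, auth["uri"], auth["nonce"])
    if not hmac.compare_digest(expected, auth["response"]):
        return None
    return {"nextnonce": make_nonce(now)}  # lets the client keep going without a new prompt
```

Because the nonce is bound to its issue time and the digest is bound to the requested URI, a captured Authorization header stops working once the nonce expires and cannot be replayed against a different page.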