rfc7616v3.txt | rfc7616.txt | |||
---|---|---|---|---|
(unchanged text omitted; resuming at page 2, line 19) | (unchanged text omitted; resuming at page 3, line 7) | |||
modifications of such material outside the IETF Standards Process. | modifications of such material outside the IETF Standards Process. | |||
Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling | |||
the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
than English. | than English. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Syntax Convention . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Syntax Convention . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2.2. ABNF . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.2. ABNF . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3. Digest Access Authentication Scheme . . . . . . . . . . . . . 4 | 3. Digest Access Authentication Scheme . . . . . . . . . . . . . 5 | |||
3.1. Overall Operation . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Overall Operation . . . . . . . . . . . . . . . . . . . . 5 | |||
3.2. Representation of Digest Values . . . . . . . . . . . . . 4 | 3.2. Representation of Digest Values . . . . . . . . . . . . . 5 | |||
3.3. The WWW-Authenticate Response Header Field . . . . . . . 5 | 3.3. The WWW-Authenticate Response Header Field . . . . . . . 5 | |||
3.4. The Authorization Header Field . . . . . . . . . . . . . 8 | 3.4. The Authorization Header Field . . . . . . . . . . . . . 9 | |||
3.4.1. Response . . . . . . . . . . . . . . . . . . . . . . 10 | 3.4.1. Response . . . . . . . . . . . . . . . . . . . . . . 11 | |||
3.4.2. A1 . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.4.2. A1 . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
3.4.3. A2 . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 3.4.3. A2 . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
3.4.4. Username Hashing . . . . . . . . . . . . . . . . . . 11 | 3.4.4. Username Hashing . . . . . . . . . . . . . . . . . . 12 | |||
3.4.5. Parameter Values and Quoted-String . . . . . . . . . 12 | 3.4.5. Parameter Values and Quoted-String . . . . . . . . . 12 | |||
3.4.6. Various Considerations . . . . . . . . . . . . . . . 12 | 3.4.6. Various Considerations . . . . . . . . . . . . . . . 13 | |||
3.5. The Authentication-Info and Proxy-Authentication-Info | 3.5. The Authentication-Info and Proxy-Authentication-Info | |||
Header Fields . . . . . . . . . . . . . . . . . . . . . . 13 | Header Fields . . . . . . . . . . . . . . . . . . . . . . 14 | |||
3.6. Digest Operation . . . . . . . . . . . . . . . . . . . . 15 | 3.6. Digest Operation . . . . . . . . . . . . . . . . . . . . 15 | |||
3.7. Security Protocol Negotiation . . . . . . . . . . . . . . 16 | 3.7. Security Protocol Negotiation . . . . . . . . . . . . . . 16 | |||
3.8. Proxy-Authenticate and Proxy-Authorization . . . . . . . 16 | 3.8. Proxy-Authenticate and Proxy-Authorization . . . . . . . 17 | |||
3.9. Examples . . . . . . . . . . . . . . . . . . . . . . . . 17 | 3.9. Examples . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
3.9.1. Example with SHA-256 and MD5 . . . . . . . . . . . . 17 | 3.9.1. Example with SHA-256 and MD5 . . . . . . . . . . . . 18 | |||
3.9.2. Example with SHA-512-256, Charset, and Userhash . . . 18 | 3.9.2. Example with SHA-512-256, Charset, and Userhash . . . 19 | |||
4. Internationalization Considerations . . . . . . . . . . . . . 20 | 4. Internationalization Considerations . . . . . . . . . . . . . 20 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | |||
5.1. Limitations . . . . . . . . . . . . . . . . . . . . . . . 20 | 5.1. Limitations . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
5.2. Storing Passwords . . . . . . . . . . . . . . . . . . . . 21 | 5.2. Storing Passwords . . . . . . . . . . . . . . . . . . . . 21 | |||
5.3. Authentication of Clients Using Digest Authentication . . 21 | 5.3. Authentication of Clients Using Digest Authentication . . 22 | |||
5.4. Limited-Use Nonce Values . . . . . . . . . . . . . . . . 22 | 5.4. Limited-Use Nonce Values . . . . . . . . . . . . . . . . 23 | |||
5.5. Replay Attacks . . . . . . . . . . . . . . . . . . . . . 22 | 5.5. Replay Attacks . . . . . . . . . . . . . . . . . . . . . 23 | |||
5.6. Weakness Created by Multiple Authentication Schemes . . . 23 | 5.6. Weakness Created by Multiple Authentication Schemes . . . 24 | |||
5.7. Online Dictionary Attacks . . . . . . . . . . . . . . . . 24 | 5.7. Online Dictionary Attacks . . . . . . . . . . . . . . . . 24 | |||
5.8. Man-in-the-Middle Attacks . . . . . . . . . . . . . . . . 24 | 5.8. Man-in-the-Middle Attacks . . . . . . . . . . . . . . . . 25 | |||
5.9. Chosen Plaintext Attacks . . . . . . . . . . . . . . . . 25 | 5.9. Chosen Plaintext Attacks . . . . . . . . . . . . . . . . 25 | |||
5.10. Precomputed Dictionary Attacks . . . . . . . . . . . . . 25 | 5.10. Precomputed Dictionary Attacks . . . . . . . . . . . . . 26 | |||
5.11. Batch Brute-Force Attacks . . . . . . . . . . . . . . . . 25 | 5.11. Batch Brute-Force Attacks . . . . . . . . . . . . . . . . 26 | |||
5.12. Parameter Randomness . . . . . . . . . . . . . . . . . . 26 | 5.12. Parameter Randomness . . . . . . . . . . . . . . . . . . 26 | |||
5.13. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 5.13. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 | |||
6.1. Hash Algorithms for HTTP Digest Authentication . . . . . 26 | 6.1. Hash Algorithms for HTTP Digest Authentication . . . . . 27 | |||
6.2. Digest Scheme Registration . . . . . . . . . . . . . . . 27 | 6.2. Digest Scheme Registration . . . . . . . . . . . . . . . 28 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 27 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 28 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 29 | 7.2. Informative References . . . . . . . . . . . . . . . . . 30 | |||
Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . 30 | Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . 31 | |||
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 30 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
1. Introduction | 1. Introduction | |||
HTTP provides a simple challenge-response authentication mechanism | HTTP provides a simple challenge-response authentication mechanism | |||
that may be used by a server to challenge a client request and by a | that may be used by a server to challenge a client request and by a | |||
client to provide authentication information. This document defines | client to provide authentication information. This document defines | |||
the HTTP Digest Authentication scheme that can be used with the HTTP | the HTTP Digest Authentication scheme that can be used with the HTTP | |||
authentication mechanism. | authentication mechanism. | |||
This document extends but is generally backward compatible with | This document extends but is generally backward compatible with | |||
(unchanged text omitted; resuming at page 27, line 46) | (unchanged text omitted; resuming at page 28, line 41) | |||
Authentication Scheme Name: Digest | Authentication Scheme Name: Digest | |||
Pointer to specification text: RFC 7616 | Pointer to specification text: RFC 7616 | |||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, | |||
RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration | [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration | |||
Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, | Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, | |||
October 2000, <http://www.rfc-editor.org/info/rfc2978>. | October 2000, <http://www.rfc-editor.org/info/rfc2978>. | |||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | |||
2003, <http://www.rfc-editor.org/info/rfc3629>. | 2003, <http://www.rfc-editor.org/info/rfc3629>. | |||
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
Resource Identifier (URI): Generic Syntax", STD 66, RFC | Resource Identifier (URI): Generic Syntax", STD 66, | |||
3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
<http://www.rfc-editor.org/info/rfc3986>. | <http://www.rfc-editor.org/info/rfc3986>. | |||
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | |||
"Randomness Requirements for Security", BCP 106, RFC 4086, | "Randomness Requirements for Security", BCP 106, RFC 4086, | |||
DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
<http://www.rfc-editor.org/info/rfc4086>. | <http://www.rfc-editor.org/info/rfc4086>. | |||
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network | [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network | |||
Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, | Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, | |||
<http://www.rfc-editor.org/info/rfc5198>. | <http://www.rfc-editor.org/info/rfc5198>. | |||
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | |||
Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/ | Specifications: ABNF", STD 68, RFC 5234, | |||
RFC5234, January 2008, | DOI 10.17487/RFC5234, January 2008, | |||
<http://www.rfc-editor.org/info/rfc5234>. | <http://www.rfc-editor.org/info/rfc5234>. | |||
[RFC5987] Reschke, J., "Character Set and Language Encoding for | [RFC5987] Reschke, J., "Character Set and Language Encoding for | |||
Hypertext Transfer Protocol (HTTP) Header Field | Hypertext Transfer Protocol (HTTP) Header Field | |||
Parameters", RFC 5987, DOI 10.17487/RFC5987, August 2010, | Parameters", RFC 5987, DOI 10.17487/RFC5987, August 2010, | |||
<http://www.rfc-editor.org/info/rfc5987>. | <http://www.rfc-editor.org/info/rfc5987>. | |||
[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, DOI | [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, | |||
10.17487/RFC6454, December 2011, | DOI 10.17487/RFC6454, December 2011, | |||
<http://www.rfc-editor.org/info/rfc6454>. | <http://www.rfc-editor.org/info/rfc6454>. | |||
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
Protocol (HTTP/1.1): Message Syntax and Routing", RFC | Protocol (HTTP/1.1): Message Syntax and Routing", | |||
7230, DOI 10.17487/RFC7230, June 2014, | RFC 7230, DOI 10.17487/RFC7230, June 2014, | |||
<http://www.rfc-editor.org/info/rfc7230>. | <http://www.rfc-editor.org/info/rfc7230>. | |||
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI | Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | |||
10.17487/RFC7231, June 2014, | DOI 10.17487/RFC7231, June 2014, | |||
<http://www.rfc-editor.org/info/rfc7231>. | <http://www.rfc-editor.org/info/rfc7231>. | |||
[RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | |||
Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", | Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", | |||
RFC 7234, DOI 10.17487/RFC7234, June 2014, | RFC 7234, DOI 10.17487/RFC7234, June 2014, | |||
<http://www.rfc-editor.org/info/rfc7234>. | <http://www.rfc-editor.org/info/rfc7234>. | |||
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
Protocol (HTTP/1.1): Authentication", RFC 7235, DOI | Protocol (HTTP/1.1): Authentication", RFC 7235, | |||
10.17487/RFC7235, June 2014, | DOI 10.17487/RFC7235, June 2014, | |||
<http://www.rfc-editor.org/info/rfc7235>. | <http://www.rfc-editor.org/info/rfc7235>. | |||
[RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation, | [RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation, | |||
Enforcement, and Comparison of Internationalized Strings | Enforcement, and Comparison of Internationalized Strings | |||
Representing Usernames and Passwords", RFC 7613, DOI | Representing Usernames and Passwords", RFC 7613, | |||
10.17487/RFC7613, August 2015, | DOI 10.17487/RFC7613, August 2015, | |||
<http://www.rfc-editor.org/info/rfc7613>. | <http://www.rfc-editor.org/info/rfc7613>. | |||
[RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- | [RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- | |||
Authentication-Info Response Header Fields", RFC 7615, DOI | Authentication-Info Response Header Fields", RFC 7615, | |||
10.17487/RFC7615, September 2015, | DOI 10.17487/RFC7615, September 2015, | |||
<http://www.rfc-editor.org/info/rfc7615>. | <http://www.rfc-editor.org/info/rfc7615>. | |||
7.2. Informative References | 7.2. Informative References | |||
[RFC2195] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP | [RFC2195] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP | |||
AUTHorize Extension for Simple Challenge/Response", RFC | AUTHorize Extension for Simple Challenge/Response", | |||
2195, DOI 10.17487/RFC2195, September 1997, | RFC 2195, DOI 10.17487/RFC2195, September 1997, | |||
<http://www.rfc-editor.org/info/rfc2195>. | <http://www.rfc-editor.org/info/rfc2195>. | |||
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
RFC 2617, DOI 10.17487/RFC2617, June 1999, | RFC 2617, DOI 10.17487/RFC2617, June 1999, | |||
<http://www.rfc-editor.org/info/rfc2617>. | <http://www.rfc-editor.org/info/rfc2617>. | |||
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/ | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
<http://www.rfc-editor.org/info/rfc2818>. | <http://www.rfc-editor.org/info/rfc2818>. | |||
[RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol | [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol | |||
(LDAP): Authentication Methods and Security Mechanisms", | (LDAP): Authentication Methods and Security Mechanisms", | |||
RFC 4513, DOI 10.17487/RFC4513, June 2006, | RFC 4513, DOI 10.17487/RFC4513, June 2006, | |||
<http://www.rfc-editor.org/info/rfc4513>. | <http://www.rfc-editor.org/info/rfc4513>. | |||
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
DOI 10.17487/RFC5226, May 2008, | DOI 10.17487/RFC5226, May 2008, | |||
<http://www.rfc-editor.org/info/rfc5226>. | <http://www.rfc-editor.org/info/rfc5226>. | |||
[RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", RFC | [RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", | |||
7617, DOI 10.17487/RFC7617, June 2015, | RFC 7617, DOI 10.17487/RFC7617, September 2015, | |||
<http://www.rfc-editor.org/info/rfc7617>. | <http://www.rfc-editor.org/info/rfc7617>. | |||
Appendix A. Changes from RFC 2617 | Appendix A. Changes from RFC 2617 | |||
This document introduces the following changes: | This document introduces the following changes: | |||
o Adds support for two new algorithms, SHA2-256 as mandatory and | o Adds support for two new algorithms, SHA2-256 as mandatory and | |||
SHA2-512/256 as a backup, and defines the proper algorithm | SHA2-512/256 as a backup, and defines the proper algorithm | |||
negotiation. The document keeps the MD5 algorithm support but | negotiation. The document keeps the MD5 algorithm support but | |||
only for backward compatibility. | only for backward compatibility. | |||
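As an added illustration of the algorithm negotiation this change introduces (example code written for this page, not text or code from RFC 7616 itself): the server offers one Digest challenge per algorithm in its preference order, the client takes the first one it can compute, and the qop=auth response is H(H(A1):nonce:nc:cnonce:qop:H(A2)). The realm, nonce, username and password values in the comments and checks are constructed, and because hashlib's "sha512_256" depends on the local OpenSSL build, SHA-512-256 is offered only when it is actually available.

```python
import hashlib
import secrets

# RFC 7616 algorithm tokens mapped to hashlib names. Whether "sha512_256" exists
# depends on the OpenSSL build, so an absent algorithm is simply never offered.
_HASHLIB_NAMES = {"SHA-256": "sha256", "SHA-512-256": "sha512_256", "MD5": "md5"}
# Server preference: SHA-256 is mandatory, SHA-512-256 the backup, MD5 legacy only.
SERVER_PREFERENCE = ["SHA-256", "SHA-512-256", "MD5"]

def hexdigest(alg, data):
    """Hex digest of `data` (bytes) under an RFC 7616 algorithm token; None if unavailable."""
    name = _HASHLIB_NAMES.get(alg)
    if name is None or name not in hashlib.algorithms_available:
        return None
    return hashlib.new(name, data).hexdigest()

def server_challenges(realm, nonce, allow_md5=False):
    """Challenges in the server's order of preference; MD5 only when legacy clients must work."""
    out = []
    for alg in SERVER_PREFERENCE:
        if alg == "MD5" and not allow_md5:
            continue
        if hexdigest(alg, b"") is not None:  # skip algorithms this build cannot compute
            out.append({"algorithm": alg, "realm": realm, "nonce": nonce, "qop": "auth"})
    return out

def client_pick(challenges, client_supported):
    """The client takes the first challenge (server order) it can compute, so the server's
    preference decides; None means nothing is mutually supported and the request fails."""
    for ch in challenges:
        if ch["algorithm"] in client_supported:
            return ch
    return None

def ha1(alg, username, realm, password):
    """H(A1) = H(username:realm:password). A server may store this instead of the password,
    but it is still password-equivalent for that realm, so it needs the same protection."""
    return hexdigest(alg, f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(alg, h_a1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)), with H(A2) = H(method:uri) for qop=auth."""
    h_a2 = hexdigest(alg, f"{method}:{uri}".encode("utf-8"))
    return hexdigest(alg, f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}".encode("utf-8"))

def server_verify(alg, stored_h_a1, method, uri, nonce, nc, cnonce, presented):
    """Recompute the expected response from the stored H(A1) and compare in constant time."""
    expected = digest_response(alg, stored_h_a1, method, uri, nonce, nc, cnonce)
    return expected is not None and secrets.compare_digest(expected, presented)
```

A server that has to keep `allow_md5=True` for old clients should still list MD5 last, since a client following the server's order will then only fall back to it when it implements nothing stronger.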
End of changes. 23 change blocks. | ||||
58 lines changed or deleted | 58 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |