Re: Digest access authentication format



On Dec 18, 11:32 pm, yawnmoth <terra1...@xxxxxxxxx> wrote:
From <http://tools.ietf.org/html/rfc2617#section-3.2.2>:

       username         = "username" "=" username-value
       username-value   = quoted-string
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1

From a Wireshark capture of Digest access authentication:

Authorization: Digest username="test", realm="...",
nonce="AAR638Epy8c=89095bd24b74677157136987475f5b678ca33945",
uri="/path/to/test.php", algorithm=MD5,
response="44ace83593f6562119a38aef0c34b76a", qop=auth, nc=00000007,
cnonce="c4859daa492b97e6"

My question is... why does uri, in the Wireshark capture, have double
quotes? username has them because quoted-string (which is what
username-value is defined as) has them but request-uri (which is what
digest-uri-value is defined as), as defined in
<http://tools.ietf.org/html/rfc2616#section-5.1.2> does not appear to.
So why are they there?

Related to this, <http://tools.ietf.org/html/rfc2069#section-2.1.2>'s
Authorization header has an optional parameter - digest.
<http://tools.ietf.org/html/rfc2617#section-3.2.2>, however, makes no
mention of a digest header. Why was the 'digest' header dropped? (note
that I haven't read all of RFC2617 yet so if it's explained further
within that I probably just haven't gotten to that part of it).

Also, what's the point of including an algorithm parameter in the
Authorization header? The domains parameter, as defined in the
WWW-Authorize header, isn't returned in the Authorization header because
presumably it'd serve no point. It seems to me that the algorithm
parameter is similarly pointless? And if the client can pick and
choose what algorithms it wants to use then why does the server send
the algorithm parameter in the WWW-Authorize header? It doesn't seem
to me that RFC2617 has any provisions for algorithm negotiation so
it's not as if the server can say "here's a list of algorithms I
support" and the client can pick among them.
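As an added example (not code from the thread), a small server-side parser and verifier in Python for the Authorization header format quoted above: it accepts both quoted-string and bare-token parameter values, since the capture mixes them (uri quoted; algorithm, qop and nc bare), and recomputes the RFC 2617 MD5 response with qop=auth. The password used when exercising it is constructed; the capture's own response cannot be checked without the real credentials.

```python
import hashlib
import hmac
import re

# One auth-param: name=value, where value is either a quoted-string (with
# backslash escapes) or a bare token. Real headers mix both forms.
_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_header(header):
    """Parse an 'Authorization: Digest ...' field value into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for name, quoted, bare in _PARAM.findall(params):
        # Quotes are already stripped by the regex; unescape \" inside them.
        fields[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return fields


def _md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def compute_response(fields, method, password):
    """RFC 2617 response for algorithm=MD5 (qop=auth, or the RFC 2069 form)."""
    ha1 = _md5(fields["username"], fields["realm"], password)
    ha2 = _md5(method, fields["uri"])
    if fields.get("qop") == "auth":
        return _md5(ha1, fields["nonce"], fields["nc"], fields["cnonce"], "auth", ha2)
    return _md5(ha1, fields["nonce"], ha2)  # no qop: RFC 2069 compatibility


def verify(header, method, password):
    """Server-side check: recompute the response and compare in constant time."""
    fields = parse_digest_header(header)
    if fields.get("algorithm", "MD5").upper() != "MD5":
        return False  # MD5-sess and other algorithms are not handled here
    try:
        expected = compute_response(fields, method, password)
    except KeyError:
        return False  # a required parameter is missing
    return hmac.compare_digest(expected, fields.get("response", ""))
```

The server must also check that the nonce was one it issued and that nc increases, which this snippet leaves to the caller.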