
Tuesday, March 12, 2013

Digest Authentication

Digest authentication addresses the primary weakness of Basic authentication: sending the password in plain text. Digest authentication is a challenge/response mechanism that sends a digest (also known as a hash) of the password, rather than the password itself, over the network. A digest is a fixed-size result obtained by applying a one-way mathematical function (called a hash function or digest algorithm) to an arbitrary amount of data. The size of the digest is a property of the hash function, not of any encryption: a 128-bit digest, such as MD5 produces, is written as 32 hexadecimal characters, and a 40-bit digest would be written as 10.

When a client attempts to access a resource requiring Digest authentication, IIS sends the client a challenge containing a nonce (a server-chosen value meant to be used once) and asks the client to create a digest and send it to the server. The client concatenates the password with data known to both the server and the client (the user name, the realm, the nonce, and the request method and URI) and applies the digest algorithm specified by the server to the combined data. The client sends the resulting digest to the server as the response to the challenge. The server computes the same digest itself, using a copy of the client's password that it obtains from Active Directory, where the password must be stored using reversible encryption. If the digest created by the server matches the digest created by the client, IIS authenticates the client. IIS uses a subauthentication DLL (iissuba.dll) to perform this authentication, which results in a network logon.

By itself, Digest authentication is only a slight improvement over Basic authentication. In the absence of SSL/TLS, an attacker who records the communication between the client and server can replay the captured response to authenticate as that user for as long as the server still accepts the nonce it was computed against, and, because every input to the digest except the password is visible on the wire, can also test password guesses offline against the captured digest. For more information, see About Authentication in the IIS Documentation (http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiabasc.htm).
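The exchange described above, carried out in code as an added example (this is not IIS code or anything from the original page). It follows the RFC 2069 digest computation the page links to, which has no qop, cnonce or nonce-count fields, and shows both the client's response and the server's recomputation from its own copy of the password. The user name, realm, password, nonce and request are constructed sample values; the in-memory `passwords` dictionary stands in for the reversibly encrypted copy in Active Directory. The `single_use_nonces` switch is an assumption of the example used to contrast a server that keeps accepting a nonce (so a captured response replays) with one that retires each nonce after a successful use.

```python
"""RFC 2069 Digest authentication, both sides, plus the replay weakness.

Added worked example; not IIS code. All names, credentials and the request
are constructed sample values.
"""
import hashlib
import secrets


def md5_hex(*parts: str) -> str:
    """MD5 over the colon-joined parts, rendered as 32 hex characters (128 bits)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """Client side of RFC 2069:
        HA1      = H(username:realm:password)   <- the only secret input
        HA2      = H(method:uri)
        response = H(HA1:nonce:HA2)
    The server runs exactly the same computation with its copy of the password.
    """
    ha1 = md5_hex(username, realm, password)
    ha2 = md5_hex(method, uri)
    return md5_hex(ha1, nonce, ha2)


class DigestServer:
    """Minimal server: issues nonce challenges and verifies responses.

    `passwords` plays the role of the reversibly encrypted copy in Active
    Directory: the server needs the password (or at least HA1) to recompute
    the digest, which is why a one-way password hash is not enough here.
    """

    def __init__(self, realm, passwords, single_use_nonces):
        self.realm = realm
        self.passwords = passwords
        self.single_use_nonces = single_use_nonces  # example switch, see lead-in
        self.outstanding = set()  # nonces this server is currently willing to accept

    def challenge(self):
        """WWW-Authenticate: Digest realm=..., nonce=... (only the fields used here)."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, username, nonce, method, uri, response):
        """Recompute the digest from the stored password and compare."""
        if nonce not in self.outstanding:
            return False
        password = self.passwords.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, nonce, method, uri)
        ok = secrets.compare_digest(expected, response)  # constant-time compare
        if ok and self.single_use_nonces:
            self.outstanding.discard(nonce)  # a replay of this nonce now fails
        return ok


def replay_demo(single_use_nonces):
    """One legitimate login, then an eavesdropper resends the captured
    (nonce, response) pair verbatim. Returns (first_login_ok, replay_ok)."""
    server = DigestServer("example.test", {"alice": "correct horse"}, single_use_nonces)
    chal = server.challenge()
    resp = digest_response("alice", chal["realm"], "correct horse",
                           chal["nonce"], "GET", "/secret")
    first = server.verify("alice", chal["nonce"], "GET", "/secret", resp)
    replay = server.verify("alice", chal["nonce"], "GET", "/secret", resp)
    return first, replay


def offline_guess(username, realm, nonce, method, uri, response, candidates):
    """Everything except the password is visible on the wire, so a recorded
    exchange lets an attacker test guesses offline without touching the server."""
    for guess in candidates:
        if digest_response(username, realm, guess, nonce, method, uri) == response:
            return guess
    return None


if __name__ == "__main__":
    print("long-lived nonce (first, replay):", replay_demo(single_use_nonces=False))
    print("single-use nonce (first, replay):", replay_demo(single_use_nonces=True))
```

Without SSL/TLS, both the replay and the offline guessing work against a recorded exchange; retiring nonces after use stops the verbatim replay but not the guessing, which is why the page recommends SSL/TLS in addition.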

 

Pros

  • Sends a digest over the network instead of a password.
  • Works with proxy servers and firewalls.
  • Does not require SSL/TLS for the sake of password protection.

Cons

  • Cannot delegate security credentials (the result is a network logon, so the server cannot use the client's identity to reach other machines).
  • Was supported only by Internet Explorer 5.0 and later at the time this was written.
  • Is subject to replay attacks unless you use SSL/TLS.
  • Requires Active Directory to store passwords using reversible encryption, which is equivalent to storing them in cleartext.
  • Requires the creation of a domain account for each user in Active Directory.

Implementation

To use Digest authentication in Windows 2000, the server must have access to an Active Directory server that is set up for Digest authentication. For more information, see Enabling and Configuring Authentication in the IIS Documentation (http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiauths.htm?id=76) and Knowledge Base article Q222028, Setting Up Digest Authentication for Use with Internet Information Services 5.0 (http://support.microsoft.com/support/kb/articles/Q222/0/28.asp).

Note   After configuring Active Directory to store passwords using reversible encryption, each user must change his or her password before Active Directory can store it in this form; existing passwords are not converted, and such users cannot use Digest authentication until they do.

If you implement Digest authentication, you should also use SSL/TLS to defend against replay attacks. For more information, see Setting up SSL on Your Server in the IIS Documentation (http://www.microsoft.com/windows2000/en/server/iis/htm/core/iisslsc.htm) and Knowledge Base article Q298805, HOW TO: Enable SSL for All Customers Who Interact with Your Web Site (http://support.microsoft.com/support/kb/articles/Q298/8/05.asp).

If your ASP.NET application needs to run as the user authenticated by IIS Digest authentication, use the following Web.config configuration. Setting the authentication mode to Windows makes the identity that IIS authenticated available to the application; to actually execute request code under that user's token, impersonation must be enabled as well. Because Digest authentication produces a network logon that cannot be delegated, the impersonated token is usable on the Web server only, not for reaching remote resources. For more information, see ASP.NET Authentication.

<!-- Web.config file -->
<configuration>
  <system.web>
    <authentication mode="Windows" />  <!-- use the identity that IIS authenticated -->
    <identity impersonate="true" />    <!-- execute request code under that identity -->
  </system.web>
</configuration>


For more information about Digest authentication, see the specification (RFC 2069) on the Internet Engineering Task Force (IETF) Web site (http://www.ietf.org/rfc/rfc2069.txt). RFC 2069 has since been obsoleted by RFC 2617 and later RFC 7616, which add the qop, cnonce and nonce-count fields that let a compliant server detect replayed responses; the basic weaknesses described above (the server needs the password in recoverable form, and an eavesdropper can attack a recorded exchange offline) remain, so SSL/TLS is still required.