draft-ietf-httpauth-digest-update-03.txt   draft-ietf-httpauth-digest-update-04.txt 
HTTPAuth Working Group R. Shekh-Yusef HTTPAuth Working Group R. Shekh-Yusef
Internet-Draft D. Ahrens Internet-Draft D. Ahrens
Updates: 2617 (if approved) Avaya Updates: 2617 (if approved) Avaya
Intended Status: Standards Track July 7, 2013 Intended Status: Standards Track July 13, 2013
Expires: January 8, 2014 Expires: January 14, 2014
HTTP Digest Update HTTP Digest Update
draft-ietf-httpauth-digest-update-03 draft-ietf-httpauth-digest-update-04
Abstract Abstract
This documents specifies extensions to the HTTP Digest Authentication This documents specifies extensions to the HTTP Digest Authentication
mechanism to add support for new digest algorithms to the HTTP Digest mechanism to add support for new digest algorithms to the HTTP Digest
Access Authentication scheme. Access Authentication scheme.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
skipping to change at page 3, line 8 skipping to change at page 3, line 8
4 Security Considerations . . . . . . . . . . . . . . . . . . . . 8 4 Security Considerations . . . . . . . . . . . . . . . . . . . . 8
5 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 8 5 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 8
6 References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6 References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1 Normative References . . . . . . . . . . . . . . . . . . . 9 6.1 Normative References . . . . . . . . . . . . . . . . . . . 9
6.2 Informative References . . . . . . . . . . . . . . . . . . 9 6.2 Informative References . . . . . . . . . . . . . . . . . . 9
7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 10 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 10
1 Introduction 1 Introduction
This document specifies extensions to the HTTP Digest Access This document specifies extensions to the HTTP Digest Access
Authentication scheme by adding support for SHA2-256 [FIPS 186-3] and Authentication scheme by adding support for SHA2-256 [FIPS 180-3] and
SHA2-512/256 hash algorithms. RFC2617 specifies the MD5 algorithm as SHA2-512/256 [FIPS 180-3] hash algorithms. RFC2617 specifies the MD5
the default hash algorithm used in the digest access authentication algorithm as the default hash algorithm used in the digest access
scheme. Since RFC2617 was first proposed, the MD5 algorithm has been authentication scheme. Since RFC2617 was first proposed, the MD5
broken. In 2008 the US-CERT issued a note that MD5 "should be algorithm has been broken. In 2008 the US-CERT issued a note that
considered cryptographically broken and unsuitable for further use" MD5 "should be considered cryptographically broken and unsuitable for
[CERT-VU]. further use" [CERT-VU].
1.1 Terminology 1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [RFC2119]. document are to be interpreted as described in RFC2119 [RFC2119].
2 Syntax Convention 2 Syntax Convention
In the interest of clarity and readability, the extended parameters In the interest of clarity and readability, the extended parameters
skipping to change at page 7, line 5 skipping to change at page 6, line 46
* SHA2-512/256 as a backup algorithm. * SHA2-512/256 as a backup algorithm.
* MD5 for backward compatibility. * MD5 for backward compatibility.
A future version of this document might add SHA3 [SHA3] as a backup A future version of this document might add SHA3 [SHA3] as a backup
algorithm, once its definition has been finalized and published. algorithm, once its definition has been finalized and published.
When the client receives the response it SHOULD use the topmost When the client receives the response it SHOULD use the topmost
header that it supports, unless a local policy dictates otherwise. header that it supports, unless a local policy dictates otherwise.
The client should ignore any challenge it does not understand. The client should ignore any challenge it does not understand.
NOTE: There is some concern around the support for the SHA2-512/256
algorithm in the common implementation of SHA2.
3.5 Example 3.5 Example
The following example is borrowed from RFC2617 and assumes that an The following example is borrowed from RFC2617 and assumes that an
access protected document is being requested from the server via a access protected document is being requested from the server via a
GET request. The URI of the document is GET request. The URI of the document is
http://www.nowhere.org/dir/index.html". Both client and server know http://www.nowhere.org/dir/index.html". Both client and server know
that the username for this document is "Mufasa" and the password is that the username for this document is "Mufasa" and the password is
"Circle of Life" ( with one space between each of the three words). "Circle of Life" ( with one space between each of the three words).
The first time the client requests the document, no Authorization The first time the client requests the document, no Authorization
header is sent, so the server responds with: header is sent, so the server responds with:
HTTP/1.1 401 Unauthorized HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest WWW-Authenticate: Digest
realm = "testrealm@host.com" realm = "testrealm@host.com",
qop="auth, auth-int", qop="auth, auth-int",
algorithm="SHA2" algorithm="SHA2-256",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41" opaque="5ccc069c403ebaf9f0171e9517f40e41"
WWW-Authenticate: Digest WWW-Authenticate: Digest
realm="testrealm@host.com", realm="testrealm@host.com",
qop="auth, auth-int", qop="auth, auth-int",
algorithm="MD5", algorithm="MD5",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40ef41" opaque="5ccc069c403ebaf9f0171e9517f40ef41"
The client may prompt the user for their username and password, after The client may prompt the user for their username and password, after
which it will respond with a new request, including the following which it will respond with a new request, including the following
Authorization header if the client chooses MD5 digest: Authorization header if the client chooses MD5 digest:
Authorization:Digest username="Mufasa", Authorization:Digest username="Mufasa",
realm="testrealm@host.com" realm="testrealm@host.com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html", uri="/dir/index.html",
qop="auth", qop="auth",
algorithm="MD5" algorithm="MD5",
nc=00000001, nc=00000001,
cnonce="0a4f113b", cnonce="0a4f113b",
response="6629fae49393a05397450978507c4ef1", response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41" opaque="5ccc069c403ebaf9f0171e9517f40e41"
If the client chooses to use the SHA2-256 algorithm for calculating If the client chooses to use the SHA2-256 algorithm for calculating
the response, the client responds with a new request including the the response, the client responds with a new request including the
following Authorization header: following Authorization header:
Authorization:Digest username="Mufasa", Authorization:Digest username="Mufasa",
realm="testrealm@host.com" realm="testrealm@host.com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html", uri="/dir/index.html",
qop="auth" qop="auth",
algorithm="SHA2" algorithm="SHA2-256",
nc=00000001 nc=00000001,
cnonce="0a4f113b", cnonce="0a4f113b",
response="5abdd07184ba512a22c53f41470e5eea7dcaa3a93 response="5abdd07184ba512a22c53f41470e5eea7dcaa3a93
a59b630c13dfe0a5dc6e38b", a59b630c13dfe0a5dc6e38b",
opaque="5ccc069c403ebaf9f0171e9517f40e41" opaque="5ccc069c403ebaf9f0171e9517f40e41"
4 Security Considerations 4 Security Considerations
This specification updates the Digest Access Authentication scheme This specification updates the Digest Access Authentication scheme
specified in RFC2617 to add support for the SHA2-256 and SHA2-512/256 specified in RFC2617 to add support for the SHA2-256 and SHA2-512/256
hash algorithms. Support for these additional hash algorithms does hash algorithms. Support for these additional hash algorithms does
skipping to change at page 9, line 19 skipping to change at page 9, line 19
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication", Authentication: Basic and Digest Access Authentication",
RFC 2617, June 1999. RFC 2617, June 1999.
6.2 Informative References 6.2 Informative References
[FIPS186-3] National Institute of Standards and Technology [FIPS180-3] National Institute of Standards and Technology
(NIST), FIPS Publication 186-3: Digital Signature (NIST), FIPS Publication 180-3: Digital Signature
Standard, June 2009. Standard, June 2009.
[CERT-VU] Vulnerability Note VU#836068, "MD5 vulnerable to [CERT-VU] Vulnerability Note VU#836068, "MD5 vulnerable to
collision attacks", December 2008. collision attacks", December 2008.
[SHA3] National Institute of Standards and Technology (NIST), [SHA3] National Institute of Standards and Technology (NIST),
"CRYPTOGRAPHIC HASH AND SHA-3 STANDARD DEVELOPMENT". "CRYPTOGRAPHIC HASH AND SHA-3 STANDARD DEVELOPMENT".
http://csrc.nist.gov/groups/ST/hash/index.html http://csrc.nist.gov/groups/ST/hash/index.html
7 Authors' Addresses 7 Authors' Addresses
Rifaat Shekh-Yusef Rifaat Shekh-Yusef
Avaya Avaya
250 Sydney Street 250 Sydney Street
Belleville, Ontario Belleville, Ontario
Canada Canada
Phone: +1-613-967-5267 Phone: +1-613-967-5267
 End of changes. 13 change blocks. 
25 lines changed or deleted 28 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/