rfcdiff: draft-ietf-httpauth-digest-update-04.txt vs. draft-ietf-httpauth-digest-update-05.txt

HTTPAuth Working Group                                    R. Shekh-Yusef
Internet-Draft                                                 D. Ahrens
Updates: 2617 (if approved)                                        Avaya
Intended Status: Standards Track
Date:    July 13, 2013 (-04) / September 2, 2013 (-05)
Expires: January 14, 2014 (-04) / March 6, 2014 (-05)

                           HTTP Digest Update
             draft-ietf-httpauth-digest-update-04 / -05
Abstract

This document specifies extensions to the HTTP Digest Authentication
mechanism to add support for new digest algorithms to the HTTP Digest
Access Authentication scheme.

[Added in -05:] This document also defines an extension to the HTTP
Digest Authentication mechanism to allow the server to indicate its
support for the UTF-8 character encoding scheme.
Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
[unchanged text omitted by rfcdiff; resumes at page 2, line 17 (-04) /
page 2, line 22 (-05)]

include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents (as in -05; -04 had no Section 4 "Internationalization",
so its Sections 4 through 7 correspond to Sections 5 through 8 below)

1 Introduction
  1.1 Terminology
2 Syntax Convention
3 Digest Access Authentication Scheme
  3.1 Introduction
    3.1.1 Representation of digest values
    3.1.2 Limitations
  3.2 Specification of Digest Headers
    3.2.1 The WWW-Authenticate Response Header
    3.2.2 The Authorization Request Header
  3.3 Digest Operation
  3.4 Security Protocol Operation
  3.5 Example
4 Internationalization (added in -05)
5 Security Considerations
6 Acknowledgments
7 References
  7.1 Normative References
  7.2 Informative References
8 Authors' Addresses
1 Introduction

This document specifies extensions to the HTTP Digest Access
Authentication scheme by adding support for the SHA2-256 [FIPS180-3]
and SHA2-512/256 [FIPS180-3] hash algorithms. RFC2617 specifies the
MD5 algorithm as the default hash algorithm used in the digest access
authentication scheme. Since RFC2617 was first proposed, the MD5
algorithm has been broken. In 2008 the US-CERT issued a note that
MD5 "should be considered cryptographically broken and unsuitable for
further use" [CERT-VU].

[Added in -05:] RFC2617 does not define how to treat Unicode
characters [UNICODE] outside the ASCII range [RFC20] with the
"Digest" scheme. This document also defines an extension to the HTTP
Digest Authentication mechanism to allow the server to indicate its
support for the UTF-8 character encoding scheme.
1.1 Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [RFC2119].
2 Syntax Convention

In the interest of clarity and readability, the extended parameters
or the headers and parameters in the examples in this document might

[unchanged text omitted by rfcdiff; resumes at page 8, line 21 (-04) /
page 9, line 5 (-05), inside the Section 3.5 example]
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        uri="/dir/index.html",
        qop="auth",
        algorithm="SHA2-256",
        nc=00000001,
        cnonce="0a4f113b",
        response="5abdd07184ba512a22c53f41470e5eea7dcaa3a93a59b630c13dfe0a5dc6e38b",
        opaque="5ccc069c403ebaf9f0171e9517f40e41"
4 Internationalization [section added in -05; in -04, Section 4 was
"Security Considerations"]

The "Digest" mechanism allows for new parameters to be defined and
used with Authenticate and Authorization requests. This document
defines a new optional "charset" auth-param that could be used by the
server to indicate the encoding scheme it supports.

In challenges, servers MAY use the "charset" authentication parameter
(case-insensitive) to express the character encoding they expect the
user agent to use.

The only allowed value is "UTF-8", to be matched case-insensitively,
indicating that the server expects the UTF-8 character encoding to be
used ([RFC3629]).
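As an added worked example, not part of the draft and not any implementation it describes, the following Python computes and verifies the Digest "response" value with the hash algorithms the draft names (MD5 from RFC 2617, plus SHA2-256 and SHA2-512/256 from Section 1) and applies the Section 4 "charset" rule when encoding the username, realm and password. The nonce, uri, nc, cnonce and opaque are the values in the draft's Section 3.5 example; the username, realm and password ("Mufasa", "testrealm@host.com", "Circle Of Life") are RFC 2617's own example values, for which the MD5 response is 6629fae49393a05397450978507c4ef1. The parameter parser, the fallback to ISO-8859-1 when no charset is sent, and all function names are assumptions of this example rather than anything the draft specifies.

```python
import hashlib
import hmac
import re

# Hash algorithms by their Digest "algorithm" token: MD5 from RFC 2617 and the
# two SHA-2 variants this draft adds. Each maps to a hashlib constructor.
ALGORITHMS = {
    "MD5": hashlib.md5,
    "SHA2-256": hashlib.sha256,
    "SHA2-512/256": lambda data=b"": hashlib.new("sha512_256", data),
}


def parse_auth_params(header_value):
    """Minimal parser (an assumption of this example, not the draft's ABNF) for
    the comma-separated token=value / token="value" list in a challenge or in
    credentials. Parameter names are lower-cased; quoted values are unquoted."""
    params = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', header_value):
        key, quoted, bare = m.groups()
        params[key.lower()] = quoted if quoted is not None else bare
    return params


def credential_encoding(challenge_params):
    """Section 4 rule: if the server sent "charset", the only allowed value is
    "UTF-8", matched case-insensitively; anything else is rejected. When the
    parameter is absent this example falls back to ISO-8859-1 (an assumption
    standing in for pre-UTF-8 behaviour; the draft defines no default)."""
    charset = challenge_params.get("charset")
    if charset is None:
        return "iso-8859-1"
    if charset.upper() != "UTF-8":
        raise ValueError("unsupported charset in challenge: %r" % charset)
    return "utf-8"


def digest_response(algorithm, username, password, realm, method, uri,
                    nonce, nc, cnonce, qop="auth", encoding="utf-8"):
    """RFC 2617 'response' for qop=auth with the selected hash H:
    HA1 = H(username:realm:password), HA2 = H(method:uri),
    response = H(HA1:nonce:nc:cnonce:qop:HA2). username, realm and password
    are encoded with the negotiated charset before hashing."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unknown algorithm %r" % algorithm)

    def h(data):
        return ALGORITHMS[algorithm](data).hexdigest()

    ha1 = h(":".join([username, realm, password]).encode(encoding))
    ha2 = h(("%s:%s" % (method, uri)).encode("ascii"))
    return h(":".join([ha1, nonce, nc, cnonce, qop, ha2]).encode("ascii"))


def verify_credentials(authorization_value, password, method, encoding="utf-8"):
    """Server side: recompute the response from the stored password and compare
    it to the client's value in constant time. Missing or unknown parameters
    (including an unsupported algorithm token) reject."""
    p = parse_auth_params(authorization_value)
    try:
        expected = digest_response(p.get("algorithm", "MD5"), p["username"],
                                   password, p["realm"], method, p["uri"],
                                   p["nonce"], p["nc"], p["cnonce"],
                                   p.get("qop", "auth"), encoding)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, p["response"])


# Constructed challenge: nonce and opaque are the draft's Section 3.5 values,
# realm is RFC 2617's example realm, and charset=UTF-8 exercises Section 4.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth", algorithm="SHA2-256", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", charset=UTF-8, '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def build_credentials(challenge, username, password, method, uri, nc, cnonce):
    """Client side: honour the challenge's algorithm and charset, then emit the
    Authorization parameter list."""
    c = parse_auth_params(challenge)
    enc = credential_encoding(c)
    resp = digest_response(c.get("algorithm", "MD5"), username, password,
                           c["realm"], method, uri, c["nonce"], nc, cnonce,
                           c.get("qop", "auth"), enc)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=%s, '
            'algorithm="%s", nc=%s, cnonce="%s", response="%s", opaque="%s"'
            % (username, c["realm"], c["nonce"], uri, c.get("qop", "auth"),
               c.get("algorithm", "MD5"), nc, cnonce, resp, c.get("opaque", "")))


if __name__ == "__main__":
    creds = build_credentials(CHALLENGE, "Mufasa", "Circle Of Life", "GET",
                              "/dir/index.html", "00000001", "0a4f113b")
    print(creds)
    print("verified:", verify_credentials(creds, "Circle Of Life", "GET"))
```

The server-side check recomputes the response rather than trusting the client's algorithm token blindly: an unknown token falls through to a rejection instead of a crash, and the comparison uses hmac.compare_digest so that a byte-by-byte mismatch does not leak timing. Encoding the credentials with the negotiated charset is the whole point of Section 4: the same non-ASCII password encoded as ISO-8859-1 and as UTF-8 yields different hashes, so client and server must agree before either side hashes anything.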
5 Security Considerations (Section 4 in -04)

This specification updates the Digest Access Authentication scheme
specified in RFC2617 to add support for the SHA2-256 and SHA2-512/256
hash algorithms. Support for these additional hash algorithms does
not alter the security properties of the Digest Access Authentication
scheme.
6 Acknowledgments (Section 5 in -04)

The authors would like to thank Geoff Baskwill and Eric Cooper for
their careful review and comments on the pre-published version of
this document.

The authors would also like to thank Stephen Farrell, Yoav Nir,
Phillip Hallam-Baker, Manu Sporny, Paul Hoffman, Julian Reschke, and
Sean Turner for their careful review and comments on and off the
mailing list.

Special thanks to Yaron Sheffer for his thorough review, comments on
and off the list, and for the text he provided for the limitation
section.
7 References (Section 6 in -04)

7.1 Normative References (6.1 in -04)

[RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2617]   Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
            Leach, P., Luotonen, A., and L. Stewart, "HTTP
            Authentication: Basic and Digest Access Authentication",
            RFC 2617, June 1999.

[Added in -05:]

[RFC3629]   Yergeau, F., "UTF-8, a transformation format of ISO
            10646", STD 63, RFC 3629, November 2003.

[RFC6365]   Hoffman, P. and J. Klensin, "Terminology Used in
            Internationalization in the IETF", BCP 166, RFC 6365,
            September 2011.

[UNICODE]   The Unicode Consortium, "The Unicode Standard,
            Version 6.0", <http://www.unicode.org/versions/Unicode6.0.0/>.

[RFC20]     Cerf, V., "ASCII format for Network Interchange", RFC 20,
            October 1969.

7.2 Informative References (6.2 in -04)

[FIPS180-3] National Institute of Standards and Technology (NIST),
            FIPS Publication 180-3: Digital Signature Standard,
            June 2009.

[CERT-VU]   Vulnerability Note VU#836068, "MD5 vulnerable to
            collision attacks", December 2008.

[SHA3]      National Institute of Standards and Technology (NIST),
            "CRYPTOGRAPHIC HASH AND SHA-3 STANDARD DEVELOPMENT",
            <http://csrc.nist.gov/groups/ST/hash/index.html>.
8 Authors' Addresses (Section 7 in -04)

Rifaat Shekh-Yusef
Avaya
250 Sydney Street
Belleville, Ontario
Canada

Phone: +1-613-967-5267
Email: rifaat.ietf@gmail.com

David Ahrens
Avaya

(-04 only:)
4655 Great America Parkway
Santa Clara, CA 95054
Phone: (408) 562-5502
EMail: davidahrens@avaya.com

(-05:)
EMail: ahrensdc@gmail.com
End of changes. 15 change blocks; 22 lines changed or deleted, 60 lines
changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is
available from http://tools.ietf.org/tools/rfcdiff/