KD(secret, data) = H(concat(secret, ":", data))
i.e., the digest is the MD5 of the secret concatenated with a colon
concatenated with the data.
2.1.2 The Authorization Request Header
The client is expected to retry the request, passing an Authorization
header line, which is defined as follows.
   Authorization       = "Authorization" ":" "Digest" digest-response

   digest-response     = 1#( username | realm | nonce | digest-uri |
                             response | [ digest ] | [ algorithm ] |
                             opaque )

   username            = "username" "=" username-value
   username-value      = quoted-string
   digest-uri          = "uri" "=" digest-uri-value
   digest-uri-value    = request-uri   ; As specified by HTTP/1.1
   response            = "response" "=" response-digest
   digest              = "digest" "=" entity-digest
   response-digest     = <"> *LHEX <">
   entity-digest       = <"> *LHEX <">
   LHEX                = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
                         "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"
The definitions of response-digest and entity-digest above indicate
the encoding for their values. The following definitions show how the
value is computed:
RFC 2069 Digest Access Authentication January 1997
   response-digest =
        <"> < KD ( H(A1), unquoted nonce-value ":" H(A2) ) > <">

   A1       = unquoted username-value ":" unquoted realm-value
              ":" password
   password = < user's password >
   A2       = Method ":" digest-uri-value
The "username-value" field is a "quoted-string" as specified in
section 2.2 of the HTTP/1.1 specification [2]. However, the
surrounding quotation marks are removed in forming the string A1.
Thus if the Authorization header includes the fields
username="Mufasa", realm="myhost@testrealm.com"
and the user Mufasa has password "CircleOfLife" then H(A1) would be
H(Mufasa:myhost@testrealm.com:CircleOfLife) with no quotation marks
in the digested string.
No white space is allowed in any of the strings to which the digest
function H() is applied unless that white space exists in the quoted
strings or entity body whose contents make up the string to be
digested. For example, the string A1 illustrated above must
be Mufasa:myhost@testrealm.com:CircleOfLife with no white space on
either side of the colons. Likewise, the other strings digested by
H() must not have white space on either side of the colons which
delimit their fields unless that white space was in the quoted
strings or entity body being digested.
"Method" is the HTTP request method as specified in section 5.1 of
[2]. The "request-uri" value is the Request-URI from the request
line as specified in section 5.1 of [2]. This may be "*", an
"absoluteURL" or an "abs_path" as specified in section 5.1.2 of [2],
but it MUST agree with the Request-URI. In particular, it MUST be an
"absoluteURL" if the Request-URI is an "absoluteURL".
The authenticating server must ensure that the document designated by
the "uri" parameter is the same as the document served. The purpose
of duplicating information from the request URL in this field is to
deal with the possibility that an intermediate proxy may alter the
client's request. This altered (but presumably semantically
equivalent) request would not result in the same digest as that
calculated by the client.
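The response-digest computation above (KD over H(A1), the unquoted nonce and H(A2), with unquoted values and no white space around the colons), together with the server-side requirement that the "uri" parameter agree with the Request-URI, as an added example in Python. This is not code from the RFC. The credential store, the lookup function and the hypothetical names of the functions are constructed for the example; the username, realm, password, nonce, uri and opaque values are those of the worked example in section 2.4 of RFC 2069.

```python
"""RFC 2069 Digest Access Authentication: client-side response-digest
computation and the server-side check (added example, not RFC text)."""
import hashlib
import hmac
import re


def H(data: str) -> str:
    """H() is MD5 over the exact octets; the output is lowercase hex (LHEX)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(secret + ":" + data)


def a1(username: str, realm: str, password: str) -> str:
    """A1 = unquoted username-value ":" unquoted realm-value ":" password.
    Callers pass already-unquoted values; no white space is added around the colons."""
    return username + ":" + realm + ":" + password


def a2(method: str, digest_uri: str) -> str:
    """A2 = Method ":" digest-uri-value."""
    return method + ":" + digest_uri


def response_digest(username, realm, password, nonce, method, digest_uri) -> str:
    """response-digest = KD(H(A1), unquoted nonce-value ":" H(A2))."""
    return KD(H(a1(username, realm, password)), nonce + ":" + H(a2(method, digest_uri)))


def build_authorization(username, realm, password, nonce, method, request_uri, opaque=None) -> str:
    """Client side: the credentials for the retried request's Authorization header.
    "uri" duplicates the Request-URI so the server can detect a proxy rewriting it."""
    resp = response_digest(username, realm, password, nonce, method, request_uri)
    fields = [("username", username), ("realm", realm), ("nonce", nonce),
              ("uri", request_uri), ("response", resp)]
    if opaque is not None:
        fields.append(("opaque", opaque))
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields)


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header: str) -> dict:
    """Split Digest credentials into a dict of unquoted parameter values.
    Quoted-string escapes (\\") are not handled; none of the values here need them."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def verify_authorization(header, request_method, request_uri, issued_nonce, lookup_password) -> bool:
    """Server side. True only if the digest matches AND the "uri" parameter agrees
    with the Request-URI actually being served. lookup_password(username, realm)
    returns the stored password or None (hypothetical helper for the example)."""
    try:
        p = parse_digest_header(header)
        username, realm, nonce = p["username"], p["realm"], p["nonce"]
        uri, response = p["uri"], p["response"]
    except (ValueError, KeyError):
        return False
    if uri != request_uri:        # MUST agree with the Request-URI
        return False
    if nonce != issued_nonce:     # only honour a nonce this server handed out
        return False
    password = lookup_password(username, realm)
    if password is None:
        return False
    expected = response_digest(username, realm, password, nonce, request_method, uri)
    return hmac.compare_digest(expected, response)   # constant-time comparison


# Constructed credential store; the values are those of the RFC 2069 section 2.4 example.
USERS = {("Mufasa", "testrealm@host.com"): "CircleOfLife"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
OPAQUE = "5ccc069c403ebaf9f0171e9517f40e41"


def example_header() -> str:
    """The client's credentials for GET /dir/index.html with the section 2.4 inputs.
    RFC 2069 section 2.4 lists e966c932a9242554e42c8ee200cec7f6 as the response for them."""
    return build_authorization("Mufasa", "testrealm@host.com", "CircleOfLife",
                               NONCE, "GET", "/dir/index.html", opaque=OPAQUE)


if __name__ == "__main__":
    hdr = example_header()
    print("Authorization:", hdr)
    lookup = lambda u, r: USERS.get((u, r))
    print("same request verifies:", verify_authorization(hdr, "GET", "/dir/index.html", NONCE, lookup))
    print("uri rewritten by proxy:", verify_authorization(hdr, "GET", "/dir/other.html", NONCE, lookup))
```

The server recomputes the digest from the Request-URI it is actually serving, so a request whose "uri" parameter was altered in transit fails the explicit equality check, and a request whose Request-URI was altered while "uri" was left alone fails the digest comparison; both outcomes are what the paragraph above requires.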
The optional "digest" field contains a digest of the entity body and
some of the associated entity headers. This digest can be useful in
both request and response transactions. In a request it can ensure
the integrity of POST data or data being PUT to the server. In a
response it ensures the integrity of the served document. The value
of the "digest" field is an <entity-digest> which is defined as