What is the difference between Digest and Basic Authentication?
What is the difference between Digest and Basic Authentication?

Dreadfully answered 2/3, 2012 at 14:6 Comment(0)

Digest Authentication communicates credentials in an encrypted form by applying a hash function to: the username, the password, a server supplied nonce value, the HTTP method and the requested URI.

Basic Authentication, by contrast, uses non-encrypted base64 encoding.

Therefore, Basic Authentication should generally only be used where transport layer security is provided such as https.

See RFC 2617 for all the gory details.

Whereunto answered 2/3, 2012 at 14:10 Comment(5)
How is basic authentication not encrypted? I used this website to decode the username & password data: base64decode.org – Dreadfully
Encoding and encrypting are not the same thing. The fact that you are able to decode the credentials using that site shows that they are not encrypted. – Whereunto
@Whereunto what do you mean by "decode the credentials"? Hashed credentials can't be decoded... – Superabound
Right, and basic auth doesn't use hashed credentials; they are base64 encoded. – Whereunto
@DotFreelancer To put things in a simple way, encryption requires a key to decrypt using a certain method, whereas for encoding only the method is needed. If the one who receives an encrypted message doesn't have the key, the message cannot be recovered (decrypted). – Annikaanniken

HTTP Basic Access Authentication

  • STEP 1: the client makes a request for information, sending a username and password to the server in plain text
  • STEP 2: the server responds with the desired information or an error

Basic Authentication uses base64 encoding (not encryption) for generating our cryptographic string which contains the information of username and password. HTTP Basic doesn’t need to be implemented over SSL, but if you don’t, it isn’t secure at all. So I’m not even going to entertain the idea of using it without.

Pros:

  • It's simple to implement, so your client developers will have less work to do and take less time to deliver, so developers could be more likely to want to use your API
  • Unlike Digest, you can store the passwords on the server in whatever encryption method you like, such as bcrypt, making the passwords more secure
  • Just one call to the server is needed to get the information, making the client slightly faster than more complex authentication methods might be

Cons:

  • SSL is slower to run than basic HTTP so this causes the clients to be slightly slower
  • If you don’t have control of the clients, and can’t force the server to use SSL, a developer might not use SSL, causing a security risk

In Summary – if you have control of the clients, or can ensure they use SSL, HTTP Basic is a good choice. The slowness of the SSL can be cancelled out by the speed of only making one request

Syntax of basic Authentication

Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value> 
// at last Authorization key/value map added to http header as follows
Authorization: <Authorization Value>

HTTP Digest Access Authentication
Digest Access Authentication uses hashing (i.e. digest means cut into small pieces) methodologies to generate the cryptographic result. HTTP Digest access authentication is a more complex form of authentication that works as follows:

  • STEP 1: a client sends a request to a server
  • STEP 2: the server responds with a special code (called a nonce, i.e. a number used only once), another string representing the realm (not a particular page; it could be a group of pages, i.e. a partitioned protection space) and asks the client to authenticate
  • STEP 3: the client responds with this nonce and an encrypted version of the username, password and realm (a hash)
  • STEP 4: the server responds with the requested information if the client hash matches their own hash of the username, password and realm, or an error if not

Pros:

  • No usernames or passwords are sent to the server in plaintext, making a non-SSL connection more secure than an HTTP Basic request that isn’t sent over SSL. This means SSL isn’t required, which makes each call slightly faster.

Cons:

  • For every call needed, the client must make 2, making the process slightly slower than HTTP Basic
  • HTTP Digest is vulnerable to a man-in-the-middle security attack which basically means it could be hacked
  • HTTP Digest prevents use of the strong password encryption, meaning the passwords stored on the server could be hacked

In Summary, HTTP Digest is inherently vulnerable to at least two attacks, whereas a server using strong encryption for passwords with HTTP Basic over SSL is less likely to share these vulnerabilities.

If you don’t have control over your clients however they could attempt to perform Basic authentication without SSL, which is much less secure than Digest.

RFC 2069 Digest Access Authentication Syntax

Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:Hash2)

RFC 2617 Digest Access Authentication Syntax

Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)
//some additional parameters added 

source and example

In Postman it looks as follows:

[Postman screenshot not available]

Note:

  • The Basic and Digest schemes are dedicated to authentication using a username and a secret.
  • The Bearer scheme is dedicated to authentication using a token. In the BA (Basic Authentication) header, a Bearer token can be thought of as "give access to the bearer of this token".
Kylakylah answered 4/12, 2015 at 22:49 Comment(6)
On your web server could you not just redirect to https for all http requests even if you do not have control of the clients? – Hurds
The more I think about it, the more I see your point, however. Assuming they submit their credentials via http and get to your site you could redirect, but if they hit a malicious site you cannot help. – Hurds
Why, with Digest, can you not encrypt your password before storing in the database, and when pulling it out, decrypt it? – Savoyard
Although the selected answer is closer to the question, I like this answer since it gives pros and cons for us uninitiated ones. – Icken
Excellent answer, precise and explained the pros and cons. – Lynellelynett
I think you're confusing digest as a verb with the noun form with this statement: "digest means cut into small pieces". Digest in this context means a summary of the information, i.e. the hashed credentials. – Knitter

Let us see the difference between the two HTTP authentication methods using Wireshark (a tool to analyse packets sent or received).

1. HTTP Basic Authentication

[Basic authentication screenshot not available]

As soon as the client types in the correct username:password, as requested by the web server, the web server checks in the database if the credentials are correct and gives access to the resource.

Here is how the packets are sent and received :

[Packet capture screenshot not available] In the first packet the client fills in the credentials using the POST method at the resource lab/webapp/basicauth. In return the server replies with HTTP response code 200 OK, i.e. the username:password were correct.

[Detail of HTTP packet: screenshot not available]

Now, in the Authorization header it shows that it is Basic Authorization followed by some random string. This string is the encoded (Base64) version of the credentials admin:aadd (including the colon).

2. HTTP Digest Authentication (RFC 2069)

So far we have seen that Basic Authentication sends username:password in plaintext over the network. But Digest Auth sends a HASH of the password using a hash algorithm.

Here are packets showing the requests made by the client and response from the server .

[Digest authentication screenshot not available]

As soon as the client types the credentials requested by the server, the password is converted to a response using an algorithm and then sent to the server. If the server database has the same response as given by the client, the server gives access to the resource; otherwise a 401 error.

[Detailed digest auth packet: screenshot not available] In the above Authorization, the response string is calculated using the values of Username, Realm, Password, HTTP method, URI and Nonce as shown in the image:

[Response algorithm (colons are included): screenshot not available]

Hence, we can see that Digest Authentication is more secure as it involves hashing (MD5 encryption), so packet sniffer tools cannot sniff the password, whereas in Basic Auth the exact password was shown in Wireshark.

Howsoever answered 21/7, 2017 at 13:45 Comment(4)
This should be the accepted answer as it is more informative, and kudos for the charts. – Soubrette
Nonsense. Basic Auth is only meant to be used over HTTPS. So the real comparison is Basic Auth over HTTPS versus Digest Auth over HTTP. Seeing as websites are encrypting all their traffic nowadays, you might as well use Basic Auth over HTTPS. – Cowes
@Cowes You are confusing yourself with encryption and authentication. – Howsoever
@BoRRis, no, he is saying that the unencrypted password will not be visible to packet sniffers, because all traffic including the password is encrypted in https. – Scissors
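The Basic and Digest header constructions from the second answer (the username:password base64 step and the RFC 2069 / RFC 2617 response formulas) and the Wireshark observations in the answer above, carried out in code. This is an added example, not code from any of the answers: the Basic pair admin:aadd is the constructed value from the capture above, and the Digest inputs (Mufasa, testrealm@host.com, Circle Of Life, nonce dcd98b7102dd2f0e8b11d0f600bfb0c093, cnonce 0a4f113b) are the worked-example values in RFC 2617 section 3.5. The server-side verify shows why a Digest server has to keep the MD5 HA1 value rather than a bcrypt hash, which is the "strong password encryption" con listed above.

```python
import base64
import hashlib
import hmac

# Constructed Basic credentials (from the Wireshark answer) and the RFC 2617 worked example.
BASIC_USER, BASIC_PASS = "admin", "aadd"
USER, REALM, PASS = "Mufasa", "testrealm@host.com", "Circle Of Life"
METHOD, URI = "GET", "/dir/index.html"
NONCE, CNONCE, NC, QOP = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001", "auth"


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(username, password):
    """Basic scheme: base64 is a reversible encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header):
    """What a sniffer on plain HTTP recovers from the header: the exact password.
    The password may itself contain colons, so split only at the first one."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). The server must store this value as-is to
    verify responses, which is why it cannot store bcrypt hashes for Digest users."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2069 form when qop is None; RFC 2617 qop=auth form otherwise."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, client_response, nc=None, cnonce=None, qop=None):
    """Server-side check: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    hdr = basic_header(BASIC_USER, BASIC_PASS)
    print(hdr, "->", decode_basic(hdr))
    ha1 = digest_ha1(USER, REALM, PASS)
    resp = digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE, QOP)
    print("Digest response:", resp, "verified:", server_verify(ha1, METHOD, URI, NONCE, resp, NC, CNONCE, QOP))
```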