Is Apache Digest authentication more secure than Basic or not?
On the Authorization intro page, Apache tells us that:

Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure.

while on the mod_auth_digest page, Apache tells us that:

This module implements HTTP Digest Authentication (RFC2617), and provides an alternative to mod_auth_basic where the password is not transmitted as cleartext. However, this does not lead to a significant security advantage over basic authentication. On the other hand, the password storage on the server is much less secure with digest authentication than with basic authentication.

Can someone clarify these seemingly contradictory statements for me? I understand that both ways of handling passwords are vulnerable to replay attacks (unless you're also using SSL) but that seems like a separate issue.

Wenoa answered 3/1, 2014 at 18:18 Comment(3)
mod_auth_digest also says "However, this does not lead to a significant security advantage over basic authentication" as well. About all you get with digest is no passwords in plaintext on the wire, but otherwise no more (and no less) security server-side than with plain. Basically the main auth page is out of date. - Colorant
Is password storage security different between the two? - Wenoa
Not sure how digest stores the passwords in the AuthUserFile, but for regular plain auth, the hash used is incredibly outdated and offers about as much security as a cereal box decoder ring. - Colorant
With basic authentication the password is sent nearly plain (base64 encoded) to the server, and on the server side it gets hashed and compared against the hashed password (stored in an htpasswd file or similar). With digest authentication the hashed password is sent to the server (with some server-defined data added so replay attacks will not work). But to verify the password you need to have the plain password on the server side (or something close to the plain password). This means that if an attacker gets access to the htpasswd file, they need to crack all the passwords before they can be used for basic authentication, while if they get access to the htdigest file, they can use it directly for digest authentication.

In summary: basic auth is less secure on the wire, but way more secure to store on the server. The best choice of the two would therefore be to use basic auth with SSL. But both authentication techniques have the disadvantage that there is no way for a session timeout or explicit logout, i.e. the browser will stay logged in until it gets closed. This makes attacks like CSRF easier.

Laddie answered 3/1, 2014 at 19:55 Comment(6)
en.wikipedia.org/wiki/Digest_access_authentication seems to say that it's possible to store encrypted digest passwords on the server, but I guess Apache does not? - Wenoa
You could store the passwords encrypted, but then you would need to decrypt them before verifying the digest. And it's not supported by Apache. From the RFC for Basic and Digest auth, tools.ietf.org/html/rfc2617#section-4.13: "The security implications of this are that if this password file is compromised, then an attacker gains immediate access to documents on the server using this realm. Unlike, say a standard UNIX password file, this information need not be decrypted in order to access documents in the server realm associated with this file." - Laddie
Yeah, I found that page too, but it's almost 15 years old! I don't know how to evaluate whether documentation (or stackoverflow answers!) is up to date. - Wenoa
The security problems of both authentication protocols have not changed, which is one of the reasons that authentication is today usually done within the web application itself (with support for logout, timeouts...). - Laddie
I can store a hash of the password and have Apache compare to it with "AuthType Digest" like this (the hash that Apache is checking is md5(username:realm:password); you can create it on the command line with htdigest.exe): `AuthDBDUserRealmQuery "SELECT passwordhash FROM users WHERE username = %s"`. Isn't that pretty safe? I am not saving the plaintext password and I don't have to decrypt it to verify the digest. - Nicolnicola
@rpilkey: you're correct that you can store HA1 (see Wikipedia for the meaning) instead of the password, like you did. But compromise of HA1 is comparable to a compromise of the password, because all the attacker needs for a successful authentication exchange is HA1. Thus the problem is similar to storing the plain password. - Laddie
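To make the answer's point (and the HA1 discussion in the comments) concrete, here is an added example that is not part of the original answer: a minimal RFC 2617 digest computation (MD5, qop=auth) with a server-side check that recomputes from a stored htdigest entry. The htdigest contents, realm, nonce and cnonce are constructed sample values. Because both the server check and the client response are derived from HA1 alone, whoever holds the htdigest line can produce a valid response without ever knowing the password, which is why that file must be protected like a plaintext credential.

```python
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is exactly what htdigest stores."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client 'response' per RFC 2617 section 3.2.2.1 with qop=auth.
    Note the input is HA1, not the password: the password itself is never needed."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def load_htdigest(text: str) -> dict:
    """Parse htdigest lines of the form user:realm:HA1 into {(user, realm): HA1}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, h = line.split(":", 2)
        table[(user, realm)] = h
    return table


def server_verify(table: dict, username: str, realm: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """What mod_auth_digest effectively does: recompute from the stored HA1 and compare.
    The server never sees or needs the plaintext password either."""
    stored = table.get((username, realm))
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Constructed sample htdigest file (not a real deployment): one user in realm "private".
SAMPLE_HTDIGEST = "# constructed sample\nalice:private:" + ha1("alice", "private", "s3cret") + "\n"
TABLE = load_htdigest(SAMPLE_HTDIGEST)
```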
