What is the difference between Digest and Basic Authentication?
Solution 1:
Digest Authentication communicates credentials in an encrypted form by applying a hash function to: the username, the password, a server supplied nonce value, the HTTP method and the requested URI.
Whereas Basic Authentication uses non-encrypted base64 encoding.
Therefore, Basic Authentication should generally only be used where transport layer security is provided such as https.
See RFC-2617 for all the gory details.
Solution 2:
HTTP Basic Access Authentication
- STEP 1 : the client makes a request for information, sending a username and password to the server in plain text
- STEP 2 : the server responds with the desired information or an error
Basic Authentication uses base64 encoding(not encryption) for generating our cryptographic string which contains the information of username and password. HTTP Basic doesn’t need to be implemented over SSL, but if you don’t, it isn’t secure at all. So I’m not even going to entertain the idea of using it without.
Pros:
- Its simple to implement, so your client developers will have less work to do and take less time to deliver, so developers could be more likely to want to use your API
- Unlike Digest, you can store the passwords on the server in whatever encryption method you like, such as bcrypt, making the passwords more secure
- Just one call to the server is needed to get the information, making the client slightly faster than more complex authentication methods might be
Cons:
- SSL is slower to run than basic HTTP so this causes the clients to be slightly slower
- If you don’t have control of the clients, and can’t force the server to use SSL, a developer might not use SSL, causing a security risk
In Summary – if you have control of the clients, or can ensure they use SSL, HTTP Basic is a good choice. The slowness of the SSL can be cancelled out by the speed of only making one request
Syntax of basic Authentication
Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>
//at last Authorization key/value map added to http header as follows
Authorization: <Authorization Value>
HTTP Digest Access Authentication
Digest Access Authentication uses the hashing(i.e digest means cut into small pieces) methodologies to generate the cryptographic result. HTTP Digest access authentication is a more complex form of authentication that works as follows:
- STEP 1 : a client sends a request to a server
- STEP 2 : the server responds with a special code (called a nonce i.e. number used only once), another string representing the realm(a hash) and asks the client to authenticate
- STEP 3 : the client responds with this nonce and an encrypted version of the username, password and realm (a hash)
- STEP 4 : the server responds with the requested information if the client hash matches their own hash of the username, password and realm, or an error if not
Pros:
- No usernames or passwords are sent to the server in plaintext, making a non-SSL connection more secure than an HTTP Basic request that isn’t sent over SSL. This means SSL isn’t required, which makes each call slightly faster
Cons:
- For every call needed, the client must make 2, making the process slightly slower than HTTP Basic
- HTTP Digest is vulnerable to a man-in-the-middle security attack which basically means it could be hacked
- HTTP Digest prevents use of the strong password encryption, meaning the passwords stored on the server could be hacked
In Summary, HTTP Digest is inherently vulnerable to at least two attacks, whereas a server using strong encryption for passwords with HTTP Basic over SSL is less likely to share these vulnerabilities.
If you don’t have control over your clients however they could attempt to perform Basic authentication without SSL, which is much less secure than Digest.
RFC 2069 Digest Access Authentication Syntax
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:Hash2)
RFC 2617 Digest Access Authentication Syntax
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)
//some additional parameters added
source and example
In Postman looks as follows:
Note:
- The Basic and Digest schemes are dedicated to the authentication using a username and a secret.
- The Bearer scheme is dedicated to the authentication using a token.
Solution 3:
Let us see the difference between the two HTTP authentication using Wireshark
(Tool to analyse packets sent or received) .
1. Http Basic Authentication
As soon as the client types in the correct username:password,as requested by the Web-server, the Web-Server checks in the Database if the credentials are correct and gives the access to the resource .
Here is how the packets are sent and received :
In the first packet the Client fill the credentials using the POST method at the resource - lab/webapp/basicauth
.In return the server replies back with http response code 200 ok ,i.e, the username:password were correct .
Now , In the Authorization
header it shows that it is Basic Authorization followed by some random string .This String is the encoded (Base64) version of the credentials admin:aadd
(including colon ) .
2 . Http Digest Authentication(rfc 2069)
So far we have seen that the Basic Authentication sends username:password in plaintext over the network .But the Digest Auth sends a HASH of the Password using Hash algorithm.
Here are packets showing the requests made by the client and response from the server .
As soon as the client types the credentials requested by the server , the Password is converted to a response
using an algorithm and then is sent to the server , If the server Database has same response as given by the client the server gives the access to the resource , otherwise a 401 error .
In the above Authorization
, the response
string is calculated using the values of Username
,Realm
,Password
,http-method
,URI
and Nonce
as shown in the image :
(colons are included)
Hence , we can see that the Digest Authentication is more Secure as it involve Hashing (MD5 encryption) , So the packet sniffer tools cannot sniff the Password although in Basic Auth the exact Password was shown on Wireshark.