  DIGEST-MD5 -- Digest Authentication as a SASL Mechanism
Author: SteveHB
Posted on: 06/13/2006 01:08:03 PM


What's DIGEST-MD5?

DIGEST-MD5 (RFC 2831) is a challenge-response authentication protocol used as a SASL mechanism for digest authentication and, optionally, for negotiating a security layer (integrity protection with qop=auth-int, or confidentiality with qop=auth-conf). For the confidentiality layer it specifies the following ciphers: Triple DES, DES and RC4 (128, 56 and 40 bits). Note that the mechanism was later moved to Historic status by RFC 6331 because of weaknesses in these ciphers and in MD5 itself, so it should only be used where nothing stronger (SCRAM, or TLS with client certificates) is available.

SASL DIGEST-MD5 employs a challenge-response mechanism for authentication, in which the client proves knowledge of the password without ever sending it to the server. Once the client has asked for the mechanism, the exchange consists of three messages, which RFC 2831 calls the digest-challenge (server to client), the digest-response (client to server) and the response-auth (server to client). It basically works like this:


  • The client first asks the server to authenticate with DIGEST-MD5 (in LDAP, a bind request naming the SASL mechanism "DIGEST-MD5" and carrying no initial credentials).

  • The server responds with a digest-challenge: a comma-separated list of directives describing what it supports or requires (realm, qop, cipher, charset, algorithm=md5-sess), which lets client and server agree on the quality of protection and cipher, and, more importantly, a random, unpredictable challenge, commonly referred to as the nonce.

  • The client combines the nonce from the challenge with its own random cnonce, the nonce-count nc (00000001 for a fresh authentication), the user's credentials and the digest-uri of the service to calculate the response value (MD5 over values derived from H(username:realm:password), as laid out in RFC 2831 section 2.1.2.1). The inputs to the calculation differ slightly depending on whether qop=auth, auth-int or auth-conf was negotiated. The client then sends the digest-response to the server.

  • Finally, the server receives and validates the digest-response. It checks that the nonce-count is "00000001" and that the nonce is one it issued and has not been used before, recomputes the response from its own copy of the password (or of H(username:realm:password)) and compares the two. If they match, it answers with a response-auth message carrying rspauth, a digest the client verifies in turn so that it, too, knows it is talking to a server that holds its credentials. If the server supports subsequent authentication, it saves the value of the nonce and the nonce-count.
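The exchange above, carried through in Python for qop=auth (no security layer), as an added example that is not code from the original post: the server issues a challenge, the client computes the digest-response, the server checks nc and the nonce, recomputes and compares the response, and returns rspauth, which the client checks. The realm, user name, password and digest-uri are the sample values from RFC 2831 section 4, used here as constructed input; the Server class, parse_directives, client_respond and run_exchange are names chosen for this example.

```python
"""Worked DIGEST-MD5 (RFC 2831) exchange with qop=auth: server challenge,
client digest-response, server check plus rspauth, client rspauth check.
Added example, not code from the original post; realm, user name, password
and digest-uri are the RFC 2831 section 4 sample values (constructed input)."""
import hashlib
import hmac
import re
import secrets

# key=value[,key=value...]; values may be quoted and contain escaped quotes
_DIRECTIVE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_directives(msg: str) -> dict:
    """Parse a digest-challenge or digest-response into a dict (quotes stripped)."""
    out = {}
    for key, val in _DIRECTIVE.findall(msg):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        out[key] = val
    return out


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest(username, realm, password, nonce, cnonce, nc, qop, digest_uri,
           authzid=None, rspauth=False) -> str:
    """RFC 2831 2.1.2.1: 'response' (rspauth=False) or 'rspauth' (rspauth=True).

    HA1 = H( H(user:realm:pass) ":" nonce ":" cnonce [":" authzid] ), inner hash raw
    A2  = "AUTHENTICATE:" digest-uri for the client, ":" digest-uri for rspauth;
          ":" + 32 zeros is appended when qop is auth-int or auth-conf
    result = HEX(H( HEX(HA1) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)) ))
    """
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2.encode('utf-8')).hex()}"
    return _h(kd.encode("utf-8")).hex()


class Server:
    """One DIGEST-MD5 verifier. Remembers issued nonces so each is accepted once."""

    def __init__(self, realm: str, users: dict):
        self.realm, self.users = realm, users   # users: name -> password
        self.issued = set()

    def challenge(self) -> str:
        nonce = secrets.token_urlsafe(16)       # unpredictable, never reused
        self.issued.add(nonce)
        return (f'realm="{self.realm}",nonce="{nonce}",qop="auth",'
                'algorithm=md5-sess,charset=utf-8')

    def verify(self, digest_response: str):
        """Return the response-auth message on success, None on any failure."""
        d = parse_directives(digest_response)
        g = lambda k: d.get(k, "")
        # Fresh authentication: nc must be 00000001 and the nonce must be ours
        if g("nc") != "00000001" or g("nonce") not in self.issued:
            return None
        self.issued.discard(g("nonce"))         # burn the nonce: no replay
        password = self.users.get(g("username"))
        if password is None or g("realm") != self.realm:
            return None
        args = (g("username"), self.realm, password, g("nonce"), g("cnonce"),
                g("nc"), g("qop") or "auth", g("digest-uri"), g("authzid") or None)
        if not hmac.compare_digest(digest(*args).encode(), g("response").encode()):
            return None
        return "rspauth=" + digest(*args, rspauth=True)


def client_respond(challenge: str, username: str, password: str,
                   digest_uri: str, cnonce: str = None):
    """Build the digest-response for a challenge; also return the rspauth the
    client expects back, so it can authenticate the server in turn."""
    c = parse_directives(challenge)
    cnonce = cnonce or secrets.token_urlsafe(16)
    args = (username, c["realm"], password, c["nonce"], cnonce, "00000001",
            "auth", digest_uri)
    msg = (f'charset=utf-8,username="{username}",realm="{c["realm"]}",'
           f'nonce="{c["nonce"]}",nc=00000001,cnonce="{cnonce}",'
           f'digest-uri="{digest_uri}",response={digest(*args)},qop=auth')
    return msg, "rspauth=" + digest(*args, rspauth=True)


def run_exchange(password_tried: str = "secret"):
    """Full round trip. Returns (client_accepted_server, replay_accepted)."""
    server = Server("elwood.innosoft.com", {"chris": "secret"})
    msg, expected = client_respond(server.challenge(), "chris", password_tried,
                                   "imap/elwood.innosoft.com")
    rspauth = server.verify(msg)
    ok = rspauth is not None and hmac.compare_digest(rspauth, expected)
    return ok, server.verify(msg) is not None   # second use of the same nonce


if __name__ == "__main__":
    print(run_exchange())          # (True, False)
    print(run_exchange("wrong"))   # (False, False)
```

The two things worth noticing when reading it against the steps above: the password itself never appears on the wire, only MD5 values that depend on the server's nonce and the client's cnonce, and the server keeps a set of issued nonces and discards each one as it is consumed, which is what the nc=00000001 check buys you in practice. A server that skipped that bookkeeping would accept a captured digest-response a second time.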

