A Example of SASL DIGEST-MD5 Digest Authentication

Subject: A Example of SASL DIGEST-MD5 Digest Authentication
Author: SteveHB
In response to: Type 4 -- The DIGEST-MD5 Digest-Response Validation
Posted on: 06/13/2006 02:04:06 PM

This example shows the use of the Digest SASL mechanism with the IMAP4 AUTHENTICATE command [RFC 2060].

In this example, "C:" and "S:" represent a line sent by the client or server respectively including a CRLF at the end. Linebreaks and indentation within a "C:" or "S:" are editorial and not part of the protocol. The password in this example was "secret". Note that the base64 encoding of the challenges and responses is part of the IMAP4 AUTHENTICATE command, not part of the Digest specification itself.

    C: a AUTHENTICATE DIGEST-MD5
    S: + cmVhbG09ImVsd29vZC5pbm5vc29mdC5jb20iLG5vbmNlPSJPQTZNRzl0
         RVFHbTJoaCIscW9wPSJhdXRoIixhbGdvcml0aG09bWQ1LXNlc3MsY2hh
         cnNldD11dGYtOA==
    C: Y2hhcnNldD11dGYtOCx1c2VybmFtZT0iY2hyaXMiLHJlYWxtPSJlbHdvb2
       QuaW5ub3NvZnQuY29tIixub25jZT0iT0E2TUc5dEVRR20yaGgiLG5jPTAw
       MDAwMDAxLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLGRpZ2VzdC11cmk9Im
       ltYXAvZWx3b29kLmlubm9zb2Z0LmNvbSIscmVzcG9uc2U9ZDM4OGRhZDkw
       ZDRiYmQ3NjBhMTUyMzIxZjIxNDNhZjcscW9wPWF1dGg=
    S: + cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
    C:
    S: a OK User logged in

The base64-decoded version of the SASL exchange is:

    S: realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
       algorithm=md5-sess,charset=utf-8
    C: charset=utf-8,username="chris",realm="elwood.innosoft.com",
       nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",
       digest-uri="imap/elwood.innosoft.com",
       response=d388dad90d4bbd760a152321f2143af7,qop=auth
    S: rspauth=ea40f60335c427b5527b84dbabcdfffd

>
> On 06/13/2006 01:50:41 PM SteveHB wrote:

Structure:

response-auth = "rspauth" "=" response-value

The server receives and validates the "digest-response". The server checks that the nonce-count is "00000001". If it supports subsequent authentication, it saves the value of the nonce and the nonce-count. It sends 'response-auth' with the 'response-value' being calculated as above, except that if qop is "auth", then A2 is
A2 = { ":", digest-uri-value }

And if qop is "auth-int" or "auth-conf" then A2 is
A2 = { ":", digest-uri-value, ":00000000000000000000000000000000" }

Compared to its use in HTTP, the following Digest directives in the "digest-response" are unused:

nextnonce

qop

cnonce

nonce-count

References:

Next Post: DIGEST-MD5 Integrity Protection SteveHB 06/13/2006 06:20:48 PM
Previous Post: Type 4 -- The DIGEST-MD5 Digest-Response Validation SteveHB 06/13/2006 01:50:41 PM
Next Topic: When and Why DIGEST-MD5 Authentication Does Not Work? SteveHB 06/30/2006 07:03:52 PM
Previous Topic: Supplement LDAP Specifications SteveHB 06/12/2006 06:40:50 PM
Index: by Date
Index: by Topic