Module: HTTPAuth::Digest

Defined in:
lib/httpauth/digest.rb

Overview

Digest

The Digest class provides a number of methods to handle HTTP Digest Authentication. Generally the server sends a challenge to the client for a resource that needs authorization, and the client tries to respond with the correct credentials. Digest authentication rapidly becomes more complicated after that; if you want to build an implementation, I suggest you at least skim RFC 2617 (www.ietf.org/rfc/rfc2617.txt).

Examples

Digest authentication examples are too large to include in source documentation. Please consult the examples directory for client and server implementations.

The classes and code of the library are set up to be as transparent as possible, so integrating the library with any implementation talking HTTP, either through CGI or directly, should be possible.

The ‘Digest’

In Digest authentication the client’s credentials are never sent in plain text over HTTP. You don’t even have to store the passwords in plain text on the server to authenticate clients. The library doesn’t force you to use the digest mechanism; it also works if you specify the username, password and realm directly. If you do decide to use digests, you can generate them in the following way:

H(username + ':' + realm + ':' + password)

Where H returns the MD5 hexdigest of the string. The Utils class defines a method to calculate the digest.

HTTPAuth::Digest::Utils.htdigest(username, realm, password)

The format of this digest is the same in most implementations. Apache’s htdigest tool, for instance, stores the digests in a text file with one entry per line:

username:realm:digest

Security

Digest authentication is quite a bit more secure than Basic authentication, but it isn’t as secure as SSL. The biggest difference between Basic and Digest authentication is that Digest authentication doesn’t send clear-text passwords, only an MD5 digest. Recent developments in password cracking and cryptanalysis have found several ways to create collisions with MD5 hashes, so it is not infinitely secure. However, it currently still takes a lot of computing power to crack MD5 digests. Checking for brute-force attacks in your application and routinely changing the user credentials, and maybe even the realm, makes it a lot harder for a cracker to abuse your application.

Defined Under Namespace

Classes: AbstractHeader, AuthenticationInfo, Challenge, Conversions, Credentials, Session, Utils