
Understanding HTTP Authentication Basic and Digest

HTTP authentication defines the methods by which web servers and browsers exchange credentials such as usernames and passwords. The schemes covered here, Basic and Digest Authentication, implement predefined standards that use Base64 encoding and MD5 cryptographic hashing over the HTTP protocol.

In this article, we are covering the methodologies/standards used for HTTP Authentication.

For the sake of understanding, we will use our own PHP scripts that simply capture the username and password, and we will generate the Authorization value according to the standards.


Basic Access Authentication using Base 64 Encoding

In Basic Authentication, we use Base64 encoding to generate the encoded string that carries the username and password. Please note that this is an encoding, not encryption; the same information could be represented with any other encoding technique, such as URL or hexadecimal encoding.

The example below illustrates the concept; we use Burp Suite to capture and display the request.

The webpage is asking for input from the client

We are providing “hackingarticles” as User Name and “ignite” as a password.

The syntax of Basic Authentication

Value = username:password

Encoded Value = base64(Value)

Authorization Value = Basic <Encoded Value>

In basic authentication, you combine the username and password into a single string using a colon in between.

Value = hackingarticles:ignite

We then encode this string using base 64 encoding.

Encoded Value = base64 encoded value of hackingarticles:ignite which is aGFja2luZ2FydGljbGVzOmlnbml0ZQ==

Finally, the Authorization Value is obtained by prefixing the encoded value with the text “Basic” followed by a space. (We can capture the request using Burp Suite to see the result.)

The Authorization Value for this example is “Basic aGFja2luZ2FydGljbGVzOmlnbml0ZQ==”. The server receives this value.

Finally, the server decodes the Authorization value and returns the entered credentials.

Basic Authentication offers little security because it relies only on encoding, so anyone who sees the header can decode the Authorization value. To enhance security, we discuss other standards below.
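The two sides of the Basic exchange above, written out as an added Python example (not code from the article or its PHP scripts). The client function builds the header exactly as derived above, and the server-side function shows that "reading" the credentials is a plain Base64 decode, which is why the header is only as confidential as the transport carrying it. The function names are my own; the username and password are the article's.

```python
import base64
import binascii
from typing import Optional, Tuple


def build_basic_authorization(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(username:password), as the article derives it.
    The first colon is the separator, so the username itself must not contain one
    (RFC 7617 forbids it); the password may."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Server side (or anyone who can see the header): decode, never 'decrypt'.
    Returns (username, password), or None if the value is not a well-formed
    Basic credential (wrong scheme, invalid Base64, or no colon separator)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of ignoring them
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, separator, password = raw.partition(":")
    if not separator:
        return None
    return username, password


if __name__ == "__main__":
    header = build_basic_authorization("hackingarticles", "ignite")
    print(header)                            # the Authorization value captured in Burp Suite
    print(parse_basic_authorization(header))  # the credentials, recovered by a single decode
```

The parser is deliberately strict: a server that silently accepts malformed Base64 or a missing colon makes its authentication logs harder to reason about, and `validate=True` is what turns "garbage in" into a clean `None` rather than a half-decoded string.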

RFC 2069 Digest Access Authentication

Digest Access Authentication uses hashing to generate the cryptographic result. Here the final value is sent as the response value.

RFC 2069 authentication is now outdated, and RFC 2617, which is an enhanced version of RFC 2069, is used instead.

The syntax of RFC 2069 is explained below.

Syntax of RFC 2069

Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:Hash2)

Hash1 contains the MD5 hash value of (username:realm:password), where the realm is any string provided by the server and the username and password are the input provided by the client.

Hash2 stores the MD5 hash value of (method:digestURI), where the request method can be GET or POST depending on the page request, and digestURI represents the URL of the page to which the request is sent.

The client sends the final string, the MD5 hash value of (Hash1:nonce:Hash2), to the server as the response. Hash1 and Hash2 are generated as above, and the nonce is an arbitrary string provided by the server that is intended to be used only once.

RFC 2617 Digest Access Authentication

RFC 2617 digest authentication also uses the MD5 hashing algorithm, but the final hash value is generated with some additional parameters.

Syntax of RFC 2617

Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

Hash1 contains the MD5 hash value of (username:realm:password), where the realm is any string provided by the server and the username and password are the input provided by the client.

Hash2 contains the MD5 hash value of (method:digestURI). The method can be GET or POST depending on the page request, and digestURI is the URL to which the request is sent.

The client then sends the response, the MD5 hash value of (Hash1:nonce:nonceCount:cnonce:qop:Hash2), as the final string to the server. Hash1 and Hash2 are generated as above. For more details on the other parameters, refer to https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx.

The actual working of RFC 2617 is described below.

The webpage is asking for input from the client

We are providing “guest” as User Name and “guest” as a password.

Through Burp Suite, we capture the request so that we obtain all the parameters and can compare the captured hash values with the hash values we generate with another tool (a hash calculator in this case).

We have captured the following parameter values:

realm="Hacking Articles", nonce="58bac26865505", uri="/auth/02-2617.php", opaque="8d8909139750c6bd277cfe1388314f48", qop=auth, nc=00000001, cnonce="72ae56dde9406045", response="ac8e3ecd76d33dd482783b8a8b67d8c1"

Hash1 Syntax = MD5(username:realm:password)

Hash1 = MD5(guest:Hacking Articles:guest)

Calculated MD5: 2c6165332ebd26709360786bafd2cd49

Hash2 Syntax = MD5(method:digestURI)

Hash2 = MD5(GET:/auth/02-2617.php)

Calculated MD5: b6a6df472ee01a9dbccba5f5e6271ca8

Response Syntax = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

Response = MD5(2c6165332ebd26709360786bafd2cd49:58bac26865505:00000001:72ae56dde9406045:auth:b6a6df472ee01a9dbccba5f5e6271ca8)

Calculated MD5: ac8e3ecd76d33dd482783b8a8b67d8c1

Finally, the response value obtained through the hash calculator is exactly the same as the one we captured with Burp Suite above.
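The hash-calculator steps above, together with the RFC 2069 and RFC 2617 syntax sections, as one added Python example (my code, not the article's or its PHP scripts). It parses a Digest header of the shape captured in Burp Suite, implements both response formulas with the article's Hash1/Hash2 names, and adds the server side that the article only shows as a screenshot: the server cannot decrypt the response, it can only recompute it from the stored password and compare. The header string is constructed from the article's captured parameters, with the username from the login step added because a real Authorization header carries it; the function names are assumptions.

```python
import hashlib
import re
import secrets
from typing import Dict


def md5_hex(text: str) -> str:
    """MD5 of a string as lowercase hex, the hash Digest Authentication (RFC 2069/2617) prescribes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_params(header_value: str) -> Dict[str, str]:
    """Split the comma-separated key=value pairs of a Digest header into a dict.
    Values are either quoted (realm="Hacking Articles") or bare tokens (qop=auth, nc=00000001)."""
    params: Dict[str, str] = {}
    for match in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', header_value):
        key, quoted, bare = match.groups()
        params[key] = quoted if quoted is not None else bare
    return params


def digest_response_2069(username, realm, password, method, uri, nonce):
    """RFC 2069: response = MD5(Hash1:nonce:Hash2)."""
    hash1 = md5_hex(f"{username}:{realm}:{password}")
    hash2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{hash1}:{nonce}:{hash2}")


def digest_response_2617(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: response = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)."""
    hash1 = md5_hex(f"{username}:{realm}:{password}")
    hash2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{hash1}:{nonce}:{nc}:{cnonce}:{qop}:{hash2}")


def verify_digest(params: Dict[str, str], method: str, password: str, issued_nonce: str) -> bool:
    """Server side: reject a nonce this server did not issue, then recompute the response
    from the stored password and compare it with the client's value in constant time.
    Nothing is decrypted; a wrong password, method, URI or nonce simply yields a different hash."""
    if params.get("nonce") != issued_nonce:
        return False
    try:
        expected = digest_response_2617(
            params["username"], params["realm"], password, method,
            params["uri"], params["nonce"], params["nc"], params["cnonce"], params["qop"],
        )
    except KeyError:  # a required Digest parameter is missing from the header
        return False
    return secrets.compare_digest(expected, params.get("response", ""))


# Constructed from the article's captured parameters; username="guest" added from the login step.
CAPTURED_AUTHORIZATION = (
    'Digest username="guest", realm="Hacking Articles", nonce="58bac26865505", '
    'uri="/auth/02-2617.php", opaque="8d8909139750c6bd277cfe1388314f48", qop=auth, '
    'nc=00000001, cnonce="72ae56dde9406045", response="ac8e3ecd76d33dd482783b8a8b67d8c1"'
)


def recompute_captured_response(password: str = "guest", method: str = "GET") -> Dict[str, str]:
    """Redo the article's hash-calculator steps on the captured parameters and return each
    intermediate value next to the response Burp Suite captured, so they can be compared."""
    p = parse_digest_params(CAPTURED_AUTHORIZATION)
    hash1 = md5_hex(f'{p["username"]}:{p["realm"]}:{password}')
    hash2 = md5_hex(f'{method}:{p["uri"]}')
    computed = md5_hex(f'{hash1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:{p["qop"]}:{hash2}')
    return {"hash1": hash1, "hash2": hash2, "computed": computed, "captured": p["response"]}


if __name__ == "__main__":
    for name, value in recompute_captured_response().items():
        print(f"{name:9} {value}")
```

Run as a script it prints Hash1, Hash2, the recomputed response and the captured one, which is the comparison the article performs by hand. Two design points matter on the server side: the nonce check is what makes "used only once" real (a server that accepts any nonce string has no replay protection), and `compare_digest` avoids leaking how many leading hex characters of the response were correct through response timing.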

Finally, the server verifies the response value, and the following is the result.


Author: Ankit Gupta, the Author, and co-founder of this website, An Ethical Hacker, Telecom Expert, Programmer, India. He Has Found his Deepest Passion To Be Around The World Of Telecom, ISP and Ethical Hacking. Contact Here