What is the difference between Digest and Basic Authentication

Question

User · Answer

Let us see the difference between the two HTTP authentication using Wireshark (Tool to analyse packets sent or received) .

1. Http Basic Authentication

As soon as the client types in the correct username:password,as requested by the Web-server, the Web-Server checks in the Database if the credentials are correct and gives the access to the resource .

Here is how the packets are sent and received :

In the first packet the Client fill the credentials using the POST method at the resource - lab/webapp/basicauth .In return the server replies back with http response code 200 ok ,i.e, the username:password were correct .

Now , In the Authorization header it shows that it is Basic Authorization followed by some random string .This String is the encoded (Base64) version of the credentials admin:aadd (including colon ) .

2 . Http Digest Authentication(rfc 2069)

So far we have seen that the Basic Authentication sends username:password in plaintext over the network .But the Digest Auth sends a HASH of the Password using Hash algorithm.

Here are packets showing the requests made by the client and response from the server .

As soon as the client types the credentials requested by the server , the Password is converted to a response using an algorithm and then is sent to the server , If the server Database has same response as given by the client the server gives the access to the resource , otherwise a 401 error .

In the above Authorization , the response string is calculated using the values of Username,Realm,Password,http-method,URI and Nonce as shown in the image :

(colons are included)

Hence , we can see that the Digest Authentication is more Secure as it involve Hashing (MD5 encryption) , So the packet sniffer tools cannot sniff the Password although in Basic Auth the exact Password was shown on Wireshark.

User · Answer

HTTP Basic Access Authentication     STEP 1   the client makes a request for information  sending a username and password to the server in plain text   STEP 2   the server responds with the desired information or an error     Basic Authentication uses base64 encoding not encryption  for generating our cryptographic string which contains the information of username and password  HTTP Basic doesn   t need to be implemented over SSL  but if you don   t  it isn   t secure at all  So I   m not even going to entertain the idea of using it without   Pros    Its simple to implement  so your client developers will have less work to do and take less time to deliver  so developers could be more likely to want to use your API  Unlike Digest  you can store the passwords on the server in whatever encryption method you like  such as bcrypt  making the passwords more secure Just one call to the server is needed to get the information  making the client slightly faster than more complex authentication methods might be     Cons     SSL is slower to run than basic HTTP so this causes the clients to be slightly slower If you don   t have control of the clients  and can   t force the server to use SSL  a developer might not use SSL  causing a security risk     In Summary     if you have control of the clients  or can ensure they use SSL  HTTP Basic is a good choice  The slowness of the SSL can be cancelled out by the speed of only making one request    Syntax of basic Authentication  Value   username password Encoded Value    base64 Value  Authorization Value   Basic  lt Encoded Value gt     at last Authorization key value map added to http header as follows Authorization   lt Authorization Value gt    HTTP Digest Access Authentication Digest Access Authentication uses the hashing i e digest means cut into small pieces  methodologies to generate the cryptographic result  HTTP Digest access authentication is a more complex form of authentication that works as follows      STEP 1   a client sends a request to a server STEP 2   the server responds with a special code  called a nonce i e  number used only once   another string representing the realm a hash  and asks the client to authenticate STEP 3   the client responds with this nonce and an encrypted version of the username  password and realm  a hash  STEP 4   the server responds with the requested information if the client hash matches their own hash of the username  password and realm  or an error if not    Pros      No usernames or passwords are sent to the server in plaintext  making a non-SSL connection more secure than an HTTP Basic request that isn   t sent over SSL  This means SSL isn   t required  which makes each call slightly faster     Cons      For every call needed  the client must make 2  making the process slightly slower than HTTP Basic HTTP Digest is vulnerable to a man-in-the-middle security attack which basically means it could be hacked HTTP Digest prevents use of the strong password encryption  meaning the passwords stored on the server could be hacked     In Summary  HTTP Digest is inherently vulnerable to at least two attacks  whereas a server using strong encryption for passwords with HTTP Basic over SSL is less likely to share these vulnerabilities   If you don   t have control over your clients however they could attempt to perform Basic authentication without SSL  which is much less secure than Digest     RFC 2069 Digest Access Authentication Syntax  Hash1 MD5 username realm password  Hash2 MD5 method digestURI  response MD5 Hash1 nonce Hash2    RFC 2617 Digest Access Authentication Syntax  Hash1 MD5 username realm password  Hash2 MD5 method digestURI  response MD5 Hash1 nonce nonceCount cnonce qop Hash2    some additional parameters added    source and example  In Postman looks as follows     Note    The Basic and Digest schemes are dedicated to the authentication using a username and a secret  The Bearer scheme is dedicated to the authentication using a token

User · Answer

Digest Authentication communicates credentials in an encrypted form by applying a hash function to  the username  the password  a server supplied nonce value  the HTTP method and the requested URI    Whereas Basic Authentication uses non-encrypted base64 encoding    Therefore  Basic Authentication should generally only be used where transport layer security is provided such as https   See RFC-2617 for all the gory details

User · Answer

Basic Authentication use base 64 Encoding for generating cryptographic string which contains the information of username and password   Digest Access Authentication uses the hashing methodologies to generate the cryptographic result

[http] What is the difference between Digest and Basic Authentication?

Examples related to http

Examples related to authentication

Examples related to https

Examples related to basic-authentication

Examples related to digest-authentication