DEV Community

Ryoichi Homma

Understanding Digest Authentication

This article is an extended version of my last article, Understanding Basic Authentication, exploring more about Digest Authentication, especially how it works, how to implement it, and the differences between Basic and Digest Authentications.

Digest Authentication

Digest Authentication is a more secure alternative to Basic Authentication. Instead of sending the credentials Base64-encoded (effectively plaintext), it uses MD5 hashing together with a challenge-response mechanism, so the password itself never crosses the wire. This prevents passwords from being directly intercepted, making it more secure than Basic Authentication.

Implementation

Follow these steps to implement Digest Authentication on the Apache server:

  • Install Apache using the yum command:
sudo yum install httpd -y
  • Create a protected directory:
sudo mkdir -p /var/www/html/digest

The directory name (/digest here) can be anything.

  • Create the Digest password file:
sudo htdigest -c /etc/httpd/conf.d/.digestpass "Digest Auth" username
  1. Enter and confirm the password.
  2. The realm ("Digest Auth" in this case) must match the AuthName value in the Apache configuration.
  • Verify the Digest password file:
cat /etc/httpd/conf.d/.digestpass
  • Edit the Apache configuration file:
sudo vi /etc/httpd/conf/httpd.conf

Add the following block after the existing <Directory "/var/www/html"> section (Directory sections cannot be nested inside one another):

<Directory "/var/www/html/digest">
    AuthType Digest
    AuthName "Digest Auth"
    AuthUserFile /etc/httpd/conf.d/.digestpass
    Require valid-user
</Directory>
  • Create an index.html file in the protected directory:
sudo vi /var/www/html/digest/index.html

Add what you want to display when the user is authorized:

You're successfully authorized
  1. Press i to enter INSERT mode and start typing.
  2. Press Esc to leave INSERT mode, then type :wq and press Enter to save the file and exit.
  • Restart the Apache server:
sudo systemctl restart httpd
  • Test the authentication using the curl command:
curl -L --digest -u username:password http://xx.xx.xx.xx/digest

If you see You're successfully authorized, authentication is working correctly.

Key Differences Between Basic and Digest Authentication

  • Security: Digest Authentication is more secure than Basic Authentication.
  • Password Transmission: Basic Authentication sends the credentials Base64-encoded (effectively plaintext); Digest Authentication sends a hashed value.
  • Replay Attack Risk: Lower for Digest Authentication, thanks to its nonce mechanism.
  • Browser Support: Basic Authentication is widely supported; Digest Authentication is less common.
  • Others: Basic Authentication is only safe when used over HTTPS, which is why Digest Authentication is the more secure alternative.
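As an added example (not part of the original post), the following Python script works through the hashing and nonce mechanism described in the Digest Authentication section and in the list above: it derives the HA1 value that htdigest stores (MD5 of user:realm:password), computes the client's RFC 2617 response for a request, and verifies it on the server side while rejecting a replayed nonce count. The user, password, URI, cnonce and nonce values are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed sample realm (not from the article); it must match Apache's AuthName.
REALM = "Digest Auth"

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def htdigest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password): this, not the password, is what htdigest stores."""
    return md5hex(f"{user}:{realm}:{password}")

def parse_htdigest(text: str) -> dict:
    """Parse the user:realm:HA1 lines that `htdigest` writes; keyed by (user, realm)."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            user, realm, ha1 = line.strip().split(":", 2)
            table[(user, realm)] = ha1
    return table

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response (RFC 2617, qop=auth): MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side: hands out nonces and checks responses against the htdigest table."""
    def __init__(self, table: dict):
        self.table = table
        self.nonces = {}  # nonce -> highest nonce-count (nc) accepted so far

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)  # unpredictable challenge sent in WWW-Authenticate
        self.nonces[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        ha1 = self.table.get((user, REALM))
        if ha1 is None or nonce not in self.nonces:
            return False  # unknown user, or a nonce this server never issued
        if int(nc, 16) <= self.nonces[nonce]:
            return False  # nc did not increase: a replayed request
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False  # wrong password, or a tampered method/URI
        self.nonces[nonce] = int(nc, 16)
        return True
```

Because only HA1 is stored, a leaked .digestpass file still lets an attacker authenticate to that realm, so the file permissions matter as much as for a plaintext password file.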

Conclusion

Both Basic and Digest Authentication provide ways to restrict access to web resources. Basic Authentication is easy to implement but should always be used with HTTPS to prevent credential exposure. Digest Authentication offers better security through hashing and challenge-response mechanisms, making it a more secure choice for sensitive data.
If you're working with an Apache web server, implementing these authentication methods is straightforward and enhances security for restricted resources.
