Re: [squid-users] Questions on research into using digest auth against MS AD2003

From: Chuck Kollars <>
Date: Sat, 1 Nov 2008 19:49:57 -0700 (PDT)

> > ... Digest authentication is a hashed authentication scheme,
> > exchanging one-time hashes instead of passwords on the wire. ...

Please excuse what may be a real dumb question; I'm trying to grok how Digest authentication actually works with Squid, and this doesn't seem to me to quite add up. My current understanding is as follows:

"One-time" generally refers to the 'nonce' (and 'cnonce') used by challenge-response authentication protocols. But verifying the nonce-hashed-by-password would require using the actual original cleartext password, something proxies don't have (and can't obtain reliably yet securely).

So proxies like Squid instead use the H{username:realm:password} field (which was originally intended for use mainly for identification). Most importantly this H(A1) field that Squid uses is the same every time (since Squid is always in the same 'realm'); it's *not* "one-time" in the sense of never ever repeating.

What's wrong with this picture?

thanks! -Chuck Kollars

Received on Sun Nov 02 2008 - 02:50:08 MST

This archive was generated by hypermail 2.2.0 : Sun Nov 02 2008 - 12:00:00 MST