Why is supporting digest authentication necessary instead of other more secure ways?



  • Why is supporting digest authentication necessary instead of other more secure ways, like applying a non-reversible transformation to passwords to protect them? Is it because the receiving end cannot process and verify them?



  • Digest authentication is a specific algorithm to do authentication, not a storage method for passwords. So there is no "digest authentication ... instead of ... non-reversible transformation". Comparing one with the other is like comparing streets with cars.

    Digest authentication does require, though, that passwords (or something equivalent which can also be used for authentication) be stored in a reversible way. So the real question is why digest authentication is still used, even though it is known to be vulnerable to leaks of the stored passwords.

    And the answer to this is that security decisions are usually a trade-off; in the case of digest authentication, between securing passwords on the server and securing passwords in transit. Digest authentication can protect the password in transit even if the connection is not encrypted, i.e. no TLS or similar is used. Plainly sending username and password is not protected in this case. And there are still protocols which rely heavily on unencrypted connections, like SIP (voice over IP). In fact, digest authentication is the standard authentication method defined for SIP.


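To make the trade-off in the answer above concrete, here is an added example (not from the original thread) of the RFC 2617 digest exchange with qop=auth: the client sends only a hash over nonce, cnonce and request, so the password never appears on the wire, while the server verifies it from the stored HA1 = MD5(user:realm:password), which is why that stored value is itself a password equivalent that must be protected. The user store, nonce and request values are constructed for the demonstration; the Mufasa vector is the one published in RFC 2617.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What the server keeps per user. It is not the password, but it is
    # enough to authenticate as the user, so a leak is as bad as a plaintext leak.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_value, nonce, nc, cnonce, qop, method, uri) -> str:
    # RFC 2617 response for qop=auth; both sides compute exactly this.
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


def client_authorize(username, password, realm, nonce, method, uri, cnonce, nc="00000001"):
    # Client side: the only secret-derived field that leaves the client is "response".
    resp = digest_response(ha1(username, realm, password), nonce, nc, cnonce, "auth", method, uri)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


def server_verify(store: dict, header: dict, method: str, issued_nonce: str) -> bool:
    # Server side: reject replays of a different nonce, unknown users, and bad responses.
    if header.get("nonce") != issued_nonce or header.get("qop") != "auth":
        return False
    stored_ha1 = store.get(header.get("username"))
    if stored_ha1 is None:
        return False
    expected = digest_response(stored_ha1, issued_nonce, header["nc"], header["cnonce"],
                               "auth", method, header["uri"])
    return secrets.compare_digest(expected, header.get("response", ""))


# Constructed SIP-style user store: the server holds HA1 values only.
REALM = "sip.example"
USER_STORE = {"alice": ha1("alice", REALM, "s3cret-pass")}


def demo_exchange(password: str) -> tuple:
    nonce = "1a2b3c4d5e6f"          # constructed server nonce
    hdr = client_authorize("alice", password, REALM, nonce, "REGISTER", "sip:sip.example", "c0ffee")
    return server_verify(USER_STORE, hdr, "REGISTER", nonce), "s3cret-pass" in str(hdr)
```

Running `demo_exchange("s3cret-pass")` returns `(True, False)`: the server accepts, and the plaintext password is absent from everything the client sent.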