Basic authentication is convenient and flexible but completely insecure. Usernames and passwords are sent in the clear, and there is no attempt to protect messages from tampering. The only way to use basic authentication securely is to use it in conjunction with SSL.
Digest authentication was developed as a compatible, more secure alternative to basic authentication. We devote this chapter to the theory and practice of digest authentication. Even though digest authentication is not yet in wide use, the concepts still are important for anyone implementing secure transactions.
Digest authentication is an alternate HTTP authentication protocol that tries to fix the most serious flaws of basic authentication. In particular, digest authentication:
Never sends secret passwords across the network in the clear
Prevents unscrupulous individuals from capturing and replaying authentication handshakes
Optionally can guard against tampering with message contents
Guards against several other common forms of attacks
Digest authentication is not the most secure protocol possible. Many needs for secure HTTP transactions cannot be met by digest authentication. For those needs, Transport Layer Security (TLS) and Secure HTTP (HTTPS) are more appropriate protocols.
However, digest authentication is significantly stronger than basic authentication, which it was designed to replace. Digest authentication also is stronger than ...