Digest Authentication

Digest authentication is one of the standard methods that the server uses to validate identity information like username and password. It uses an HTTP protocol; applies MD5 cryptographic hashing with the usage of nonce values. The Digest authentication method is most definitely more secure than that of, for example, basic authentication. RFC is making further ways to use additional features to ensure more security of the method.

This authentication method allows confirming the identity of the user, afore sending confidential information concerning, for example, online banking transactions.

Digest authentication is implementing in the way of receiving all access requests from client devices by a network server and then sending those requests to a domain controller.

Before being sent, data is hashed or encrypted, so it is never transmitted as plaintext. Hash functions are related to checksums, check digits, fingerprints, and randomization functions, error-correcting codes, and cyphers.

How it works

A client sends requests with the username and password. The server's response is provided with the digest session key, a nonce, and 401 authentication request. The client responds with the scope composed of username:realm:password, encrypted using MD5.

The server exerts the username and realm to find the password in the database and then uses this password to create the MD5 key with username: realm: password_from_database.

The server then compares the generated MD5 key with the MD5 key provided by the client. Matching ensures authenticated. Otherwise, access is denied.

Advantages of HTTP digest authentication method

  • The password is not sent to the server as a plaintext
  • The password is not used directly in the digest, it is HA1 = MD5 (username: realm: password). This allows storing HA1 not a plaintext password.
  • The client nonce is introduced in RFC 2617 that makes possible to prevent threats.
  • Nonce attributes the client submits may be checked by the server due to timestamps the server nonce may contain.
  • The server is able to maintain a list of its nonce values being recently issued or used to prevent reuse.
  • Preventing replay attacks is also possible by applying the cryptographic hashing with the usage of nonce values.


  • The website does not control the UI that is performed for the end-user.
  • Security options in RFC 2617 are discretional. The quality-of-protection (qop) may not be specified by the server, so the client will have to manage in a less secured RFC2069 mode.
  • Digest access authentication is vulnerable to a MITM attack (man-in-the-middle). The attacker may require usage of the basic access authentication or legacy RFC2069 digest access authentication mode. In that case, the client won't be provided with a proper mechanism to verify the server's identity.
  • Passwords may be stored using reversible encryption instead of storing the digested value of the username, realm, and password.
  • The password or the digested username, realm and password must be recoverable. Therefore, storing passwords prevents the usage of a strong password hash, such as bycript.
  • Users can only access resources on the IIS server that has to belong to a domain. Their credentials can't be passed to another computer.
  • The Digest authentication method can be implemented only with Internet Explorer 5.0 or higher.