Question

In this part, you will be working with HTTP's Digest authentication mechanism. Assume that accessing a resource "/Public/CS/Home.png" on a web server results in the following (partial) response.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Mordor", nonce="03e2abb8a924e966bee59d41cef32851", opaque="4043168947418128"

Part 2A

Assuming that the user name is shemeka and the password is rlqy, the HTTP Authorization header line sent by the client (e.g., browser) following the above notification for authentication will be of the following form.

Authorization: Digest username="shemeka", response="", realm="Mordor", nonce="03e2abb8a924e966bee59d41cef32851", uri="/Public/CS/Home.png", opaque="4043168947418128"

What should be the value of the "response" field which currently is empty? Please do NOT include the quotation marks (i.e., ") in your answer. You must use lowercase hexadecimal digits in your answer, if applicable. [2 marks]

Part 2B

In order to safeguard against server compromises, the server stores a hash value that includes the password (and other things) and uses this hash value for authentication. In this particular example here, what is the hash value you expect the server to keep in its repository? You must use lowercase hexadecimal digits in your answer, if applicable. [2 marks]

Answer 1

ANSWER: Nonce is a random number used in cryptography Nonce number is once usable only - like an use and throw number The MD5 message digest algorithm is a famous hashing function MD 5 makes 128 bit or 16 bytes of hash value for the hash key being hashed MD 5 is written in terms of a 32 digit hexadecimal bits The 64 operations of MD5 are categorized into 4 rounds each having 16 operations per round It makes use of avalanche effect The syntax or format of the response field is made up of as follows: String HA1 String HA2 response MD5(String MD5 (username Realm PassWord).nonce: String MD5 (method digestURI)) steps for calculating the response value:

1. compute the MD5 hash value of the user name, authentication realm and password in combination 2. the response from the client is computed as a combination of HA1 results, server nonce, counter of the request, nonce of the client, the code for protection quality and the result from HA2 HA1 MD5("8688049: plugging in the values or applying the above equation, Part 2A) Response after MD5 hashing the response code of "7A5234B786329CAB5D6EFFF4421"becomes bfc7fd8930c8f1f94ba9bde3d78008c5e

Parts 2B, 2C) The password is encrypted and stored in a flat text fiel called htDigest file This htDigest file stores all the 3 entities like user name, password and the realm It follows the Apache HTTP server authentication scheme This is a hidden file and hence starts with a dot or period () HA1 MD5("8688049.Mordor:password') 8734ab23645e7532d9364a32b3e3dd3ed887