
Digest Calculator

sri.krish, 24 Oct 2008
This article explains a simple way of implementing digest protocol in C#. A sample application is provided which shows step by step digest calculation.

Introduction

This article explains a simple way of implementing the HTTP Digest authentication scheme (RFC 2617) in C#. A sample application is provided that shows the calculation step by step.

Background

HTTP offers several authentication schemes; the ones discussed here are Basic, Digest and Kerberos (carried by the Negotiate scheme).

1. Basic Authentication

This is the least secure of the three: the client sends the user ID and password as a Base64-encoded "userid:password" string, which is trivially decoded, so without TLS the credentials travel in plain text.

2. Digest Authentication

This method is safer to a degree. The password itself is never sent; the client proves that it knows the password by returning an MD5 hash (128 bits, written as 32 hexadecimal characters) computed over the password, the server's nonce and other parameters, and the server recomputes the same hash from its own copy of the password. The challenge and response are attribute-value strings and many of the parameters are optional, which is the weak point: an attacker who can alter traffic on the path can replace the Digest challenge with a Basic one (a downgrade that succeeds if the client falls back) or strip optional protections such as qop. A captured exchange also allows an offline dictionary attack on the password, since MD5 is fast to compute. Digest therefore protects the password on the wire but is not a substitute for TLS.

3. Kerberos

Kerberos is considered one of the most secure options. Authentication is not a single challenge and response but a sequence of ticket exchanges (an initial ticket-granting ticket, then a service ticket for each service), and if the exchange is interrupted it starts again from the first stage. This leaves less room for tampering, but the process is longer.

The rest of this article covers the Digest scheme and how to implement it with the .NET Framework 3.5.

Application

Here we discuss the server-side handling of the protocol only. When a client requests a protected resource without credentials, the server replies with a 401 status and a WWW-Authenticate: Digest challenge carrying these parameters:

realm=name of the realm (shown to the user and hashed into A1)
nonce=a fresh, unpredictable value generated by the server for every challenge; here a 32-character hexadecimal string (the 128-bit output of MD5)
stale=true/false (true tells the client that its previous response used an expired nonce but was otherwise valid, so it should retry with the new nonce without prompting the user again)
algorithm=MD5
qop=auth (the other option is auth-int, which additionally hashes the request body)
Example
realm="Test", nonce="ed5e5b69e46f3adc79316c573cb008cb", stale=false, algorithm=MD5,
    qop="auth"

The client receives the challenge and prompts the user for a user ID and password. When the user presses login, the client hashes the password together with the challenge parameters and some values it generates itself (the client nonce cnonce and the nonce count nc), and sends the hash back to the server along with those parameters in an Authorization header.

The password itself is never sent back by the client, only the MD5 hash over the password and the parameters. The server now has to recompute that hash from the data the client sent, which means it must look up the password for the user ID in the SQL database (storing MD5(username:realm:password) instead of the clear-text password is sufficient for this). Fetching the password by user ID is straightforward. The method name is the request method and is implementation specific; in my case it is "DESCRIBE".

Now we have the parameters the client sent, including the user ID, and the password retrieved from the database. Next we apply the algorithm.

Step 1

Separate the parameters sent by the client and store them in named variables. In the sample, this is done by:

private void SplitResponse(String strResponse, out String strUserName,
    out String StrSplResponse, out String strRealm, out String strURI,
    out String strNonce, out String strCnonce, out String strNonceCount,
    out String strQop)

Step 2

Have a hashing function that computes the MD5 of its input and returns it as 32 lowercase hexadecimal characters (the .NET Framework provides the hash itself as System.Security.Cryptography.MD5):

private String GetHash(String strIn)

Step 3

Now apply the algorithm, building the strings one by one.

To get A1:

UserName + ":" + Realm + ":" + Password

A1Hash = MD5 hash of A1

To get A2:

CommandName + ":" + URI

where CommandName is the request method (DESCRIBE in the sample).

A2Hash = MD5 hash of A2

Now build the response string. For qop=auth, RFC 2617 defines it as:

A1Hash + ":" + Nonce + ":" + NonceCount + ":" + CNonce + ":" + QOP + ":" + A2Hash

Hash this string with MD5 and compare the result with the response the client returned. If they are equal, the user entered the correct password and access can be granted; otherwise authentication is denied. Before comparing, the server should also check that the nonce is one it issued and that the (nonce, nc) pair has not been accepted before, otherwise a captured Authorization header can simply be replayed.

Sample Data Sent by Client

username="test",realm="Test",nonce="ed5e5b69e46f3adc79316c573cb008cb",
    uri="http://localhost/test",cnonce="551b92b5cf688f737d655c8fa506364a",
    nc=00000001,response="47aa3643329845a954a2d091422eb35f",qop="auth"

On the server side, the password comes from the database (SQL Server or any other) and the method from the request itself:

  • Password: testpass
  • Method: DESCRIBE

The response computed on the server must equal the response the client sent, "47aa3643329845a954a2d091422eb35f".
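The following is an added example and not the article's C# sample: a self-contained Python version of Steps 1 to 3 that can be run as a calculator beside the .NET sample. It parses the Authorization value shown above, computes A1Hash, A2Hash and the response in the RFC 2617 order, and wraps the server side in the checks the article does not mention: the nonce must be one the server issued, a (nonce, nc) pair is accepted only once, qop and realm must match, and the comparison is constant time. The user name test, the password testpass and the method DESCRIBE are taken from the article; the USERS dictionary standing in for the SQL lookup, the class and function names and the client-side helper are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed inputs copied from the article's sample exchange.
SAMPLE_AUTHORIZATION = (
    'username="test",realm="Test",nonce="ed5e5b69e46f3adc79316c573cb008cb",'
    'uri="http://localhost/test",cnonce="551b92b5cf688f737d655c8fa506364a",'
    'nc=00000001,response="47aa3643329845a954a2d091422eb35f",qop="auth"'
)
SAMPLE_METHOD = "DESCRIBE"    # request method, the article's "CommandName"
USERS = {"test": "testpass"}  # assumption: stands in for the article's SQL lookup

# auth-param = name "=" ( quoted-string | token ); quoted values may hold ':' and '/'
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def md5_hex(s: str) -> str:
    """MD5 as 32 lowercase hex chars (the article's GetHash)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def split_response(header: str) -> dict:
    """Step 1: split a Digest challenge or Authorization value into named params."""
    if header.lower().startswith("digest "):
        header = header[len("digest "):]
    return {k.lower(): (q if q else b) for k, q, b in _PARAM_RE.findall(header)}


def make_challenge(realm: str) -> str:
    """Server: WWW-Authenticate value for the 401; nonce from the CSPRNG, fresh per challenge."""
    nonce = secrets.token_hex(16)  # 128 bits = 32 hex chars, as in the article
    return f'Digest realm="{realm}", nonce="{nonce}", algorithm=MD5, qop="auth", stale=false'


def compute_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Steps 2-3 (RFC 2617, qop=auth): response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # A1 = user:realm:password
    ha2 = md5_hex(f"{method}:{uri}")                  # A2 = method:digest-uri
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, method, uri, challenge, nc="00000001"):
    """Client: answer a challenge. cnonce is chosen by the client, nc counts uses of the nonce."""
    ch = split_response(challenge)
    cnonce = secrets.token_hex(16)
    resp = compute_response(username, ch["realm"], password, method, uri, ch["nonce"], nc, cnonce)
    return (f'Digest username="{username}",realm="{ch["realm"]}",nonce="{ch["nonce"]}",'
            f'uri="{uri}",cnonce="{cnonce}",nc={nc},response="{resp}",qop="auth"')


class DigestVerifier:
    """Server: recompute the response and compare, plus the checks the article leaves out."""
    def __init__(self, users, realm="Test"):
        self.users, self.realm = users, realm   # could store HA1 instead of the password
        self.issued = set()                     # nonces we handed out in challenges
        self.seen = set()                       # (nonce, nc) pairs already accepted

    def challenge(self) -> str:
        hdr = make_challenge(self.realm)
        self.issued.add(split_response(hdr)["nonce"])
        return hdr

    def verify(self, authorization: str, method: str) -> bool:
        p = split_response(authorization)
        needed = ("username", "realm", "nonce", "uri", "cnonce", "nc", "response", "qop")
        if any(k not in p for k in needed) or p["qop"] != "auth" or p["realm"] != self.realm:
            return False                                  # missing field, wrong realm, or qop stripped
        if p["nonce"] not in self.issued or (p["nonce"], p["nc"]) in self.seen:
            return False                                  # nonce we never issued, or replayed header
        password = self.users.get(p["username"])
        if password is None:
            return False
        expected = compute_response(p["username"], self.realm, password, method,
                                    p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if not hmac.compare_digest(expected.encode(), p["response"].lower().encode()):
            return False                                  # wrong password or tampered parameters
        self.seen.add((p["nonce"], p["nc"]))
        return True


def round_trip(password_typed: str) -> bool:
    """Whole exchange against a fresh server; True only when the typed password is right."""
    server = DigestVerifier(USERS)
    auth = client_authorization("test", password_typed, SAMPLE_METHOD,
                                "http://localhost/test", server.challenge())
    return server.verify(auth, SAMPLE_METHOD)


if __name__ == "__main__":
    p = split_response(SAMPLE_AUTHORIZATION)
    print("A1Hash  :", md5_hex(f'{p["username"]}:{p["realm"]}:{USERS[p["username"]]}'))
    print("A2Hash  :", md5_hex(f'{SAMPLE_METHOD}:{p["uri"]}'))
    print("response:", compute_response(p["username"], p["realm"], USERS[p["username"]],
                                         SAMPLE_METHOD, p["uri"], p["nonce"], p["nc"], p["cnonce"]))
    print("client  :", p["response"], "| round trip:", round_trip("testpass"), round_trip("nope"))
```

Run the file directly to print the intermediate hashes for the sample header next to the response the client sent, which is exactly the step-by-step comparison the article's sample is meant for. Two points carry over to any implementation: the server does not need the clear-text password, since MD5(username:realm:password) is all that enters the calculation and can be stored in its place; and because MD5 is cheap, anyone who captures the exchange can still guess at the password offline, so Digest should run over TLS.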

I have attached a sample program which demonstrates how to implement MD5 hashing and digest authentication.

Calculation

The sample solution can also serve as a calculator when you implement Digest in another language or technology: compare each intermediate value (A1Hash, A2Hash and the final response) against the sample step by step.

History

  • 24th October, 2008: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

sri.krish, Singapore

Comments and Discussions

  • quiit, 5-Apr-13: My vote of 4
  • ASV128, 4-Jun-11: thanks, helped much
  • shiva_everyou, 3-Jun-11: Great Article

Article Copyright 2008 by sri.krish