Posted 24 Oct 2008

Digest Calculator



This article explains a simple way of implementing the digest protocol in C#. A sample application is provided which shows, step by step, how the digest is calculated.


For authentication in the HTTP protocol, we use different types of protocols: basic, digest and Kerberos.

1. Basic Authentication

This is the least secure because it transfers both the user ID and the password to the server in plain text.

2. Digest Authentication

This method provides safety up to a certain level. The client does not pass the password; instead, the server and client generate a 32 bit key in which the password is hashed by a defined algorithm. The communication consists of attribute-value strings, and many of the parameters are optional. Because of this, it is vulnerable to mid-level hackers who can tamper with the string and replace it with basic authentication or remove some of the optional digest values.

3. Kerberos

This is considered one of the most secure ways. Authentication is not done in one or two steps: the challenge and response is a process of a few steps, with tickets for each stage. If the communication breaks for some reason, it has to start again from the first stage. Because of this, it is less vulnerable, but the process is a long one.

In this article, we talk about the digest protocol and how we implement it using .NET Framework 3.5.


Here we talk about server-side handling of the protocol only. First, the server sends the request with these parameters:

Realm=Name of the realm
Nonce=Generated every time, a 32 bit hexadecimal representation of characters
Stale=true/false (is it a repeated call or the 1st call)
QOP=auth (another method is auth-int)
Realm="Test",Nonce="ed5e5b69e46f3adc79316c573cb008cb",Stale="false", Algorithm="MD5",

The client receives this information and prompts the user for a user ID and password. When the user presses login, the application hashes the given values together with some additional parameters and sends the hashed information and the parameters back to the server.

The client does not send the password back; instead, it MD5-hashes the password together with the given parameters and the parameters it generated. The server now has to use the data sent by the client. In addition, we have to get the password for the user ID from the SQL database, which is quite simple to do using the user ID. The method name is implementation specific; in my case it’s “DESCRIBE”.

Now we have the parameters given by the client, including the user ID, and the password retrieved from the database. Next we apply the algorithm.

Step 1

Separate the parameters sent by the client and store them in named variables. In the sample, we do that with:

// Splits the client's response string into its named fields.
private void SplitResponse(String strResponse, out String strUserName,
    out String StrSplResponse, out String strRealm, out String strURI,
    out String strNonce, out String strCnonce, out String strNonceCount,
    out String strQop)

Step 2

Have a hashing function that follows MD5 hashing:

private String GetHash(String strIn)

Step 3

Now we do algorithm implementation. Format the strings one by one.

To get A1:

UserName + ":" + Realm + ":" + Password

A1Hash = Hash the A1 value

To get A2:

CommandName + ":" + URI

A2Hash = Hash the A2 value

Now calculate the response:

A1Hash + ":" + Nonce + ":" + NonceCount + ":" + CNonce + ":" + QOP + ":" + A2Hash

Now hash this response value and compare it with the response returned by the client. If they are equal, the user has entered the proper password and we can allow a token. Otherwise, authentication is denied.
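The three steps above as one server-side check, added here as an example and not taken from the article's attached sample. The names DigestCheck, Md5Hex, Parse and Verify are hypothetical; the response string follows RFC 2617 for qop=auth, and the input is the sample from RFC 2617 section 3.5 rather than this page's data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class DigestCheck
{
    // MD5 as 32 lowercase hex characters (128 bits), the form Digest compares.
    static string Md5Hex(string s)
    {
        using (MD5 md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(s)))
                .Replace("-", "").ToLowerInvariant();
    }

    // Splits name=value pairs; values may be quoted (nonce) or bare (nc, qop).
    static Dictionary<string, string> Parse(string header)
    {
        var f = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in Regex.Matches(header, "(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))"))
            f[m.Groups[1].Value] = m.Groups[2].Success ? m.Groups[2].Value : m.Groups[3].Value;
        return f;
    }

    // Recomputes the qop=auth response and compares it without an early exit.
    static bool Verify(string header, string method, string password, string issuedNonce)
    {
        var f = Parse(header);
        foreach (string k in "username realm nonce uri nc cnonce qop response".Split(' '))
            if (!f.ContainsKey(k)) return false;  // a stripped "optional" field is a reject
        if (f["nonce"] != issuedNonce || f["qop"] != "auth") return false;
        string a1Hash = Md5Hex(f["username"] + ":" + f["realm"] + ":" + password);
        string a2Hash = Md5Hex(method + ":" + f["uri"]);
        string expected = Md5Hex(a1Hash + ":" + f["nonce"] + ":" + f["nc"] + ":" + f["cnonce"] + ":" + f["qop"] + ":" + a2Hash);
        string got = f["response"].ToLowerInvariant();
        int diff = expected.Length ^ got.Length;
        for (int i = 0; i < expected.Length && i < got.Length; i++) diff |= expected[i] ^ got[i];
        return diff == 0;
    }

    static void Main()
    {
        string nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"; // RFC 2617 section 3.5 sample values
        string hdr = "Digest username=\"Mufasa\", realm=\"testrealm@host.com\", nonce=\"" + nonce + "\", uri=\"/dir/index.html\", " +
            "qop=auth, nc=00000001, cnonce=\"0a4f113b\", response=\"6629fae49393a05397450978507c4ef1\"";
        Console.WriteLine(Verify(hdr, "GET", "Circle Of Life", nonce)); // correct password
        Console.WriteLine(Verify(hdr, "GET", "wrong-password", nonce)); // wrong password
    }
}
```

Because the password only enters the calculation through A1Hash, the database can hold that hash per user and realm instead of the clear-text password.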

Sample Data Sent by Client


The server code will retrieve (using SQL Server or any database):

  • Password: testpass
  • Method: DESCRIBE

The result response must be equal to “47aa3643329845a954a2d091422eb35f”.

I have attached a sample program which demonstrates how to implement MD5 hashing and digest authentication.


The sample solution can be used as a calculator when you want to implement the protocol in another language or another technology. We can use this article as a step-by-step checking tool.


  • 24th October, 2008: Initial post


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Article Copyright 2008 by sri.krish