Question

I am implementing an API in rails and would like to use HTTP digest authorization as it is more secure than basic authorization. How would one achieve this if my passwords are stored in the database as a one way cryptographic hash.

Was it helpful?

Solution

Honestly? Don't bother. If you're going to use Digest over HTTP, you might as well be using forms or basic auth. HTTPS is the solution. Using Digest is still totally insecure (it uses weak hashing and it provides no defense against MitM attacks).

HTTPS is not hard and without it you are going to have a very hard time securing your application.

OTHER TIPS

The only way to use digest authorization with hash values stored on the server is to duplicate the hash algorithm on the client to turn the user's password into the hash, which then basically becomes the new password (shared secret key).

If you used a salt when generating the hash values, you'll need to use the same salt on the client, which may prove difficult.

As others have suggested, consider using HTTPS instead. You can then send the passwords in plain text from the client to the server and rely on HTTPS for the end-to-end protection. HTTPS provides both encryption and authentication, which closes the loop.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top