One option for authenticating a client to a server is digest access authentication, a challenge-response scheme in which a secret shared between the client and the server is used to prove the client's identity without sending the secret itself. Digest access authentication improves upon the earlier HTTP Basic scheme, in which the user's password was either transmitted to the server without any encryption (Basic encodes it in base64, which is trivially reversible, leaving it open to capture by anyone observing the traffic) or protected only by carrying the whole exchange inside an expensive, ongoing secure sockets layer (SSL) session.
The Internet Engineering Task Force (IETF) has specified digest access authentication in Request For Comments (RFC) 2069, "An Extension to HTTP: Digest Access Authentication", January 1997, and subsequently in RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication", June 1999, the contents of both of which are incorporated herein by reference. (RFC 2617 has since been obsoleted by RFC 7616, which retains the same challenge-response structure and adds SHA-256 as an alternative to the MD5 hash used in the earlier documents.)
In both RFC 2069 and RFC 2617, a shared secret such as the client's password is hashed together with a server-supplied nonce and other request information (user name, realm, HTTP method and URI), and the resulting digest is sent in response to the server's challenge. The server, which has previously stored the same shared secret (or, as RFC 2617 permits, only the hash of user name, realm and password, commonly written H(A1)), recomputes the digest from its stored value and the same request information and compares it with the response sent by the client. If the value computed at the server matches the client's response, the client is authenticated; the password itself never crosses the wire, and because the nonce changes per challenge a captured response cannot simply be replayed.
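The following Python program is an added worked example of the exchange described above; it is not code from the patent or from either RFC. It implements the RFC 2617 request-digest (HA1 = H(username:realm:password), HA2 = H(method:uri), response = H(HA1:nonce:nc:cnonce:qop:HA2)) with the RFC 2069 form (no qop) as a fallback, and a small in-memory server that stores only H(A1), tracks nonce counts to reject replays, and compares digests in constant time. The `DigestServer` class, the `run_exchange` demonstration and the nonce-count bookkeeping are this example's own design choices; the test vector (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") is the one published in RFC 2617 section 3.5.

```python
import hashlib
import hmac
import secrets


def _md5_hex(*parts: str) -> str:
    """MD5 over the colon-joined parts, hex encoded: the H(...) of RFC 2617."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1): the only value derived from the shared secret. A server may store
    this instead of the password (RFC 2617 section 3.2.2.2), but it remains a
    password-equivalent for that realm and must be protected accordingly."""
    return _md5_hex(username, realm, password)


def digest_response(h_a1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """Client side. With qop="auth" (RFC 2617) the nonce count and client nonce
    are mixed in; with qop=None the older RFC 2069 form H(HA1:nonce:HA2) is used."""
    h_a2 = _md5_hex(method, uri)
    if qop is None:
        return _md5_hex(h_a1, nonce, h_a2)
    return _md5_hex(h_a1, nonce, nc, cnonce, qop, h_a2)


class DigestServer:
    """Illustrative server (not from the RFC): stores H(A1), issues nonces,
    and verifies responses while rejecting replayed nonce counts."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}    # username -> H(A1); the password itself is never kept
        self.seen_nc = {}  # nonce -> highest nonce count accepted so far

    def enroll(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)  # fresh per challenge, so responses cannot be replayed
        self.seen_nc[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        stored = self.users.get(username)
        if stored is None or nonce not in self.seen_nc:
            return False  # unknown user, or a nonce this server never issued
        try:
            count = int(nc, 16)
        except ValueError:
            return False
        if count <= self.seen_nc[nonce]:
            return False  # replayed or out-of-order nonce count
        expected = digest_response(stored, method, uri, nonce, nc, cnonce, "auth")
        if not hmac.compare_digest(expected, response):
            return False  # constant-time compare: no timing side channel on the digest
        self.seen_nc[nonce] = count
        return True


def rfc2617_example() -> str:
    """Reproduce the worked example from RFC 2617 section 3.5."""
    h = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(h, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           nc="00000001", cnonce="0a4f113b", qop="auth")


def run_exchange():
    """Full round trip on constructed data: a valid login, a replay of the same
    response, and an attempt with the wrong password."""
    server = DigestServer("example.test")
    server.enroll("alice", "correct horse battery staple")
    chal = server.challenge()

    # Client: derive H(A1) locally from the typed password and answer the challenge.
    client_h_a1 = ha1("alice", chal["realm"], "correct horse battery staple")
    cnonce = secrets.token_hex(8)
    resp = digest_response(client_h_a1, "GET", "/account", chal["nonce"],
                           nc="00000001", cnonce=cnonce, qop=chal["qop"])
    ok = server.verify("alice", "GET", "/account", chal["nonce"], "00000001", cnonce, resp)

    # Attacker replays the captured response verbatim: same nonce count, rejected.
    replay_ok = server.verify("alice", "GET", "/account", chal["nonce"], "00000001", cnonce, resp)

    # Wrong password with a fresh nonce count: digest mismatch, rejected.
    bad_h_a1 = ha1("alice", chal["realm"], "wrong password")
    bad = digest_response(bad_h_a1, "GET", "/account", chal["nonce"],
                          nc="00000002", cnonce=cnonce, qop="auth")
    wrong_pw_ok = server.verify("alice", "GET", "/account", chal["nonce"], "00000002", cnonce, bad)
    return ok, replay_ok, wrong_pw_ok


if __name__ == "__main__":
    print("RFC 2617 vector:", rfc2617_example())
    print("valid, replay, wrong password:", run_exchange())
```

Two points the code makes concrete: the server never needs the cleartext password, only H(A1), yet that stored hash is exactly the "shared secret and associated information" whose storage the next paragraph identifies as a burden and a risk, since anyone who obtains it can impersonate the user in that realm. And the scheme's protection against replay rests entirely on the server remembering which nonces and nonce counts it has already accepted; a server that skips that bookkeeping accepts any captured response.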
The need to store shared secrets and associated information, such as user names and passwords or their realm-bound hashes, separately for each service provider is cumbersome for the user and is itself a security risk: every such store is a target whose compromise yields credentials that are directly usable against that provider.