Thursday, December 03, 2009

PHP: Generation of MD5 hash for HTTP digest access authentication

HTTP Digest access authentication is one of the standard methods (RFC 2617) a web server can use to negotiate credentials with a web user over HTTP. Digest authentication is intended to supersede Basic access authentication over unencrypted connections: the client proves knowledge of the password without ever sending it in plaintext over the network. Digest authentication is basically an application of MD5 hashing, combined with a server-issued nonce value so that a captured response cannot simply be replayed. Note that MD5 is no longer considered a strong hash, and Digest only hides the password itself; over plain HTTP the request and response bodies remain readable and an active attacker can still tamper with them, so it is no substitute for TLS.

For example, let's assume that we want to allow a user called "adminuser" to access a realm called "Admin Realm" with the password "secretpassword". The value Digest needs (called HA1 in RFC 2617) is the MD5 hash of "username:realm:password", which can be generated from the command line with the php interpreter:

php -r 'echo MD5("adminuser:Admin Realm:secretpassword")."\n";'

This gives the following MD5 hash:

3228e0b5f8ae5ffb249d16125baffe63

Therefore, when using Zend_Auth in Zend Framework, a file such as 'files/passwd.txt' with the username, realm and hash that has to go into a Zend_Auth_Adapter_Http_Resolver_File resolver can contain:

adminuser:Admin Realm:3228e0b5f8ae5ffb249d16125baffe63

Keep in mind that this HA1 value is password-equivalent for that realm: anyone who reads it can compute valid Digest responses without knowing the password, so the file needs the same protection as a plaintext password file and must not be served by the web server.


In the case of Basic authentication, the same resolver file 'files/passwd.txt' would instead hold the password in plain text:

adminuser:Admin Realm:secretpassword
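To show what the server does with the HA1 value above, here is an added example in PHP (written for this post, not code from the original article or from Zend Framework) that derives the resolver-file line and then verifies a client's Digest "response" for qop="auth" per RFC 2617. It assumes PHP 7 or later for the type hints and hash_equals(); the nonce, cnonce, nc and URI values are constructed sample data, not real traffic.

```php
<?php
// Added example: HA1 derivation and Digest response verification (RFC 2617,
// qop="auth"). Not part of the original post or of Zend Framework.

// HA1 = MD5(username:realm:password); this is what the resolver file stores.
function digestHa1(string $user, string $realm, string $password): string
{
    return md5("$user:$realm:$password");
}

// One line in Zend_Auth_Adapter_Http_Resolver_File digest format.
function passwdLine(string $user, string $realm, string $password): string
{
    return "$user:$realm:" . digestHa1($user, $realm, $password);
}

// Recompute the response the client should have sent, from the stored HA1
// and the parameters echoed back in its Authorization header.
function digestExpectedResponse(string $ha1, string $method, string $uri,
                                string $nonce, string $nc, string $cnonce): string
{
    $ha2 = md5("$method:$uri");                       // HA2 = MD5(method:uri)
    return md5("$ha1:$nonce:$nc:$cnonce:auth:$ha2");  // qop="auth" form
}

// Compare in constant time so the check does not leak how many leading
// hex digits of the response were correct.
function digestVerify(string $ha1, array $params, string $method): bool
{
    foreach (['qop', 'uri', 'nonce', 'nc', 'cnonce', 'response'] as $k) {
        if (!isset($params[$k])) {
            return false;
        }
    }
    if ($params['qop'] !== 'auth') {
        return false;  // auth-int and the legacy no-qop form are not handled here
    }
    $expected = digestExpectedResponse($ha1, $method, $params['uri'],
        $params['nonce'], $params['nc'], $params['cnonce']);
    return hash_equals($expected, strtolower($params['response']));
}

// Constructed sample values (assumed, not captured from a real client).
$ha1    = digestHa1('adminuser', 'Admin Realm', 'secretpassword');
$nonce  = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';  // assumed server-issued nonce
$cnonce = '0a4f113b';                            // assumed client nonce
$nc     = '00000001';
$uri    = '/admin/';

// What a well-behaved client would send for a GET to $uri.
$client = [
    'qop'      => 'auth',
    'uri'      => $uri,
    'nonce'    => $nonce,
    'nc'       => $nc,
    'cnonce'   => $cnonce,
    'response' => digestExpectedResponse($ha1, 'GET', $uri, $nonce, $nc, $cnonce),
];

echo passwdLine('adminuser', 'Admin Realm', 'secretpassword'), "\n";
var_dump(digestVerify($ha1, $client, 'GET'));

// A forged or guessed response fails the check.
$client['response'] = str_repeat('0', 32);
var_dump(digestVerify($ha1, $client, 'GET'));

// The same response is rejected for a different method/URI, because HA2
// binds the response to the request line.
$client['response'] = digestExpectedResponse($ha1, 'GET', $uri, $nonce, $nc, $cnonce);
var_dump(digestVerify($ha1, $client, 'POST'));
```

A real server must additionally check that the nonce in the header is one it issued recently and that the nc counter has not been seen before for that nonce; without that bookkeeping the nonce does nothing against replay. That state handling is omitted here to keep the hash computation itself visible.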