I'm reading about the XMPP authentication flow. I understood that the response is calculated on the client using an algorithm that goes like this:

  1. Create a string of the form "username:realm:password". Call this string X.
  2. Compute the 16 octet MD5 hash of X. Call the result Y.
  3. Create a string of the form "Y:nonce:cnonce:authzid". Call this string A1.
  4. Create a string of the form "AUTHENTICATE:digest-uri". Call this string A2.
  5. Compute the 32 hex digit MD5 hash of A1. Call the result HA1.
  6. Compute the 32 hex digit MD5 hash of A2. Call the result HA2.
  7. Create a string of the form "HA1:nonce:nc:cnonce:qop:HA2". Call this string KD.
  8. Compute the 32 hex digit MD5 hash of KD. Call the result Z.

And this is embedded in the response field in the structure.

An example of decoded challenge response is

  username="rob",realm="cataclysm.cx",nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk",nc=00000001,qop=auth,digest-uri="xmpp/cataclysm.cx",response=d388dad90d4bbd760a152321f2143af7,charset=utf-8,authzid="rob@cataclysm.cx/myResource"

But my concern is, I haven't seen anywhere how that particular response field is used on the server. Is there any use case that really uses this? Can someone please cite references/insights/implementations for how the response field is used and how it actually plays a role in determining the authenticity of the user?

Thanks!

sad

1 Answer


Currently I'm working on the Digest-MD5 authentication mechanism and I'm using RFC 2831 for reference. The answer to your question is that the server generates that response again on the server's side and then compares it with the response field that was received from the client; if they match, the client is authenticated, else authentication fails.

Now, the reason why such a comparison takes place is that once a string is hashed it cannot be reversed to the source string, so the server computes the hashed value, and those values will be equal if the source string supplied was the same.

If my answer does not clarify your doubt, let me know.

Kshitij Patil
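As an added worked example (not code from the question, the answer, or any XMPP implementation), here are the eight client-side steps listed in the question followed by the server-side recomputation and comparison the answer describes, in Python. The challenge values are the worked example from RFC 2831 section 4 (username chris, realm elwood.innosoft.com, password secret, IMAP digest-uri); the function names, the way the server obtains the stored password and the issued nonce, and the sample message string are assumptions made for illustration.

```python
"""DIGEST-MD5 (RFC 2831): client response computation and the server-side
recomputation that checks it.

Added example; not code from the question, the answer or any XMPP project.
Challenge/response values come from the worked example in RFC 2831 section 4
(user "chris", password "secret"); the function names and the client message
string are constructed here for illustration.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional


def _h(data: bytes) -> bytes:
    """H(s): the raw 16-octet MD5 digest."""
    return hashlib.md5(data).digest()


def _kd(k: str, s: str) -> str:
    """KD(k, s) = HEX(H(k ":" s)); both inputs are already hex strings."""
    return _h(f"{k}:{s}".encode("utf-8")).hex()


def digest_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, qop: str, digest_uri: str,
                    authzid: Optional[str] = None, rspauth: bool = False) -> str:
    """Steps 1-8 of the algorithm in the question, as RFC 2831 defines them.

    With rspauth=True it yields the server's final 'rspauth' value instead;
    the only difference is that A2 then has no 'AUTHENTICATE' method token.
    """
    # Steps 1-2: Y = H("username:realm:password"), kept as 16 raw octets, not hex.
    y = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    # Step 3: A1 = Y ":" nonce ":" cnonce [":" authzid]  (authzid only if present)
    a1 = y + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # Step 4: A2 = "AUTHENTICATE:" digest-uri; for qop=auth-int/auth-conf a
    # fixed 32-zero body hash is appended (RFC 2831 section 2.1.2.1).
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    # Steps 5-6: HA1 = HEX(H(A1)), HA2 = HEX(H(A2))
    ha1 = _h(a1).hex()
    ha2 = _h(a2.encode("utf-8")).hex()
    # Steps 7-8: Z = HEX(KD(HA1, nonce:nc:cnonce:qop:HA2))
    return _kd(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_FIELD_RE = re.compile(r'([a-zA-Z][\w-]*)=(?:"([^"]*)"|([^,]*))')


def parse_response_fields(message: str) -> Dict[str, str]:
    """Split a decoded client response (the comma-separated key=value form
    quoted in the question) into a dict; quoted and bare values both work."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD_RE.finditer(message)}


def server_verify(message: str, stored_password: str, issued_nonce: str) -> Optional[str]:
    """The check the answer describes: recompute the response from the stored
    password and compare. Returns the rspauth value on success, None on failure.
    (stored_password / issued_nonce stand in for a real credential store and
    session state; that lookup is assumed, not specified by the page.)"""
    f = parse_response_fields(message)
    # The nonce must be the one this server issued for this session; anything
    # else is a replay or a forged challenge and is rejected before hashing.
    if f.get("nonce") != issued_nonce:
        return None
    try:
        common = dict(username=f["username"], realm=f["realm"],
                      password=stored_password, nonce=f["nonce"], cnonce=f["cnonce"],
                      nc=f["nc"], qop=f.get("qop", "auth"), digest_uri=f["digest-uri"],
                      authzid=f.get("authzid"))
    except KeyError:
        return None
    expected = digest_response(**common)
    # Constant-time compare so timing does not leak how many hex digits match.
    if not hmac.compare_digest(expected, f.get("response", "")):
        return None
    return digest_response(**common, rspauth=True)


# Constructed client message using the RFC 2831 section 4 example fields.
RFC2831_MESSAGE = ('username="chris",realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",'
                   'cnonce="OA6MHXh6VqTrRk",nc=00000001,qop=auth,'
                   'digest-uri="imap/elwood.innosoft.com",'
                   'response=d388dad90d4bbd760a152321f2143af7,charset=utf-8')
RFC2831_NONCE = "OA6MG9tEQGm2hh"


if __name__ == "__main__":
    print("good password  ->", server_verify(RFC2831_MESSAGE, "secret", RFC2831_NONCE))
    print("wrong password ->", server_verify(RFC2831_MESSAGE, "Secret", RFC2831_NONCE))
    print("stale nonce    ->", server_verify(RFC2831_MESSAGE, "secret", "someothernonce"))
```

Two details matter for interoperability: the first component of A1 is the raw 16-octet digest, not its hex encoding, and the server's rspauth is computed the same way with an empty method token in A2, which is what lets the client confirm it is talking to a server that actually knows the password.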