4

I found many questions on Stack Overflow which have a mention of digest authentication. I could not find how digest authentication prevents replay attacks. I use the Fiddler tool to intercept the HTTP requests to the servers. I used the same tool for replaying the requests to the server, but the server asked for authentication.

I need to understand exactly how prevention of replay attacks is achieved. How is the server able to detect any replay of HTTP requests?

Any links/resources would be appreciated.

Nick Johnson
Anand Patel

1 Answer

8

Digest authentication prevents replay attacks by using a server-specified nonce. The server generates a random nonce when the client attempts to make an unauthenticated request, and the client has to incorporate the nonce into its response. It's up to the server to manage valid nonces, and invalidate them when they've been used, to prevent replays.

Nick Johnson
  • Wiki has a good write-up on the process. Note that this only prevents replay attacks *if* the server supports this optional operation but a downside of this process is that the server is never authenticated. Note that this does not prevent (thereafter) session-hijacking once authenticated. https://en.wikipedia.org/wiki/Digest_access_authentication – Darrell Teague Jul 10 '17 at 17:37
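As an added example (not code from the question or answer above), a small Python simulation of the nonce bookkeeping the answer describes: the server issues a fresh nonce per challenge, checks the RFC 2069-style response MD5(HA1:nonce:HA2), and refuses the same nonce a second time, so a captured Authorization header resent unchanged is rejected. The realm, username and password are constructed sample values, not from any real deployment.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    """Toy digest-auth server: issues nonces and refuses any nonce it has already consumed."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users              # username -> password (constructed sample data)
        self.unused_nonces = set()      # nonces issued but not yet consumed

    def challenge(self) -> str:
        # Fresh unpredictable nonce per 401 challenge, as sent in WWW-Authenticate.
        nonce = secrets.token_hex(16)
        self.unused_nonces.add(nonce)
        return nonce

    def verify(self, method: str, uri: str, creds: dict) -> bool:
        nonce = creds["nonce"]
        if nonce not in self.unused_nonces:
            return False                # never issued, or already used: a replay
        self.unused_nonces.discard(nonce)   # single use, whatever the outcome
        password = self.users.get(creds["username"])
        if password is None or creds["uri"] != uri:
            return False
        ha1 = md5_hex(f"{creds['username']}:{self.realm}:{password}")
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, creds["response"])


def client_response(username, password, realm, nonce, method, uri) -> dict:
    """Compute the Authorization fields a client sends back for the given nonce."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "response": md5_hex(f"{ha1}:{nonce}:{ha2}")}


def demo() -> tuple:
    """Returns (first request accepted, identical replayed request accepted)."""
    server = DigestServer("example", {"alice": "s3cret"})
    nonce = server.challenge()
    creds = client_response("alice", "s3cret", "example", nonce, "GET", "/private")
    first = server.verify("GET", "/private", creds)
    replay = server.verify("GET", "/private", creds)   # same header resent verbatim
    return first, replay   # (True, False)
```

Calling demo() shows the first request accepted and the verbatim replay refused. Real servers commonly use the qop=auth nonce-count (nc) field to detect replays while reusing a nonce for several requests, rather than the strictly single-use nonces shown here.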