2

How do I generate the response field in the client response for a DIGEST-MD5 challenge? I'm currently using RFC 2831 for reference.

The challenge from the server, as per the RFC 2831 example, is:

realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
algorithm=md5-sess,charset=utf-8

The response from the client, as per the RFC 2831 example, is:

charset=utf-8,username="chris",realm="elwood.innosoft.com",
nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",
digest-uri="imap/elwood.innosoft.com",
response=d388dad90d4bbd760a152321f2143af7,qop=auth

The collected details are:

  1. username=chris
  2. password=secret
  3. nonce=OA6MG9tEQGm2hh
  4. nc-value=00000001
  5. cnonce=OA6MHXh6VqTrRk
  6. qop=auth
  7. realm=elwood.innosoft.com
  8. digesturi=imap/elwood.innosoft.com

The response I'm generating doesn't match the one in the RFC 2831 example on page 19.

Formulations in RFC 2831:

Let H(s) be the 16 octet MD5 hash [RFC 1321] of the octet string s.

Let KD(k, s) be H({k, ":", s}), i.e., the 16 octet hash of the string k, a colon and the string s.

Let HEX(n) be the representation of the 16 octet MD5 hash n as a string of 32 hex digits (with alphabetic characters always in lower case, since MD5 is case sensitive).


Currently I'm using the following procedure:

A1 = { H(chris:elwood.innosoft.com:secret), ":", nonce-value, ":", cnonce-value }

(computed with an online MD5 generator)

A1 = {eb5a750053e4d2c34aa84bbc9b0b6ee7:OA6MG9tEQGm2hh:OA6MHXh6VqTrRk}

A2 = { "AUTHENTICATE:", digest-uri-value }

A2 = {AUTHENTICATE:imap/elwood.innosoft.com}

H(A1) = 54442ff1f394d9d0de1205cef4d9cebe

HEX(H(A1)) = 54442ff1f394d9d0de1205cef4d9cebe

HEX(H(A2)) = 15e3594677e51ade69715d1cb7d207ba


RESPONSE=HEX( KD ( HEX(H(A1)), { nonce-value, ":" nc-value, ":", cnonce-value, ":", qop-value, ":", HEX(H(A2)) }))

RESPONSE=HEX( KD ( 54442ff1f394d9d0de1205cef4d9cebe:OA6MG9tEQGm2hh:00000001:OA6MHXh6VqTrRk:auth:15e3594677e51ade69715d1cb7d207ba))

The response as per the above procedure is:

26ef1190b643a36e879673066098379c


but the response value as per the RFC is:

d388dad90d4bbd760a152321f2143af7

Thus the response generated above differs from the one in the RFC's example.

What changes need to be carried out?

Kshitij Patil
  • 86
  • 1
  • 8

3 Answers

2

Sorry, the RFC documentation is right; you just miscalculated the hash of A1.

That's because you converted the hash value of "H(chris:elwood.innosoft.com:secret)" to a hex string. But the RFC just says "Let H(s) be the 16 octet MD5 hash".

Just don't convert the hash result to a hex string; concatenate the raw byte-array hash result instead.

I hope this code helps to explain.

using System.Linq;
using System.Security.Cryptography;
using System.Text;

// 16-octet raw MD5 digest (the RFC's H(s)), not its hex encoding.
static byte[] Md5Hash(byte[] s) => MD5.Create().ComputeHash(s);

// A1 = { H(username ":" realm ":" password), ":", nonce, ":", cnonce [, ":", authzid] }
// ASCII is sufficient for the RFC example values.
byte[] A1 = Md5Hash(Encoding.ASCII.GetBytes(username + ":" + realm + ":" + password))
     .Concat(
        Encoding.ASCII.GetBytes(
          ":" + nonce
        + ":" + cnonce
        + (authzid == null ? "" : (":" + authzid))))
     .ToArray();
Onur
  • 852
  • 9
  • 18
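The full client-side computation from the question, carried through with the raw 16-octet H(A1) as the answer above describes, as an added worked example that is not part of the original question or answers. It hard-codes the RFC 2831 example values from the question, reproduces the RFC's response value, and shows alongside it the wrong variant (hex-encoded inner hash) that the question's procedure used. It also applies the RFC 2831 section 2.1.2.1 rule that username, realm and password are hashed as ISO-8859-1 when they are representable in it, even with charset=utf-8 (no difference for the ASCII example values). `digest_md5_response` and `digest_md5_rspauth` are names chosen here, not API from any library:

```python
import hashlib


def _h(data: bytes) -> bytes:
    """H(s): the raw 16-octet MD5 digest of s (RFC 2831 section 2.1.2.1)."""
    return hashlib.md5(data).digest()


def _hex(digest: bytes) -> str:
    """HEX(n): the 16-octet digest n as 32 lower-case hex digits."""
    return digest.hex()


def _user_realm_pass(username: str, realm: str, password: str) -> bytes:
    # RFC 2831 2.1.2.1: even with charset=utf-8, if username, realm and password are
    # all representable in ISO-8859-1 they are converted to ISO-8859-1 before hashing.
    s = f"{username}:{realm}:{password}"
    try:
        return s.encode("iso-8859-1")
    except UnicodeEncodeError:
        return s.encode("utf-8")


def _a1(username, realm, password, nonce, cnonce, authzid=None) -> bytes:
    # A1 = { H(username ":" realm ":" password), ":", nonce, ":", cnonce [, ":", authzid] }
    # The first element is the RAW 16-octet digest, not HEX() of it; that is the
    # difference between the question's value and the RFC's value.
    a1 = _h(_user_realm_pass(username, realm, password))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return a1


def _response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, a2: str) -> str:
    # HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    # KD(k, s) = H(k ":" s), so this is one MD5 over the colon-joined string.
    ha2 = _hex(_h(a2.encode("utf-8")))
    return _hex(_h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")))


def _a2(prefix: str, digest_uri: str, qop: str) -> str:
    # qop=auth: A2 = prefix ":" digest-uri; auth-int/auth-conf append 32 zero hex digits.
    a2 = f"{prefix}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    return a2


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None) -> str:
    """Client 'response=' directive value (A2 starts with "AUTHENTICATE")."""
    ha1 = _hex(_h(_a1(username, realm, password, nonce, cnonce, authzid)))
    return _response(ha1, nonce, nc, cnonce, qop, _a2("AUTHENTICATE", digest_uri, qop))


def digest_md5_rspauth(username, realm, password, nonce, cnonce, nc, qop,
                       digest_uri, authzid=None) -> str:
    """Server 'rspauth=' value: same as the response but A2 has an empty prefix."""
    ha1 = _hex(_h(_a1(username, realm, password, nonce, cnonce, authzid)))
    return _response(ha1, nonce, nc, cnonce, qop, _a2("", digest_uri, qop))


def digest_md5_response_hex_a1_wrong(username, realm, password, nonce, cnonce, nc,
                                     qop, digest_uri) -> str:
    """The question's procedure: HEX() applied to the inner hash before building A1.
    Kept only to show that it yields a different (wrong) response."""
    inner_hex = _hex(_h(_user_realm_pass(username, realm, password))).encode("utf-8")
    a1 = inner_hex + f":{nonce}:{cnonce}".encode("utf-8")
    ha1 = _hex(_h(a1))
    return _response(ha1, nonce, nc, cnonce, qop, _a2("AUTHENTICATE", digest_uri, qop))


# Values from the RFC 2831 example quoted in the question.
RFC2831_EXAMPLE = dict(
    username="chris", realm="elwood.innosoft.com", password="secret",
    nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
    qop="auth", digest_uri="imap/elwood.innosoft.com",
)

if __name__ == "__main__":
    print("response :", digest_md5_response(**RFC2831_EXAMPLE))
    print("rspauth  :", digest_md5_rspauth(**RFC2831_EXAMPLE))
    print("hex-A1   :", digest_md5_response_hex_a1_wrong(**RFC2831_EXAMPLE), "(wrong)")
```

Running it gives response=d388dad90d4bbd760a152321f2143af7, the value in the RFC example, while the hex-A1 variant gives a different digest. Two caveats for anyone using this beyond the test vector: the nc value is the 8-hex-digit string exactly as sent on the wire, and the same H(A1) is reused for rspauth and for subsequent-authentication, so a server must check rspauth with the empty-prefix A2 rather than recomputing the client response. DIGEST-MD5 itself was moved to Historic by RFC 6331; it is worth implementing only for interoperability with existing peers.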
0

The A1 calculation is wrong. The MD5 digest over chris:elwood.innosoft.com:secret in your case is 32 octets of hexadecimal, 2 octets per original byte. In the RFC calculation it is 16 octets, 1 octet = 1 byte.

user1428934
  • 21
  • 1
  • 2
-3

You have calculated the response correctly and the example in RFC 2831 is not consistent.

Adriaan
  • 17,741
  • 7
  • 42
  • 75