Hypertext Transfer Protocol Digest Authentication Using Authentication and Key Agreement Version-2
RFC 4169, “Hypertext Transfer Protocol Digest Authentication Using Authentication and Key Agreement Version-2”, is an Informational document published in November 2005 by V. Torvinen, J. Arkko, and M. Naslund. The canonical text is published by the RFC Editor.
Abstract
HTTP Digest, as specified in RFC 2617, is known to be vulnerable to man-in-the-middle attacks if the client fails to authenticate the server in TLS, or if the same passwords are used for authentication in some other context without TLS. This is a general problem that exists not just with HTTP Digest, but also with other IETF protocols that use tunneled authentication. This document specifies version 2 of the HTTP Digest AKA algorithm (RFC 3310). This algorithm can be implemented in a way that is resistant to the man-in-the-middle attack. This memo provides information for the Internet community.
What “Informational” means
Published for the general information of the community. It does not define an IETF standard and carries no standards-track status.
The canonical text of RFC 4169 is hosted at rfc-editor.org. Available in TXT and HTML.
- RFC 4168 The Stream Control Transmission Protocol as a Transport for the Session Initiation Protocol
- RFC 4170 Tunneling Multiplexed Compressed RTP
- RFC 4167 Graceful OSPF Restart Implementation Report
- RFC 4171 Internet Storage Name Service
- RFC 4172 iFCP - A Protocol for Internet Fibre Channel Storage Networking
- RFC 4165 Signaling System 7 Message Transfer Part 2 - User Peer-to-Peer Adaptation Layer
- RFC 4173 Bootstrapping Clients using the Internet Small Computer System Interface Protocol
- RFC 4164 RObust Header Compression: Context Replication for ROHC Profiles