Can I use an already MD5 encoded password in Diges

2019-04-07 18:33发布

问题:

I have MD5 hashes of passwords in a database that I want to use against HTTP AUTH DIGEST. But in reading the docs, it looks like the digest hash contains a hash of the username,realm and plaintext password. Is there any way to use the MD5 hash of the password in this situation?

回答1:

No. If the hash they need is generated like so:

MD5(username + realm + password)

You are out of luck.

If they are hashing the password like so:

MD5(MD5(password) + username + realm)

You'd be able to do that with just the hashed password. But it doesn't sound like that's what's going on.



回答2:

No, you have to store in the tables the HA1 hash of Digest and use that for other types of auth (forms and Basic). See here: Storing password in tables and Digest authentication



回答3:

No, this is not possible. The whole point of digest authentication is to avoid replay attacks, i.e. were somebody has only a hashed version (of some authentication data) rather than the real data.

Not only is it a hash of username, real, and plaintext password, but also a nonce, which will change every time. So you really need the plaintext password.



回答4:

No. In digest authentication, the password is hashed with a challenge, there is no way to make it work with another hash.

Basic auth over HTTPS is more secure and it should work with your hashed password.