
LightWave Server: Digest authentication requires username in lower case

Summary

When using HTTP Digest Authentication to authenticate web service requests, authentication will fail if the username is not supplied in lower case.

Advisory Release Date

February 19, 2020

Affected Versions

All versions of LightWave Server

Status

This is a known restriction in LightWave Server. No fix is available or planned.

Background

HTTP Digest Authentication requires that the server store the user password using reversible encryption, i.e., the server must be able to decrypt the user's password into clear text. LightWave Server uses PBKDF2 to store a non-reversible version of the user password.

In order to implement Digest Authentication without reversible encryption, LightWave Server stores the non-reversible Digest Authentication A1 digest when the user password is set; this stored digest is used later, during authentication, to construct the Request Digest. The A1 digest contains the username, which is converted to lower case when stored. This requires that the client application supply the username in lower case in order for authentication to succeed.

Since there is no plan to implement password storage using reversible encryption in LightWave Server, the need for client applications to supply the username in lower case is a permanent restriction.
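The following worked example illustrates the mechanism described above. It is added here and is not LightWave Server's own code: it uses the standard RFC 2617 qop=auth request-digest computation, and the realm, user, password and nonce values are constructed placeholders. The assumption is only what the advisory states, namely that the server keeps the A1 digest with a lower-cased username and nothing reversible.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def store_digest_credential(username: str, realm: str, password: str) -> dict:
    """Server side, run once when the password is set.

    Only HA1 = MD5(username:realm:password) is retained, so the cleartext
    password never has to be stored. The username is lower-cased before
    hashing, as the advisory describes (the exact storage layout used by
    LightWave Server is not documented here; this is an assumption).
    """
    a1 = f"{username.lower()}:{realm}:{password}"
    return {"realm": realm, "ha1": md5_hex(a1)}


def client_response(username: str, realm: str, password: str, nonce: str,
                    nc: str, cnonce: str, method: str, uri: str) -> str:
    """Client side: RFC 2617 request digest (qop=auth) built from the
    username exactly as the client puts it in the Authorization header."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verify(stored: dict, nonce: str, nc: str, cnonce: str,
                  method: str, uri: str, response: str) -> bool:
    """Server side: recompute the request digest from the stored HA1 only.
    The username the client sent is not used here; it is already baked
    (lower-cased) into HA1, which is why a mixed-case username cannot match."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored['ha1']}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


def authenticate(stored: dict, username: str, password: str) -> bool:
    """One client/server exchange using constructed nonce and request values."""
    nonce, nc, cnonce, method, uri = "3d5f9a1c", "00000001", "0a4f2c", "GET", "/api/orders"
    resp = client_response(username, stored["realm"], password, nonce, nc, cnonce, method, uri)
    return server_verify(stored, nonce, nc, cnonce, method, uri, resp)


# Constructed sample credential; realm, user and password are placeholders.
STORED = store_digest_credential("Alice", "lightwave-example", "s3cret")

if __name__ == "__main__":
    print(authenticate(STORED, "alice", "s3cret"))  # True: lower-case username
    print(authenticate(STORED, "Alice", "s3cret"))  # False: case mismatch in A1
```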

Workaround

Digest authentication is no longer the industry-preferred method for HTTP authentication, because of the overhead required to implement it and its use of the MD5 hash, which is now considered weak. The preferred method is now Basic authentication over a TLS connection. While the Basic method is not secure when used over an unencrypted connection, over TLS it is secure and performs better than Digest, especially when pre-authentication is used. We recommend using Basic authentication over TLS instead of Digest authentication. The --disable-digest-auth startup option, introduced in LightWave Server 1.0.9, may be used to disable Digest authentication and prevent the server from advertising Digest authentication in the WWW-Authenticate header.

If continued use of Digest authentication is desired, the HTTP client must provide the username in lower case.
