LightWave Server: Digest authentication requires username in lower case

Modified on Mon, 4 Nov at 1:29 PM

Summary

When using HTTP Digest Authentication to authenticate web service requests, authentication will fail if the username is not supplied in lower case.

Advisory Release Date

February 19, 2020

Affected Versions

All versions of LightWave Server

Status

This is a known restriction in LightWave Server. No fix is available or planned.

Background

HTTP Digest Authentication requires that the server store the user password using reversible encryption, i.e., the server must be able to decrypt the stored password back into clear text. LightWave Server uses PBKDF2 to store a non-reversible version of the user password.

In order to implement Digest Authentication without reversible encryption, LightWave Server stores the non-reversible Digest Authentication A1 digest (the MD5 hash of username:realm:password) when the user password is set; this stored digest is used later during authentication to construct the Request Digest. The A1 digest includes the username, which is converted to lower case before the digest is computed and stored. Because the hash cannot be recomputed with a different username case, the client application must supply the username in lower case for authentication to succeed.
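The following Python example is added here to illustrate the mechanism described above; it is not LightWave Server code. It models a server that stores only H(A1) with the username lower-cased, and a standard RFC 2617 client that computes the request digest from the username as typed. The realm, credentials, nonce and URI are constructed values for the example.

```python
import hashlib
import hmac

# Constructed values for the example (not LightWave defaults).
REALM = "example-realm"
PASSWORD = "correct horse battery staple"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce
NC = "00000001"
CNONCE = "0a4f113b"                             # constructed client nonce
METHOD = "GET"
URI = "/service/orders"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def stored_ha1(username: str, realm: str, password: str) -> str:
    """What the server keeps at password-set time: H(A1) with the username
    folded to lower case. The clear-text password is never stored."""
    return md5_hex(f"{username.lower()}:{realm}:{password}")


def client_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest as a client computes it (qop=auth).
    The client hashes the username exactly as supplied."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(ha1_stored: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server-side check using only the stored H(A1). Because H(A1) is a
    hash, the server cannot adapt it to a differently-cased username."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1_stored}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def authenticate(username_as_registered: str, username_as_sent: str) -> bool:
    """Simulate one Digest exchange: the account was created with
    username_as_registered; the client later sends username_as_sent."""
    ha1 = stored_ha1(username_as_registered, REALM, PASSWORD)
    response = client_response(username_as_sent, REALM, PASSWORD,
                               METHOD, URI, NONCE, NC, CNONCE)
    return server_verify(ha1, METHOD, URI, NONCE, NC, CNONCE, response)


if __name__ == "__main__":
    for sent in ("alice", "Alice", "ALICE"):
        print(f"username sent as {sent!r}: {'OK' if authenticate('Alice', sent) else 'FAIL'}")
```

Only the all-lower-case username verifies, regardless of how the account name was originally typed, because the stored H(A1) was computed from the lower-cased form and the client's differently-cased A1 hashes to a different value.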

Since there is no plan to implement password storage using reversible encryption in LightWave Server, the need for client applications to supply the username in lower case is a permanent restriction.

Workaround

Digest authentication is no longer the industry-preferred method for HTTP authentication, because of the overhead required to implement it and because it relies on the MD5 hash, which is now considered weak. The preferred method is Basic authentication over a TLS connection. While Basic authentication is not secure over an unencrypted connection, over TLS it is secure and performs better than Digest, especially when pre-authentication is used. We recommend using Basic authentication over TLS instead of Digest authentication. The --disable-digest-auth startup option, introduced in LightWave Server 1.0.9, may be used to disable Digest authentication and prevent the server from advertising it in the WWW-Authenticate header.

If continued use of Digest authentication is desired, the HTTP client must provide the username in lower case.
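After disabling Digest authentication, an administrator will usually want to confirm that the server's WWW-Authenticate challenge no longer advertises it. The following Python helper is an added example, not part of LightWave Server; it parses the schemes out of a WWW-Authenticate header value, including the case where several challenges share one header and quoted parameters contain commas. The sample header values are constructed.

```python
def advertised_schemes(header_value: str) -> list[str]:
    """Return the auth-scheme names present in a WWW-Authenticate value.

    A value may carry several challenges separated by commas, e.g.
    'Digest realm="r", nonce="a,b", Basic realm="r"'. A bare token that is
    not followed by '=' is a scheme name; 'name=value' pairs are parameters
    and are skipped, honouring quoted strings so embedded commas do not
    split a challenge.
    """
    schemes = []
    i, n = 0, len(header_value)
    while i < n:
        while i < n and header_value[i] in " \t,":   # skip separators
            i += 1
        if i >= n:
            break
        j = i
        while j < n and header_value[j] not in " \t,=":  # read a token
            j += 1
        token = header_value[i:j]
        k = j
        while k < n and header_value[k] in " \t":
            k += 1
        if k < n and header_value[k] == "=":             # parameter: skip value
            k += 1
            while k < n and header_value[k] in " \t":
                k += 1
            if k < n and header_value[k] == '"':
                k += 1
                while k < n and header_value[k] != '"':
                    if header_value[k] == "\\":          # escaped char in quoted-string
                        k += 1
                    k += 1
                k += 1                                   # closing quote
            else:
                while k < n and header_value[k] != ",":
                    k += 1
            i = k
        else:                                            # bare token: a scheme
            schemes.append(token)
            i = j
    return schemes


def digest_advertised(header_values: list[str]) -> bool:
    """True if any WWW-Authenticate header (a response may send several)
    offers the Digest scheme; scheme names are case-insensitive."""
    return any(s.lower() == "digest"
               for v in header_values for s in advertised_schemes(v))


# Constructed header values standing in for a server before and after
# starting it with --disable-digest-auth.
BEFORE = ['Digest realm="svc", qop="auth", nonce="abc,def", algorithm=MD5',
          'Basic realm="svc"']
AFTER = ['Basic realm="svc"']

if __name__ == "__main__":
    print("before:", advertised_schemes(BEFORE[0]) + advertised_schemes(BEFORE[1]),
          "digest advertised:", digest_advertised(BEFORE))
    print("after: ", advertised_schemes(AFTER[0]),
          "digest advertised:", digest_advertised(AFTER))
```

In practice the header values come from the HTTP response to an unauthenticated request; if digest_advertised still returns True after the option is applied, the option did not take effect and the server is still offering the MD5-based scheme.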
