> >  ... Digest authentication is a hashed authentication scheme, 
> > exchanging one-time hashes instead of passwords on the wire. ...

Please excuse what may be a real dumb question; I'm trying to grok how Digest 
authentication actually works with Squid, and this doesn't seem to me to quite 
add up. My current understanding is as follows:

"One-time" generally refers to the 'nonce' (and 'cnonce') used by 
challenge-response authentication protocols. But verifying the 
nonce-hashed-by-password would require using the actual original cleartext 
password, something proxies don't have (and can't obtain reliably yet 
securely). 

So proxies like Squid instead use the H{username:realm:password} field (which 
was originally intended for use mainly for identification). Most importantly 
this H(A1) field that Squid uses is the same every time (since Squid is always 
in the same 'realm'); it's *not* "one-time" in the sense of never ever 
repeating. 

What's wrong with this picture?

thanks! -Chuck Kollars
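
To make the mechanics concrete for anyone following this question, here is an added example (not code from this thread or from Squid itself) that works through the Digest computations with Python's hashlib. It uses the inputs from the worked example in RFC 2617 section 3.5 for the first challenge and a constructed second challenge, and shows that H(A1) is the fixed, realm-bound value a proxy stores and needs for verification, while only the per-request response changes with the nonce.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password).
    Fixed for a given user, realm and password; this is what a proxy stores,
    and it never travels on the wire."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(stored_ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    Only this value varies per request; it is the 'one-time' part."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def proxy_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                 nc: str, cnonce: str, qop: str, response: str) -> bool:
    """Proxy side: recompute the response from the stored H(A1) only.
    The cleartext password is not needed, just its realm-bound hash."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return secrets.compare_digest(expected, response)


# Sample inputs taken from RFC 2617's worked example (section 3.5)
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
METHOD, URI = "GET", "/dir/index.html"
NONCE_1, CNONCE_1 = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
NONCE_2, CNONCE_2 = "constructed-second-nonce", "constructed-cnonce"  # constructed


def two_requests():
    """Client side: derive H(A1) from the password, answer two challenges."""
    client_ha1 = ha1(USER, REALM, PASSWORD)
    first = digest_response(client_ha1, METHOD, URI, NONCE_1, "00000001", CNONCE_1)
    second = digest_response(client_ha1, METHOD, URI, NONCE_2, "00000001", CNONCE_2)
    return client_ha1, first, second
```

Because the stored H(A1) is enough to answer any challenge in that realm, the file holding it needs the same protection as a cleartext password store, even though the value itself is a hash.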
