I have MD5 hashes of passwords in a database that I want to use against HTTP AUTH DIGEST. But in reading the docs, it looks like the digest hash contains a hash of the username, realm and plaintext password. Is there any way to use the MD5 hash of the password in this situation?
4 Answers
6
votes
No, you have to store in the tables the HA1 hash of Digest and use that for other types of auth (forms and Basic). See here: Storing password in tables and Digest authentication
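Added example, not part of the original answer: a server-side check that validates a Digest response from a stored HA1 row, and shows that a stored MD5(password) row cannot validate the same request. The field values are the example request from RFC 2617 section 3.5; the function names are illustrative. A stored HA1 is itself sufficient to compute valid Digest responses for that realm, so it needs the same protection as a plaintext password.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def compute_ha1(username, realm, password):
    # Computed once at enrolment or password change, then stored
    # in place of MD5(password).
    return md5_hex(f"{username}:{realm}:{password}")

def expected_response(stored_hash, method, fields):
    # HA2 covers the request line; the nonce ties the response to one challenge.
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    if fields.get("qop") == "auth":
        return md5_hex(f"{stored_hash}:{fields['nonce']}:{fields['nc']}:"
                       f"{fields['cnonce']}:auth:{ha2}")
    # Legacy form used when the challenge carried no qop directive.
    return md5_hex(f"{stored_hash}:{fields['nonce']}:{ha2}")

def verify(stored_hash, method, fields):
    # Constant-time comparison of the expected and presented response.
    want = expected_response(stored_hash, method, fields)
    return hmac.compare_digest(want, fields["response"])

# Example request from RFC 2617 section 3.5 (not taken from the page).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}

def demo():
    return {
        # Row holding HA1 = MD5(username:realm:password): request validates.
        "ha1_row": verify(compute_ha1(USER, REALM, PASSWORD), "GET", FIELDS),
        # Row holding only MD5(password): the same request is rejected.
        "md5_password_row": verify(md5_hex(PASSWORD), "GET", FIELDS),
    }

if __name__ == "__main__":
    print(demo())
```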
4
votes
No, this is not possible. The whole point of digest authentication is to avoid replay attacks, i.e. where somebody has only a hashed version (of some authentication data) rather than the real data.
Not only is it a hash of username, realm, and plaintext password, but also a nonce, which will change every time. So you really need the plaintext password.