WEBVTT 00:00.470 --> 00:02.660 One of the videos that I've included before. 00:02.660 --> 00:04.670 This lecture is about hashing. 00:05.240 --> 00:09.470 Now, I have taken that video from our intensive ethical hacking course. 00:09.860 --> 00:15.500 So the reason why I decided to include the hashing video was because hashing is something which is very 00:15.500 --> 00:23.330 important that you understand, not just for security, but also for the next Http authentication, 00:23.330 --> 00:27.740 which is digest authentication, which relies completely on hashing. 00:28.580 --> 00:35.360 So before we go into the Http digest authentication, let's again revise the basic authentication and 00:35.360 --> 00:37.190 one of the fundamental flaws of that. 00:37.880 --> 00:38.960 So. 00:40.290 --> 00:47.140 One of the things again, the client sends the get request for slash admin page. 00:47.160 --> 00:56.130 Now as the admin page is having the basic authentication method, so the server sends the authenticate 00:56.130 --> 00:59.490 header with the basic authentication type. 01:00.680 --> 01:08.240 And in order for client to verify, the client actually sends the base64 encoded value of username and 01:08.240 --> 01:08.960 password. 01:10.200 --> 01:16.320 Now, we've already seen that if a hacker is sniffing the traffic, then he can actually get the base64 01:16.500 --> 01:20.640 encoded value and can easily decode it within few minutes. 01:21.210 --> 01:26.340 So, in fact, even if you have a pen and paper, you can actually decode the base64 value within a 01:26.340 --> 01:27.180 few minutes. 01:27.360 --> 01:32.370 So this was one of the fundamental flaws of the Http basic authentication. 01:32.370 --> 01:39.750 And this is why if you want to implement basic authentication, then try to use it on top of SSL. 01:41.790 --> 01:45.450 So now let's talk about digest authentication. 01:47.360 --> 01:56.030 Now, one of the reasons of digest authentication was to provide an advantage over the basic authentication. 01:56.510 --> 02:03.950 So again, in digest authentication, the first step remains the same, where the client sends a get 02:03.950 --> 02:06.110 request for slash admin page. 02:07.370 --> 02:11.330 Now in this second response, which is the 401. 02:11.330 --> 02:18.680 As similar to basic authentication here, you see the realm has changed from basic to digest, and there 02:18.680 --> 02:21.650 is two more values that have been added generally. 02:21.650 --> 02:23.270 One is the nouns and one is the. 02:26.620 --> 02:29.080 Now in the third request. 02:30.270 --> 02:36.450 If you see in the response generally the base 64 encode which the. 02:39.030 --> 02:43.080 Basic authentication used to send now instead of this. 02:43.500 --> 02:46.050 This is basic in digest. 02:46.410 --> 02:50.970 It sends the MD5 digest or I would say MD5 value. 02:51.270 --> 02:53.370 So we have already seen that the. 02:54.560 --> 02:58.230 Hash value cannot be a two way function. 02:58.230 --> 02:59.790 It is just a one way function. 03:01.190 --> 03:06.440 Now the question is how the hash value is calculated in digest authentication. 03:08.320 --> 03:09.580 So let's see. 03:09.700 --> 03:12.340 So the first step generally that happens is. 03:14.020 --> 03:18.610 So first the username, plus the password. 03:20.260 --> 03:20.980 Plus the. 03:22.750 --> 03:23.140 Erin. 03:27.090 --> 03:28.110 Are calculated. 03:28.110 --> 03:34.740 Let's say this is H1 and the MD5 of these three things are taken. 03:35.490 --> 03:40.860 Then there is a H2 value that is calculated, which is the Uri. 03:45.720 --> 03:50.240 As a Uri plus the request method. 03:54.390 --> 04:03.300 So you or I will be slash admin and request method would be get and the MD5 of this is taken. 04:04.460 --> 04:12.380 Now, once H1 and H2 are calculated, then both the MD5 value. 04:12.410 --> 04:17.540 So say MD5 of H1. 04:20.230 --> 04:22.960 MD5 of H2. 04:24.870 --> 04:27.990 Is taken and then a nonce value is added. 04:30.660 --> 04:40.170 And then for all of these three things, one more MD5 hash is taken and that MD5 hash goes as a response. 04:42.110 --> 04:43.250 To the server. 04:48.460 --> 04:53.140 Now, if you're wondering about what a nonce value is. 04:53.140 --> 04:58.780 So there is a concept called as nouns, which is included in the digest authentication. 04:58.780 --> 05:02.260 So basically this is used to prevent replay attacks. 05:03.340 --> 05:12.160 So let's say a hacker captures this response and after one hour, he decides to send the same response 05:12.160 --> 05:13.300 back to the server. 05:13.930 --> 05:21.220 Now, as the username, password and realms are correct, ideally server should be able to verify it. 05:21.980 --> 05:24.110 So this is one of the flaws. 05:25.020 --> 05:27.690 So what happens in digest authentication? 05:27.810 --> 05:34.770 Nonce value is added and this nonce value keeps on changing every interval. 05:35.040 --> 05:41.460 So even if Hacker captures this particular request and replays it, after half an hour, he won't be 05:41.490 --> 05:46.170 able to get the authentication because the nonce value has changed. 05:46.320 --> 05:49.590 And because the nonce value has changed the whole. 05:50.910 --> 05:51.600 MD5. 05:51.630 --> 05:54.600 The whole MD5 value has also changed. 05:54.960 --> 05:59.100 So this is one of the ways in which the digest authentication works. 06:00.420 --> 06:09.390 Now, generally as far as Nginx plus is concerned, it does not really support the Http digest authentication. 06:09.390 --> 06:16.500 So we will not be including the practical part of digest authentication for this course. 06:17.760 --> 06:22.440 However, just for knowledge purpose, I decided to include digest authentication. 06:22.440 --> 06:26.810 So if you're using Apache, then you can actually implement the digest authentication there. 06:27.890 --> 06:34.610 So I hope the basic overview concept of digest authentication is clear to you, and the difference between 06:34.610 --> 06:36.590 a basic and digest is also clear. 06:37.510 --> 06:41.950 So I hope this video has been informative for you and I'd like to thank you for viewing.