Next: NTLM, Previous: CRAM-MD5, Up: Mechanisms
The DIGEST-MD5 mechanism is based on repeated hashing using MD5, which after the MD5 break may be argued to be weaker than HMAC-MD5, but supports more features. For example, authorization identities and data integrity and privacy protection are supported. Like CRAM-MD5, only a hashed password is transfered. Consequently, DIGEST-MD5 need access to the correct password (although it may be hashed, another improvement compared to CRAM-MD5) to verify the client response. Alas, this make it impossible to use, e.g., PAM on the server side.
In the client, this mechanism is always enabled, and require the
GSASL_AUTHID, GSASL_PASSWORD, GSASL_SERVICE, and
GSASL_HOSTNAME properties. If set, GSASL_AUTHZID and
GSASL_REALM will also be used.
In the server, the mechanism will invoke the GSASL_PASSWORD
callback, which may use the GSASL_AUTHID, GSASL_AUTHZID
and GSASL_REALM properties to determine which users' password
should be used. The server will then compare the client response with
a computed correct response, and accept the user accordingly.
Currently only the authentication quality of service is implemented. In other words, payload integrity or privacy protection are not supported. Consequently, there are no properties for the maximum buffer size, quality of protection, and cipher fields.