1 Basic Authentication Herng-Yow Chen. 2 Outline Explains HTTP authentication Delve into the most...
Basic Authentication
Herng-Yow Chen
Outline
Explains HTTP authentication.
Delves into the most common form of HTTP authentication, basic authentication.
The next lecture explains a more powerful technique called digest authentication.
Authentication
Authentication means showing some proof of your identity, that is, proof that you are who you claim to be.
HTTP provides a native challenge/response framework to make it easy to authenticate users.
Simplified challenge/response authentication
Request (client to server, over the Internet): "Please give me the internal sales forecast."
Challenge (server to client): "You requested a secret financial document. Please tell me your username and password." (The client then asks the user for a password.)
Authorization (client to server): "Please give me the internal sales forecast. Here is my username and password: '******'"
Success (server to client): "OK. You have access rights. Here is the document."
Authentication Protocols and Headers
Four phases of authentication:

| Phase         | Header                | Method/Status    |
|---------------|-----------------------|------------------|
| Request       | (none)                | GET              |
| Challenge     | WWW-Authenticate      | 401 Unauthorized |
| Authorization | Authorization         | GET              |
| Success       | Authentication-Info * | 200 OK           |

If the secret credentials don't match, the server can challenge the client again or generate an error.
Basic authentication example
(a) client -> server:
    GET /family/jeff.jpg HTTP/1.0
(b) server -> client:
    HTTP/1.0 401 Authorization Required
    WWW-Authenticate: Basic realm="Family"
(c) client -> server:
    GET /family/jeff.jpg HTTP/1.0
    Authorization: Basic Ydre3lkL56H7gdffvh
(d) server -> client:
    HTTP/1.0 200 OK
    Content-type: image/jpeg
    ...
    <image data included>
Security realms in a web server
/
  family/              <- Family realm
    jeff.jpg
    brian.jpg
  index.html
  corporate/
    financials/        <- Corporate financials realm
      sales-forecast.xls
    press/
      pr1.html
      pr2.html
Basic authentication headers

| Challenge/Response           | Header                                            |
|------------------------------|---------------------------------------------------|
| Challenge (server to client) | WWW-Authenticate: Basic realm=quoted-realm        |
| Response (client to server)  | Authorization: Basic base64-username-and-password |
Base-64 Username/Password Encoding
(a) Prompt for username and password: username "brian-totty", password "Ow!"
(b) Pack username and password with a colon: "brian-totty:Ow!"
(c) Base-64 encode: BASE64ENC("brian-totty:Ow!") = YnJpYW4tdG90dHk6T3ch
(d) Send authorization (client to server):
    GET /family/jeff.jpg HTTP/1.0
    Authorization: Basic YnJpYW4tdG90dHk6T3ch
Base-64 Encoding
Takes a sequence of 8-bit bytes and segments the bit stream into 6-bit chunks.
The Base-64 alphabet has 64 characters: A-Z, a-z, 0-9, +, /
The 65th character, =, is used for padding.
http://www.freesoft.org/CIE/RFC/2065/56.htm
http://tw2.php.net/base64_encode
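An added example (not from the lecture) of the regrouping just described, in Python: an encoder that packs 8-bit bytes into 6-bit alphabet indices with "=" padding, a helper that builds the Basic credential from the slide's username and password, and the inverse that recovers both from an Authorization header value. The function names are mine; the decoder also makes the point of the later "security flaws" slide concrete, since no key is needed to reverse the encoding.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_encode(data: bytes) -> str:
    """Base-64 encode by regrouping 8-bit bytes into 6-bit chunks.

    Each 3-byte group (24 bits) becomes four 6-bit indices into the
    alphabet; a short final group is zero-filled on the right and the
    missing output characters are replaced by '=' padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Pack up to three bytes into a 24-bit integer (zero-filled on the right).
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        # Pull out four 6-bit values, most significant first.
        idx = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # n input bytes yield n+1 real characters; the rest is '=' padding.
        chars = [B64_ALPHABET[v] for v in idx[:n + 1]]
        out.append("".join(chars) + "=" * (3 - n))
    return "".join(out)


def basic_credentials(username: str, password: str) -> str:
    """Build the value that follows 'Basic ' in an Authorization header."""
    return base64_encode(f"{username}:{password}".encode("utf-8"))


def decode_basic_credentials(header_value: str) -> tuple:
    """Recover (username, password) from an 'Authorization: Basic ...' value.

    No key is involved: anyone who can read the header can do this, which is
    why Basic authentication is only as private as the transport carrying it."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    # Split on the first colon only: usernames cannot contain ':' but passwords can.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator between username and password")
    return user, password
```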
Proxy authentication
Authentication can also be done by intermediary proxy servers.
Some organizations use proxy servers to authenticate users before letting them access servers, LANs, and wireless networks.
Proxy servers can be a convenient way to provide unified access control across an organization's resources, because access policies can be centrally administered on the proxy server.
The first step in this process is to establish the user's identity via proxy authentication.
Web server versus proxy authentication

|                              | Web server          | Proxy server              |
|------------------------------|---------------------|---------------------------|
| Unauthorized status code     | 401                 | 407                       |
| Challenge header             | WWW-Authenticate    | Proxy-Authenticate        |
| Credentials header (client)  | Authorization       | Proxy-Authorization       |
| Success-info header          | Authentication-Info | Proxy-Authentication-Info |
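As an added example (not from the lecture), the server side of the four-phase flow in Python, covering both the web-server and the proxy variant from the table above: a missing or bad credential yields the challenge (401 + WWW-Authenticate, or 407 + Proxy-Authenticate), a matching one yields 200. The USERS store and the function names are constructed for the demo; the client header names Authorization and Proxy-Authorization are the ones defined in RFC 2617.

```python
import base64
import hmac

# Constructed demo credential store: username -> password. A real server
# would store salted password hashes rather than plaintext.
USERS = {"brian-totty": "Ow!"}


def parse_basic(value):
    """Return (username, password) from a 'Basic <base64>' header value,
    or None when the value is absent, malformed or not a Basic credential."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Split on the first colon only: the username cannot contain ':' but
    # the password may.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(request_headers, realm, proxy=False):
    """Apply the four-phase flow to one request.

    Returns (status_line, response_headers). A web server challenges with
    401 + WWW-Authenticate and reads Authorization; a proxy challenges with
    407 + Proxy-Authenticate and reads Proxy-Authorization instead."""
    if proxy:
        status = "407 Proxy Authentication Required"
        challenge_hdr, cred_hdr = "Proxy-Authenticate", "Proxy-Authorization"
    else:
        status = "401 Unauthorized"
        challenge_hdr, cred_hdr = "WWW-Authenticate", "Authorization"
    challenge = (status, {challenge_hdr: f'Basic realm="{realm}"'})

    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in request_headers.items()}
    creds = parse_basic(lowered.get(cred_hdr.lower(), ""))
    if creds is None:
        return challenge  # no usable credentials: phase 2, challenge
    user, password = creds
    # Constant-time comparison so response timing does not leak how many
    # characters of the password matched; unknown users are compared against
    # "" so the code path stays uniform.
    expected = USERS.get(user, "")
    if user in USERS and hmac.compare_digest(password.encode(), expected.encode()):
        return ("200 OK", {})  # phase 4: success
    return challenge  # mismatch: challenge again (or the server could error)
```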
The security flaws of basic authentication
Base-64 encoding merely obscures the username and password; it does not encrypt them in any secure form, so anyone who can observe the request can recover them.
For More Information
http://www.ietf.org/rfc/rfc2617.txt "HTTP Authentication: Basic and Digest Access Authentication"
http://www.ietf.org/rfc/rfc2616.txt "Hypertext Transfer Protocol -- HTTP/1.1"