HTTP Authentication: Basic and Digest Access Authentication

HTTP Authentication: Basic and Digest Access Authentication (RFC 2617)

Contents
- Access Authentication Framework
- Basic Access Authentication
- Digest Access Authentication
- Specification of Digest Headers
  - WWW-Authenticate header
  - Authorization Request header
  - Authentication-Info header
- Digest Operation
- Example

Access Authentication Framework
- Simple challenge-response authentication mechanism
- Token: user-identifying information
- Realm directive: protection space
- Credential: checksum and hash

Basic Access Authentication
- Authentication with user ID/password
- Cleartext-based mechanism
- No encryption

Digest Access Authentication
- Purpose: remedy the weakness of Basic Access Authentication (the flaws of cleartext)
- No message encryption
- Overall operation
  - Simple challenge-response paradigm
  - The challenge uses a nonce value
  - The response contains a checksum (by default, MD5) of the username, password, given nonce value, HTTP method and requested URI

Specification of Digest Headers
- WWW-Authenticate header: sent by the server when it receives a request for an access-protected object without an acceptable Authorization header
- Authorization Request header: sent by the client to request access again after receiving the WWW-Authenticate header
- Authentication-Info header: information sent by the server on successful authentication

WWW-Authenticate header 1/3
  challenge        = "Digest" digest-challenge
  digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] | [ stale ] | [ algorithm ] | [ qop-options ] | [auth-param] )
  domain           = "domain" "=" <"> URI ( 1*SP URI ) <">
  URI              = absoluteURI | abs_path
  nonce            = "nonce" "=" nonce-value
  nonce-value      = quoted-string
  opaque           = "opaque" "=" quoted-string
  stale            = "stale" "=" ( "true" | "false" )
  algorithm        = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
  qop-options      = "qop" "=" <"> 1#qop-value <">
  qop-value        = "auth" | "auth-int" | token

WWW-Authenticate header 2/3
- Realm: identifies the user name and password to be used for authentication
- Nonce
  - Server-specified data string
  - Uniquely generated each time a 401 response is made
  - Base64 or hexadecimal data recommended
  - Implementation dependent
  - Opaque to the client
- Opaque
  - A value generated by the server
  - Returned unchanged by the client in its Authorization header
- Stale: indicates that the nonce value of the previous request was stale
  - TRUE: the nonce value was stale (the username/password are judged to be valid)
  - FALSE, any value other than TRUE, or no stale directive: the username/password are invalid

WWW-Authenticate header 3/3
- Algorithm: the algorithm used for the digest and checksum
  - Default: MD5
  - KD(secret, data): the string obtained by digesting data with secret
  - H(data): the string obtained by applying the checksum algorithm to data
  - Example (MD5): H(data) = MD5(data); KD(secret, data) = H(concat(secret, ":", data))
- Qop-options
  - Optional field (for backward compatibility)
  - Quoted string
  - Quality of protection
  - Example: "auth" (authentication), "auth-int" (authentication with integrity protection)
- Auth-param: for extension

Authorization Request header 1/2
  credentials      = "Digest" digest-response
  digest-response  = 1#( username | realm | nonce | digest-uri | response | [ algorithm ] | [cnonce] | [opaque] | [message-qop] | [nonce-count] | [auth-param] )
  username         = "username" "=" username-value
  username-value   = quoted-string
  digest-uri       = "uri" "=" digest-uri-value
  digest-uri-value = request-uri   ; As specified by HTTP/1.1
  message-qop      = "qop" "=" qop-value
  cnonce           = "cnonce" "=" cnonce-value
  cnonce-value     = nonce-value
  nonce-count      = "nc" "=" nc-value
  nc-value         = 8LHEX
  response         = "response" "=" request-digest
  request-digest   = <"> 32LHEX <">
  LHEX             = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"

Authorization Request header 2/2
- Opaque / algorithm: the values received in the WWW-Authenticate header
- Response
  - The computed result, 32 hex digits
  - Proves that the user knows the password
- Username: the user's name in the specified realm
- Qop
  - Quality of protection
  - Optional field (backward compatibility)
  - Affects the request-digest
  - Must be included if it was specified in the WWW-Authenticate header
- Cnonce
  - Whether it is included depends on whether qop is present in the WWW-Authenticate header
  - Intended to prevent plaintext attacks
- Nonce-count
  - Specifies the number of requests made with the same nonce
  - Intended to prevent replay attacks
- Auth-param: for extension
- Request-digest: see the RFC

Authentication-Info header
  AuthenticationInfo = "Authentication-Info" ":" auth-info
  auth-info          = 1#( nextnonce | [ message-qop ] | [ response-auth ] | [ cnonce ] | [nonce-count] )
  nextnonce          = "nextnonce" "=" nonce-value
  response-auth      = "rspauth" "=" response-digest
  response-digest    = <"> *LHEX <">
- Nextnonce
  - The nonce to be used in the next challenge, or used to change the nonce
  - If specified, used when constructing the Authorization header of the next request
- Message-qop
  - Quality of protection
  - Required if it was specified

Digest Operation
- Using the password that corresponds to the username in the Authorization Request header, the server applies the same algorithm as the client and compares the result with the request-digest value
- This is possible without knowing the cleartext password if H(A1) is known
  - H(A1) = H(unq(username-value) ":" unq(realm-value) ":" password)
  - Example: username = "Mufasa", realm = myhost@testrealm.com, password = "Circle Of Life"
    H(A1) = H(Mufasa:myhost@testrealm.com:Circle Of Life)
- Session: lasts for the interval between receipt of WWW-Authenticate challenges

Example
- Environmental parameters
  - URI: http://www.nowhere.org/dir/index.html
  - Username: "Mufasa"
  - Password: "Circle Of Life"
- Operation
  1. Client request
  2. No Authorization header is sent; the server responds with a WWW-Authenticate header
  3. The client responds with a new request, including an Authorization header
- 2. WWW-Authenticate header
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="testrealm@host.com",
                      qop="auth,auth-int",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      opaque="5ccc069c403ebaf9f0171e9517f40e41"
- 3. Authorization Request header
    Authorization: Digest username="Mufasa",
                   realm="testrealm@host.com",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                   uri="/dir/index.html",
                   qop=auth,
                   nc=00000001,
                   cnonce="0a4f113b",
                   response="6629fae49393a05397450978507c4ef1",
                   opaque="5ccc069c403ebaf9f0171e9517f40e41"
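The following Python is an added example, not part of the original slides: it implements H, KD, H(A1), H(A2) and the request-digest from the Digest Operation slide, reproduces the response value in the example above, and shows the server side verifying with only H(A1) stored while rejecting a reused nonce-count. The DigestVerifier class and the EXAMPLE dict are constructed here for illustration.

```python
import hashlib
import hmac

def H(data: str) -> str:
    # H(data) = MD5(data), lower-case hex; MD5 is RFC 2617's default algorithm
    return hashlib.md5(data.encode()).hexdigest()
def KD(secret: str, data: str) -> str:
    # KD(secret, data) = H(concat(secret, ":", data))
    return H(f"{secret}:{data}")
def HA1(username: str, realm: str, password: str) -> str:
    # A1 = unq(username) ":" unq(realm) ":" password; H(A1) is all the server must store
    return H(f"{username}:{realm}:{password}")

def HA2(method: str, uri: str, qop: str = "auth", body: str = "") -> str:
    # A2 = Method ":" digest-uri, plus ":" H(entity-body) when qop is auth-int
    return H(f"{method}:{uri}:{H(body)}" if qop == "auth-int" else f"{method}:{uri}")

def request_digest(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    # response = KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2))  (qop present)
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    # Server side (hypothetical): keeps H(A1) per user and the highest nc accepted per nonce
    def __init__(self, ha1_by_user: dict):
        self.ha1_by_user = ha1_by_user
        self.last_nc = {}  # nonce -> highest nonce-count seen, for replay detection

    def verify(self, method: str, p: dict) -> tuple:
        stored = self.ha1_by_user.get(p["username"])
        if stored is None:
            return False, "unknown user"
        nc = int(p["nc"], 16)
        if nc <= self.last_nc.get(p["nonce"], 0):
            return False, "replayed nonce-count"
        expected = request_digest(stored, p["nonce"], p["nc"], p["cnonce"],
                                  p["qop"], HA2(method, p["uri"], p["qop"]))
        if not hmac.compare_digest(expected, p["response"]):
            return False, "bad response"
        self.last_nc[p["nonce"]] = nc
        return True, "ok"

# Parameters of the RFC 2617 example shown on the slides (constructed here as a dict)
EXAMPLE = {"username": "Mufasa", "realm": "testrealm@host.com", "uri": "/dir/index.html", "qop": "auth",
           "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "nc": "00000001", "cnonce": "0a4f113b"}

def client_authorization(password: str = "Circle Of Life") -> dict:
    # The client's Authorization parameters for GET /dir/index.html, response included
    e = EXAMPLE
    ha2 = HA2("GET", e["uri"], e["qop"])
    resp = request_digest(HA1(e["username"], e["realm"], password), e["nonce"], e["nc"], e["cnonce"], e["qop"], ha2)
    return dict(e, response=resp)
```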