The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.

Updated FSM

Authentication FSM

Authentication: Basic

1. Split the Authorization header, extracting the base64-encoded secret
2. Decode the base64-encoded secret and extract the username and password
3. Use MD5 to generate a one-way hash of the password supplied by the client
4. Use the username to find the hashed password known by the server
5. Compare the hashed value from #3 with the one from #4
6. If they match, return 200; if not, return 401 with a WWW-Authenticate header

Authentication: Digest

1. Parse the Authorization header into key-value pairs
2. Determine whether the nonce is stale or invalid; if invalid, return 401; if valid, go on
3. Use the username to find the MD5-hashed secret known by the server, MD5(username:realm:password), and store it as A1
4. Calculate A2 based on the value of qop:
   1. if qop == "auth" then A2 = ":URI"
   2. elsif qop == "auth-int" then A2 = ":URI:MD5(entity-body)"
5. Create a digest from the data provided by the client, mixed with the A1 computed by the server, of the form MD5(A1:nonce:ncount:cnonce:qop:MD5(A2))
6. Compare #5 with the "response" value provided by the client
7. If they match, return 200; if not, return 401 with a WWW-Authenticate header

Is the given nonce stale?

1. Extract the nonce used by the client from the headers
2. Base64-decode it and split on whitespace to get the timestamp and the MD5-hashed value of (timestamp:ETag:private-key)
3. Use the given timestamp along with the ETag and private key to generate an MD5-hashed value
4. If it is valid, continue; otherwise send a 401
5. If the timestamp is not the current timestamp, the nonce is stale; send a 401 with stale=True
6. Otherwise, it is fresh, so continue processing the request
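A worked example of the Digest check and the nonce freshness test from the two slides above, written for this page in Python and not part of the Elbert server's code. The realm, private key, user, nc/cnonce and ETag values are constructed; only qop=auth is handled, and A2 is taken as method:URI (the RFC 2617 form for qop=auth, where the slide shows the URI part).

```python
import base64
import hashlib
import hmac

# Constructed values for the example; the realm, private key and user are assumptions.
REALM, PRIVATE_KEY = "elbert", "server-private-key"

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

# Server-side store: username -> A1 = MD5(username:realm:password)
USERS = {"alice": md5(f"alice:{REALM}:wonderland")}

def make_nonce(etag, ts):
    """nonce = base64(timestamp + ' ' + MD5(timestamp:ETag:private-key))."""
    return base64.b64encode(f"{ts} {md5(f'{ts}:{etag}:{PRIVATE_KEY}')}".encode()).decode()

def check_nonce(nonce, etag, now):
    """Return 'invalid', 'stale' or 'fresh', the three outcomes on the slide."""
    try:
        ts, digest = base64.b64decode(nonce).decode().split()
    except (ValueError, UnicodeDecodeError):
        return "invalid"
    if not hmac.compare_digest(digest.encode(), md5(f"{ts}:{etag}:{PRIVATE_KEY}").encode()):
        return "invalid"  # not minted by this server for this ETag
    return "fresh" if ts == str(now) else "stale"  # stale -> 401 with stale=true

def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into directives (values without quoted commas)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return None
    pairs = (item.strip().partition("=") for item in rest.split(","))
    return {k: v.strip('"') for k, _, v in pairs}

def digest_response(a1, method, uri, d):
    """MD5(A1:nonce:nc:cnonce:qop:MD5(A2)) with A2 = method:URI for qop=auth."""
    a2 = md5(f"{method}:{uri}")
    return md5(f"{a1}:{d['nonce']}:{d['nc']}:{d['cnonce']}:{d['qop']}:{a2}")

def authorize(method, uri, header, etag, now):
    """Server side: the status code the slides prescribe (200, 400 or 401)."""
    d = parse_authorization(header)
    if d is None or d.get("qop") != "auth" or d.get("uri") != uri or \
            not d.keys() >= {"username", "nonce", "nc", "cnonce", "response"}:
        return 400  # malformed/missing directives or request-line URI != uri directive
    if d["username"] not in USERS or check_nonce(d["nonce"], etag, now) != "fresh":
        return 401
    expected = digest_response(USERS[d["username"]], method, uri, d)
    return 200 if hmac.compare_digest(expected.encode(), d["response"].encode()) else 401
```

The client computes the same digest_response from its own A1, so a stale nonce, a tampered nonce, a changed URI or a wrong password each fall out as a different status.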

Completed Work

– Status 416 for bad ranges
– Authentication: Basic
  – Parse the WeMustProtectThisHouse! file
  – Logging the username in Common Log Format
  – WWW-Authenticate header with Basic and realm
  – Authorization header with Basic and realm
  – Comparison of the secret supplied by the client with the one known by the server
  – 200 OK if they match
  – 401 if they don't, or if no challenge was made to begin with

Completed Work

– Authentication: Digest
  – Parse the WeMustProtectThisHouse! file
  – Logging the username in Common Log Format
  – Can parse the Authorization request header with Digest: username, realm, uri, qop, nonce, nc, opaque, cnonce, response

Completed Work

– Authentication: Digest
  – WWW-Authenticate response header (401): realm, domain, qop, nonce, algorithm, opaque
  – Authentication-Info response header (200): qop, rspauth, nc, cnonce
– 401 trumps in cases where authentication is successful but the URI has no representation
– GET/HEAD with Range header works with authentication
– 400 for malformed directives, a URI in the request line that doesn't match the uri directive, etc.

Work Remaining

– Authentication: Digest
  – WWW-Authenticate header: stale
  – Authorization header: nextnonce
  – qop type auth-int
  – algorithm type MD5-sess

Questions for Dr. Nelson

– The client doesn't request MD5-sess, so when does the server use it (PUT and POST?)
– When does the client request auth-int, with PUT and POST?
– For the domain part of WWW-Authenticate, do we just list files or are directories considered valid resources too?
– For slow clients (or connections with high latency or low bandwidth), wouldn't the nonce always be stale?
– What do we do with the cnonce?
– What do we do for content negotiation, 300, 301, 302 (i.e. items that have no effective ETag for use in a nonce)?