Presentation on theme: "Understanding the Internet"— Presentation transcript:

1 Understanding the Internet
The Basics

2 Topics
DNS, TCP/IP
URLs
Dynamic Pages
Caching and Proxies
Cookies
Basic Security Mechanisms
The Goal: By the end of this lesson, you should be able to explain how the internet works, including details about each of the basic technologies used. You should be able to draw basic conclusions about how things can or cannot work on the web.

3 How Does It All Work?
What happens when a link is pressed?

4 HTML (HyperText Markup Language)
Web pages are written in HTML, which defines the style in which the page should be displayed.
<a href="…">course syllabus</a>
"course syllabus" is the text written on the link; the href value (not preserved in this transcript) is the URL, i.e. the destination.

5 http://www.undergraduate.technion.ac.il/catalog/facs009.html
Diagram: the browser resolves the domain through DNS, sends an HTTP request to the web server at technion.ac.il, the web server reads catalog/facs009.html from its file system, and the file comes back in the HTTP response.

6 The Infrastructure (very brief)
IP Address, Domain Name Server, TCP/IP

7 Infrastructure Warriors of the Net

8 IP Address and Port
The browser will ask for the page from the appropriate web server using the HTTP protocol
A web server is a program that can return resources
However, in order to request anything from the web server, the browser must know its IP address and the port on which the web server is listening
Intuitively, the domain name is like a person's name and the IP address is like his address
The port is like the "apartment number" (note: web servers generally use the standard port number 80)

9 DNS (Domain Name Server)
Computers are configured to know the IP address of a DNS (Domain Name Server)
A DNS is a program that, when sent a domain name, returns the IP address of the domain:
the DNS either looks up the domain name in a list, or
the DNS asks a different DNS for the IP address
In order to use the DNS, the web browser creates a packet of information that contains:
the address of the DNS
its own IP address (why?)
the content of the request

10 How Does the Packet Get to Its Destination?
The computer sends it down the phone line (or Ethernet connection, or it transmits it by radio to a base station which sends it down some wire, etc.)
The Internet is a net of computers all connected together by various cables
A computer, when it gets a packet, sees what computer number it is being sent to and passes it on in the general direction toward its destination
This way of passing on the packet is called the Internet Protocol (IP)

11 Getting the Actual Resource
After the IP address of the domain of the resource is received (from the DNS), the resource is requested from the web server in that domain
The request is written using a protocol called HTTP (Hyper Text Transfer Protocol)
The web server sees the URL requested and sends the resource back to the requester
The resource is split up into packets (of 512 bytes) and sent back to the requester; the protocol for sending packets is called Transmission Control Protocol (TCP)

12 Displaying the Web Page
The web browser puts the packets back together, in order
The page is displayed (by interpreting the style commands if it is an HTML page)

13 Resources and URLs

14 Resources
A resource is a chunk of information that can be identified by a URL (Universal Resource Locator)
A resource can be:
A file, e.g., html, text, image
A dynamically created page (more about this later on)
What we see on the browser can be a combination of some resources
When an html page is displayed with images we are actually seeing several resources at once
How do we get them all? How many?

15 Basic Format of a URL
Basic Syntax: protocol://domain/path
Example: ftp://ctan.unsw.edu.au/tex-archive/misc.zip

16 Anchors and Parameters
URLs can also have:
an anchor: This is used in order to define a link that takes the user to the middle of a page (instead of to the top). In order for this to work, the anchor must also be defined within the destination page
parameters: These are extra values that are passed along to the web server along with the path. (More about this when we discuss dynamic pages)
Anchor Example

17 Anchors and Parameters: Syntax
protocol://domain/path#anchor?parameters
A URL can also have both an anchor and parameters

18 Syntax of Parameters
The inputs to the parameters are given as a list of pairs of a parameter and a value: var1=value1&var2=value2&var3=value3
Spaces are represented by "+"
Characters such as &, +, % are encoded in the form "%xx" where xx is the ASCII value in hexadecimal; for example, "%" = "%25"

19 apples & bananas

20

21 Anchors and Parameters: Notes
Questions to think about:
When a URL with an anchor is requested, is something different sent than when the URL is requested without an anchor?
When a URL with parameters is requested, is something different sent than when the URL is requested without parameters?

22 Relative Links
A URL in a web page can be written with only a path (no protocol or domain)
The browser then figures out the complete location by considering the current location: it replaces the last file of the current location (if there is one) with the value of the relative path
protocol://domain/path

23 Relative Links: Examples
Suppose we click on the link <a href="robes.html">buy robes</a>
Where will we go, assuming we start at:
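To make the URL rules of the last few slides concrete, here is an added Python example (not code from the lecture) that splits a URL into the named parts, encodes and decodes parameters, shows what the browser actually sends on the request line, and resolves a relative link such as robes.html against a starting page. The base URLs and parameter names are constructed for the demo. One caveat: urlsplit follows the standard order protocol://domain/path?parameters#anchor (RFC 3986), in which the parameters come before the anchor.

```python
from urllib.parse import urlsplit, urlencode, parse_qs, urljoin


def split_url(url):
    """Break a URL into the parts named on the slides.

    urlsplit uses the standard order path?parameters#anchor (RFC 3986)."""
    p = urlsplit(url)
    return {"protocol": p.scheme, "domain": p.netloc, "path": p.path,
            "parameters": p.query, "anchor": p.fragment}


def encode_parameters(pairs):
    """Encode (name, value) pairs as var1=value1&var2=value2...
    Spaces become '+'; '&', '+', '%' and other reserved characters become %xx."""
    return urlencode(pairs)


def decode_parameters(query):
    """Inverse of encode_parameters: query string -> {name: [values]}."""
    return parse_qs(query)


def request_target(url):
    """What the browser puts on the request line: path and parameters only.
    The anchor is never sent to the server; the browser handles it locally."""
    p = urlsplit(url)
    return p.path + ("?" + p.query if p.query else "")


def resolve_relative(base_url, href):
    """Turn a relative href into an absolute URL the way a browser does:
    the last file of the base path is replaced by the relative path."""
    return urljoin(base_url, href)


if __name__ == "__main__":
    # constructed starting page, standing in for the elided ones on the slide
    print(resolve_relative("http://www.example.test/shop/index.html", "robes.html"))
    print(encode_parameters([("fruit", "apples & bananas")]))
```

The apples & bananas example from slide 19 encodes as fruit=apples+%26+bananas, and decoding it gives the original string back; request_target shows why the server cannot tell whether an anchor was present.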

24 Notes
A URL uniquely identifies a resource: given a URL there is exactly one resource that corresponds to the URL (who determines which resource it is?)
A resource may not be uniquely identified by a single URL: several URLs can correspond to the same resource (example?)

25 Questions About Resources and URLs?

26 Dynamic Pages

27 Types of Dynamic Pages
Web-Server-Side: The web server dynamically creates the page as a response to the user's request
Client-Side: The browser dynamically changes the resource that is returned

28 Web-Server-Side
Up until now, we have assumed that the web server returns a file that exists in its file system
Clearly, not every page on the internet can be implemented this way (example?)
A web server can actually run a program (with the parameters in the URL) and then return the result of the program; such a page is called a "dynamic page"

29 Diagram: DNS lookup, then the HTTP request reaches the web server, which executes a program (managing web data) and returns the program's output in the HTTP response.

30 Web-Server-Side Technologies
Common tools for creating dynamic server-side pages:
CGI (Common Gateway Interface)
Java Servlets, JSP (Java Server Pages)
Microsoft ASP (Active Server Pages)
PHP

31 Client-Side Dynamic Pages
Certain parts of a web application can be executed locally, in the web browser
For example, some validity checks can be applied to the user's input locally; the user request is sent to the server only if the input is valid
JavaScript, VBScript and AJAX are HTML-embedded scripting technologies for client-side programming
It is also possible to combine both server-side and client-side dynamic technologies
Example

32 Server-Side versus Client-Side
When must a dynamic page be server-side?
When is it better to use a client-side dynamic page?
What advantages does each kind of dynamic page have? Disadvantages?

33 Questions About Dynamic Pages?

34 HTTP

35 Common Protocols
In order for two remote machines to "understand" each other they should "speak the same language" and coordinate their "conversation"
The solution is to use protocols, e.g.:
FTP: File Transfer Protocol
SMTP: Simple Mail Transfer Protocol
NNTP: Network News Transfer Protocol
HTTP: HyperText Transfer Protocol

36 The HTTP "Conversation"
A web browser knows how to send an HTTP request for a resource
A web server is a program that listens for HTTP requests and knows how to send appropriate HTTP responses
There are 2 standard versions of HTTP: HTTP 1.0 and HTTP 1.1; we discuss HTTP 1.0

37 A Basic HTTP Session
A basic HTTP session has four phases:
Client opens the connection (a TCP connection)
Client makes a request
Server sends a response
Server closes the connection
Who is the client? Who is the server?

38 Stateless Protocol
HTTP is a stateless protocol: once a server has delivered the requested data to a client, the server retains no memory of what has just taken place
Server-side programming tools must provide a mechanism for maintaining state (e.g., cookies)

39 The Format of HTTP Requests and Responses
An initial line: in a request, the first line is a method; in a response, the first line is a status code
Zero or more header lines
A blank line, and
An optional message body (e.g., a file, query data, or query output)

40 Request (General Form)
method sp URL sp version cr lf
header : value cr lf
... (0 or more header lines)
header : value cr lf
cr lf
Optional Entity Body

41–46 Example HTTP Request
GET http://iew3.technion.ac.il HTTP/1.0
User-Agent: Mozilla/4.0
If-Modified-Since: Fri, 31 Dec :59:59 GMT

Callouts on these slides:
Method: GET
Resource: http://iew3.technion.ac.il
HTTP Version: HTTP/1.0
Headers: User-Agent (the type of browser making the request) and If-Modified-Since (return the resource only if it was modified after the given date; why is this useful?)

47 Common Request Methods
GET returns the content of the indicated URL
POST treats the URL as an application and sends some data to it; could be used to process a form
GET and POST differ in their treatment of parameters
HEAD returns the header information for the indicated URL; useful for finding out info about a URL without actually retrieving it

48 More Request Methods
PUT replaces the content of the URL with some data, or generates a new document with that URL if none exists
DELETE deletes the indicated document
Usually these methods are not allowed

49 HTTP Headers
Examples of HTTP headers: Accept-Encoding, Cookie, If-Modified-Since, User-Agent, Content-Length, Referer
Headers may be spoofed! Which ones might you want to spoof?

50 General Format of HTTP Response
The first line is the status of the result
After the first line, there are 0 or more headers, e.g., Last-Modified, Refresh, Set-Cookie
Then there is a blank line
Then, there is an optional message body

51 Response (General Form)
status line: version sp status code sp phrase cr lf
header : value cr lf
... (0 or more header lines)
header : value cr lf
cr lf
Optional Entity Body

52–59 Example HTTP Response
HTTP/1.0 200 OK
Date: Fri, 30 Jul :20:37 GMT
Last-Modified: Tue, 27 Jul :37:57 GMT
Content-Length: 21175
Content-Type: text/html

<META NAME="description" CONTENT="The William Davidson Faculty of Industrial Engineering and Management, Technion">

Callouts on these slides:
HTTP Version: HTTP/1.0
Status Code and Explanation: 200 OK
Headers: Date (date of request), Last-Modified (date the file was last modified), Content-Length (length of the content of the page; why is this needed?), Content-Type (type of resource returned; why is this needed?)
Actual Resource Returned: the HTML body, beginning with the <META ...> tag shown
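The request and response formats on the preceding slides are easiest to understand by writing the parser. The following is an added Python example, not code from the lecture: it splits a raw HTTP/1.0 message into initial line, headers and body, uses Content-Length to decide whether the whole body has arrived, and implements a tiny server that honours If-Modified-Since by answering 304 Not Modified instead of resending the resource. The resource, its dates and the request headers are constructed for the demo (the dates on the slides are only partly preserved).

```python
from email.utils import parsedate_to_datetime

# Constructed sample resource standing in for a file on the server's file system.
# The dates are invented for the demo, not the (partly lost) dates on the slides.
RESOURCE = {
    "body": b"<html><body>Faculty of Industrial Engineering</body></html>",
    "last_modified": "Tue, 27 Jul 2004 14:37:57 GMT",
    "content_type": "text/html",
}


def parse_http_message(raw):
    """Split a raw HTTP message into (initial line, headers, body).

    The shape is the one on the slides: an initial line, zero or more
    'Name: value' header lines, a blank line, then the optional body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line found: the headers are incomplete")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return lines[0], headers, body


def parse_request_line(line):
    """'GET /index.html HTTP/1.0' -> ('GET', '/index.html', 'HTTP/1.0')"""
    method, target, version = line.split(" ", 2)
    return method, target, version


def parse_status_line(line):
    """'HTTP/1.0 200 OK' -> ('HTTP/1.0', 200, 'OK')"""
    version, code, phrase = line.split(" ", 2)
    return version, int(code), phrase


def body_complete(headers, body):
    """Content-Length is what tells the receiver where the body ends.
    Without it, an HTTP/1.0 receiver only knows when the server closes."""
    if "content-length" not in headers:
        return None      # unknown: wait for the connection to close
    return len(body) == int(headers["content-length"])


def build_response(code, phrase, headers, body=b""):
    lines = [f"HTTP/1.0 {code} {phrase}"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


def request(method, target, headers):
    """Build a raw request in the general form from the slides."""
    lines = [f"{method} {target} HTTP/1.0"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def handle_request(raw, resource=RESOURCE):
    """A minimal server: GET/HEAD for one resource, with If-Modified-Since."""
    initial, headers, _ = parse_http_message(raw)
    method, _target, _version = parse_request_line(initial)
    if method not in ("GET", "HEAD"):
        return build_response(501, "Not Implemented", {"Content-Length": "0"})
    common = {"Last-Modified": resource["last_modified"]}
    ims = headers.get("if-modified-since")
    if ims is not None:
        try:
            unchanged = parsedate_to_datetime(resource["last_modified"]) <= parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            unchanged = False     # an unparsable client date is ignored, not trusted
        if unchanged:
            return build_response(304, "Not Modified", common)   # no body: the transfer is saved
    body = resource["body"]
    common.update({"Content-Length": str(len(body)), "Content-Type": resource["content_type"]})
    return build_response(200, "OK", common, b"" if method == "HEAD" else body)
```

Running handle_request on a request whose If-Modified-Since is older than the resource yields the full 200 response; a newer date yields a 304 with headers only, which is the saving the If-Modified-Since callout asks about.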

60 Common Status Codes
200 OK: Return the page requested
301 Moved Permanently: Also returns the new URL; usually, a web browser will automatically request the new page

61 Common Status Codes 404 File Not Found

62 Common Status Codes 502 Bad Gateway: Fails on the DNS lookup

63 Experimenting Manually with HTTP (1)
At HUJI use: telnet wwwproxy.cs.huji.ac.il 8080
GET xxxx.html HTTP/1.0
Response: 400 Bad Request, then headers, then HTML contents

64 Experimenting Manually with HTTP (1)
GET … HTTP/1.0 (the URL is not preserved in the transcript)
Response: 404 Not Found, then headers, then HTML contents

65 Experimenting Manually with HTTP (2)
GET … HTTP/1.0 (the URL is not preserved in the transcript)
Response: 301 Moved Permanently, then headers, then HTML contents

66 Why?
What happens when you write the URL (not preserved in the transcript; abc in it is a username) in the browser?
Technically, why does this happen?
Why is the redirection really needed?

67 Questions About HTTP?

68 Caching and Proxy Servers

69 Complicating the Picture
The way that the process of getting a web page has been described up until now is that:
for each resource, the web browser makes a request
the request is sent directly to the web server that has the resource
Think about it: this would mean that every time a user searches using Google, an HTTP request is sent directly to Google for their icon. Isn't this a waste?!

70 Caching
In order to save on traffic and improve on speed, resources are cached (saved temporarily) at two points:
locally, on the client (web browsers allow for a configuration of the size of the cache)
on the way, using a proxy server

71 Proxy Servers
Proxy = "Go Between" (מתווך)
Usually a browser does not directly contact the web server whose resource it needs
Instead, the browser contacts a program (called a proxy server) whose job is to contact the web server
Since the proxy server is used by many users, caching can be very helpful at this level

72 Proxy Caches
Diagram: several clients each send GET /fruit/apple.gif to a proxy server; the proxy sends a single GET /fruit/apple.gif on to the server.
We can generalise the caching concept and insert a proxy server to cache objects of multiple clients. The client is configured to open all its TCP connections to the proxy. Recall that the HTTP request is
GET /fruit/apple.gif HTTP/1.1
Host: …
so the request contains the full URL. The proxy checks to see if it has the object. If not, it opens a TCP connection to the host and acts as a client fetching the object. The object is both stored and returned to the original client. A second request made while the object is cached is satisfied without going to the server, but a conditional GET is done to confirm the object is current. This introduces many new problems of cache management.

73 Proxy Caches
Proxy caches reduce latency for a given user agent if they can serve the request from their cache.
As a result, they also save bandwidth and reduce the load on the origin server.
Therefore, they also reduce latency for the requests that must be sent to the target server.
Diagram: a hierarchy of caches, Department Proxy Server, then University Proxy Server, then Israel Proxy Server, then the Web Server.

74 Diagram: after the DNS lookup, the HTTP request goes to the proxy server, which checks its cache and forwards the request to the web server; the web server (possibly executing a program) returns the HTTP response, which passes back through the proxy.

75 Diagram: the same picture, but the proxy server finds the resource in its cache and returns the HTTP response itself, without contacting the web server.

76 Risks in Caching
The benefits of caching are clear
What are the risks of caching?
How can such risks be minimized?
Hint: Remember the header If-Modified-Since

77 Other Uses for a Proxy Server
Restricting access of users
Tracking access of users
Virus protection
Note: A proxy is a program, so it could conceivably be written to do anything. Normally, it simply requests and caches resources

78 Basic Format of a Proxy Program
Listens to a port
Infinite loop:
Establish connection
Read request
Process request (e.g., check in cache…)
Send response
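The "process request" step of the proxy loop is where caching, and its risk, lives. The following added Python example (not the lecture's SillyProxy, and not a real network server) models a caching proxy in front of a constructed origin server. With validation on, a cached copy is re-checked with a conditional GET (If-Modified-Since) and the origin answers 304 when nothing changed, so the bytes are saved but the content stays correct; with validation off, the proxy keeps serving a stale copy after the origin has changed, which is the risk slide 76 asks about. Timestamps are plain integers rather than HTTP dates to keep the model small.

```python
class Origin:
    """Constructed stand-in for a web server holding one resource.
    last_modified is an integer timestamp instead of an HTTP date."""

    def __init__(self, body, last_modified):
        self.body = body
        self.last_modified = last_modified
        self.requests = 0      # how often the origin was contacted
        self.bytes_sent = 0    # body bytes it had to transfer

    def handle(self, request_headers):
        self.requests += 1
        ims = request_headers.get("If-Modified-Since")
        if ims is not None and self.last_modified <= ims:
            # conditional GET and nothing changed: headers only, no body
            return 304, {"Last-Modified": self.last_modified}, b""
        self.bytes_sent += len(self.body)
        return 200, {"Last-Modified": self.last_modified,
                     "Content-Length": len(self.body)}, self.body


class CachingProxy:
    """Serves from its cache when it can; otherwise acts as a client
    towards the origin, stores the object and returns it.

    validate=True re-checks a cached copy with If-Modified-Since before
    serving it; validate=False trusts the cache blindly (the staleness risk)."""

    def __init__(self, origin, validate=True):
        self.origin = origin
        self.validate = validate
        self.cache = {}   # url -> {"body": ..., "last_modified": ...}

    def _store(self, url, headers, body):
        self.cache[url] = {"body": body, "last_modified": headers["Last-Modified"]}
        return body

    def get(self, url):
        """Return (body, how it was obtained)."""
        entry = self.cache.get(url)
        if entry is None:
            _status, headers, body = self.origin.handle({})
            return self._store(url, headers, body), "origin"
        if not self.validate:
            return entry["body"], "cache, not validated"
        status, headers, body = self.origin.handle(
            {"If-Modified-Since": entry["last_modified"]})
        if status == 304:
            return entry["body"], "cache, validated"
        return self._store(url, headers, body), "origin, refreshed"


if __name__ == "__main__":
    origin = Origin(b"<img: apple v1>", last_modified=100)
    proxy = CachingProxy(origin)
    for _ in range(2):
        print(proxy.get("/fruit/apple.gif"))
    print("origin requests:", origin.requests, "bytes sent:", origin.bytes_sent)
```

The validated proxy contacts the origin on every request but transfers the body only once; the unvalidated proxy contacts it once and then serves whatever it stored, correct or not.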

79 Example Proxy
To demonstrate how a proxy could work, try the following 2 programs: SillyProxy, EchoProxy

80–82 SillyProxy.java
import java.net.*;
import java.io.*;

public class SillyProxy {
    public static void main(String[] args) {
        handleRequests(Integer.parseInt(args[0]));
    }

    public static void handleRequests(int port) {
        try {
            // Listen to a port
            ServerSocket listen = new ServerSocket(port);
            while (true) {
                // Establish connection
                Socket client = listen.accept();
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(client.getInputStream()));
                // Read request: consume lines up to the blank line that ends the headers
                String line = in.readLine();
                while (line != null && line.trim().length() > 0) {
                    line = in.readLine();
                }
                // Send response: the same fixed page, whatever was asked for
                String answer = "HTTP/1.0 200 OK\r\n"
                        + "Content-Type: text/html\r\n\r\n"
                        + "<html><body>"
                        + "<font color=green size=+4>"
                        + "<i>Happy Purim</i></font></body></html>";
                PrintWriter out = new PrintWriter(client.getOutputStream(), true);
                out.println(answer);
                out.flush();
                client.close();
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

83 EchoProxy
Can be defined similarly to SillyProxy, but it sends as a response the HTTP request, wrapped in <HTML><BODY><PRE>
Try them out:
run the programs from the command line with some number as the port value
set your browser to run with the program as its proxy
try to open up a page
What will we see?

84 Questions About Proxies?

85 Cookies

86 Cookies
Cookies are a general mechanism that server-side applications can use to both store and retrieve long-term information on the client side
Servers send cookies in the HTTP response, and browsers are expected to save them and to send the same cookies back to the server whenever they make additional requests from the server
The content of the cookies is stored as a text document in the file system

87–88 Cookie Transportation: An Example
Diagram: the browser (IE) keeps a cookie store per domain. A page request to the Amazon web server is answered with Set-cookie: pref=eng; id=…, and the browser files pref=eng; id=… under amazon.com. A page request to the Technion web server is answered with Set-cookie: id=…, filed under technion.ac.il next to the existing tz=…. On the next page request to Amazon the browser sends pref=eng; id=… back in the request, and Amazon's response may carry further cookies.

89 Cookie Format
A cookie in a response header:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; secure
Only the NAME field is required
A cookie in a request header:
Cookie: NAME1=VALUE1; NAME2=VALUE2; NAME3=VALUE3...
This header contains all matching stored cookies

90 Cookie Properties
NAME=VALUE: the content of the cookie; should not contain semicolons, commas or white space
expires=DATE: expiration date; the default is the session lifetime (until the browser is closed)
path=PATH: the paths for which the cookie is valid; matches every path that begins with PATH
secure: send only through secure channels (i.e., https)

91 Notes about Cookies
A response may contain multiple cookies
A cookie overrides previous cookies with the same path and name (in the same domain)
If no path is given, then it is assumed to be that of the requested URL

92 Notes about Cookies
The Cookie header of a request contains all mappings that match the requested URL
A server can delete a cookie by sending a new one with the same path and name, but with an expiry date in the past
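The cookie rules on slides 89 to 92 are small enough to implement, and doing so shows what the browser actually enforces. The following is an added Python example, not code from the lecture: a minimal browser-side cookie store that parses Set-Cookie, defaults the path to that of the requested URL, lets a later cookie override an earlier one with the same domain, path and name, deletes a cookie whose expiry is in the past, withholds secure cookies from plain http requests, and drops session cookies (those without expires) when the session ends. Hostnames, cookie names and the fixed "current time" are constructed for the demo.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# constructed "current time" so that expiry checks are deterministic
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def default_path(request_path):
    """No path attribute: take the path of the requested URL, i.e. everything
    up to and including its last '/'."""
    return request_path[: request_path.rfind("/") + 1] or "/"


class CookieJar:
    """A minimal browser-side cookie store implementing the slides' rules."""

    def __init__(self):
        self.store = {}   # (domain, path, name) -> {"value", "expires", "secure"}

    def receive(self, request_url, set_cookie, now=NOW):
        """Apply one Set-Cookie header from the response to request_url."""
        u = urlsplit(request_url)
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        cookie = {"value": value, "expires": None, "secure": False}   # expires None: session cookie
        path = default_path(u.path)
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "expires":
                cookie["expires"] = parsedate_to_datetime(val.strip())
            elif key == "path":
                path = val.strip()
            elif key == "secure":
                cookie["secure"] = True
        key = (u.hostname, path, name)
        if cookie["expires"] is not None and cookie["expires"] <= now:
            self.store.pop(key, None)      # expiry in the past: the server is deleting it
        else:
            self.store[key] = cookie       # same domain, path and name: overrides the old one

    def cookie_header(self, request_url, now=NOW):
        """Build the Cookie header for a request, or None if nothing matches."""
        u = urlsplit(request_url)
        matching = []
        for (domain, path, name), c in self.store.items():
            if domain != u.hostname or not u.path.startswith(path):
                continue
            if c["secure"] and u.scheme != "https":
                continue   # never sent in the clear
            if c["expires"] is not None and c["expires"] <= now:
                continue   # expired since it was stored
            matching.append(f"{name}={c['value']}")
        return "; ".join(sorted(matching)) or None   # sorted only to make the output stable

    def end_session(self):
        """Browser closed: session cookies are discarded, dated ones survive."""
        self.store = {k: c for k, c in self.store.items() if c["expires"] is not None}
```

Real browsers order the Cookie header by path length and apply further rules (domain attributes, HttpOnly, SameSite) that the slides do not cover; the model above sticks to the attributes on slide 89.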

93 Using Cookies for Session Management

94 HTTP is Stateless
HTTP is a stateless protocol: individual requests are treated independently
Without external support, one cannot tell whether an HTTP request is part of a continuing interaction between the client and the server
BUT some web applications have state!
Online stores that maintain a shopping cart
Portals that remember your name and preferences

95 HTTP Sessions
The solution: client and server transfer some unique data in the course of a session
A session captures the notion of a continuous interaction between a server and a client
End users should be oblivious to session management
Session management should be efficient: is it reasonable to send the whole shopping cart on every request to Amazon.com?

96 Session Supporting Servers
A server that supports sessions holds session-specific data in an internal data structure or database, for example the content of the shopping cart
On the first request, the server initializes the session data and sends the client a unique identifier for this data
During the session, the client attaches this identifier to every request to the server

97 Session Management Methods
How is the session key shared between the client and the server?
We will discuss sharing a key using cookies
Another way to send the key (without using cookies) is by URL rewriting; not discussed today

98 Session Cookies
In the response to the first request of a session, the server puts a cookie which contains a session identifier
When the client sends subsequent requests, it also sends the cookie
The client sends the cookie as long as the requests are within its session bound (e.g., the same browser process)
The server treats the cookie as a valid identifier as long as the requests are within its session bound (e.g., a short time period has passed since the last request)

99 Session Cookies
Session cookies are simply a special kind of cookie
The time boundary of session cookies is based on the session and not on an explicit date; this is the default expiration time
Actual session data is kept on the server (while the session cookie holds only an identifier of the session)

100–101 Example
Diagram: the browser requests the page buybook.html from the Amazon web server, and the response carries Set-cookie: cartid=3. The server keeps a session-id list with the session data: id=1, details=b56; id=2, details=b12, b90; id=3.

102 Session Duration
A session ends in either one of the following cases:
The server invalidates the session: required explicitly (e.g., a user logs out), or the session was inactive for a long time
The client stops cooperating: session cookies have expired, e.g., the browser runs in a new process

103 Questions How come when you use Moodle, you sometimes have to repeatedly enter your password, and sometimes it remembers you? How come Amazon always remembers you?

104 Are cookies safe?
Can they contain a virus?
Can they fill up your disk?
Can they contain secret information?
Problems: cookie theft, cookie poisoning, third-party cookies

105 Cookie Theft
Attacker listens on the line with a packet sniffer.
Solution?
Diagram: Server, Browser, and the Attacker on the line between them

106 Cookie Poisoning
Attacker sends the wrong value back to the server (instead of the actual cookie value)
Solution?
Diagram: Attacker, Server
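The defences the session slides hint at, and the answer to the "Solution?" on the poisoning slide, are easiest to see in code. The following added Python example (not the lecture's code) shows the server side of slides 96 to 102 and 106: session data such as the cart stays on the server, the cookie carries only a randomly generated identifier that cannot be guessed the way cartid=3 can, idle sessions time out and a logout invalidates explicitly; for a value that must live in the cookie itself (such as pref=eng), an HMAC is appended so that a poisoned value is rejected when it comes back. The server key, clock values and cart contents are constructed for the demo.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server side of session management: the cart lives here, and the
    cookie carries only an unguessable identifier for it."""

    def __init__(self, idle_timeout=600):
        self.sessions = {}   # session id -> {"data": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout   # seconds of inactivity before the session ends

    def create(self, now):
        # 32 random bytes from the OS: cannot be guessed or enumerated, unlike cartid=3
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"data": {"cart": []}, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Session data for a presented cookie value, or None if the id is
        unknown (including a forged one) or the session has been idle too long."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["data"]

    def invalidate(self, sid):
        """Explicit end of session, e.g. the user logs out."""
        self.sessions.pop(sid, None)


def sign_cookie_value(key, value):
    """For data that must be stored in the cookie itself, append an HMAC so
    that a modified value is detected when the browser sends it back."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_cookie_value(key, cookie_value):
    """Return the protected value, or None if the signature does not match."""
    value, sep, mac = cookie_value.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(now=0)                 # goes out as Set-Cookie: sid=<sid>
    store.lookup(sid, now=10)["cart"].append("b56")
    print(store.lookup(sid, now=20))          # {'cart': ['b56']}
    print(store.lookup("3", now=20))          # None: a guessed id finds nothing
    key = b"constructed-server-secret"        # in practice a long random key kept on the server
    print(verify_cookie_value(key, sign_cookie_value(key, "pref=eng")))
```

Signing stops tampering but not reading or replay: the signed value is still visible on the line, which is the cookie theft case, and the secure attribute (slide 90) is the answer to that one.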

107 Third Party Cookies
Can site A know that you have visited both site B and site C? (Would you mind if it did?)
Often happens if advertising banners are stored at a third-party site
Diagram on the blackboard

108 Questions About Cookies?

109 Security Management in Web Applications

110 We all know this page...

111 Would we want everyone to see what's behind this page?
Any ideas on how access can be restricted?

112 Problem
Want to restrict access to certain web pages
Must answer the following questions:
Which pages should be restricted?
Who should access restricted pages?
How should users be authenticated?
Should data be encrypted?
We consider authentication methods that ensure that the right people can access the pages

113 Authentication Methods: Strategies
Programmatic Security: the site designer programs the logic needed for restricting access; very flexible, requires a lot of coding
Declarative Security: "declare" who may access what, and use built-in HTTP mechanisms to control access (Basic or Digest access authentication scheme); not flexible, requires little coding
We will focus on Basic and Digest authentication

114 What must be declared?
Realms: A realm is a set of documents, along with a realm name. Sets of documents that should have the same access rights are declared within a single realm
Users/Passwords: For each realm, the sets of users and passwords that may access the realm are defined
The manner of defining the above is web-server specific

115 Underlying Idea
When a user requests a resource within a realm (i.e., a restricted resource), he must also send along his user name and password
If the user name and password are not sent, the web server requests these before returning the resource
The exact protocol differs depending on whether Basic or Digest authentication is used

116 Basic authentication protocol
(a) Query, client to server:
GET /cgi-bin/checkout?cart=17854 HTTP/1.1
(b) Challenge, server to client:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Shopping Cart"
(the browser shows a dialog titled "Shopping Cart" asking for Username and Password)
(c) Response, client to server:
GET /cgi-bin/checkout?cart=17854 HTTP/1.1
Authorization: Basic YnJpYW4tdG90dHk6T3ch
(d) Success, server to client:
HTTP/1.1 200 OK

117 HTTP Basic Mechanism
When the server gets a request to a protected resource, it checks whether that request has the HTTP header
Authorization: Basic username:password
If the name and password are accepted by the server (i.e., are those of a user that has the privilege to get the page), then the requested page is returned

118 HTTP Basic Mechanism
If the request does not have the authorization header, or the name and password are not accepted, then the server replies with a status code of 401 Unauthorized
The 401 response will have the header
WWW-Authenticate: Basic realm="realm-name"
That is, "in order to get this resource, you will have to authenticate using the basic method"; it tells the user to supply authentication for pages in realm-name
The browser will automatically open a dialog for the user to enter his username and password

119 Browser Cooperation
Throughout the session, the browser stores the username and password and automatically sends the authorization header in either one of the following cases:
The requested resource is under the directory of the originally authenticated resource
The browser received 401 from the web server and the WWW-Authenticate header has the same realm as the previous protected resource

120 Sending the User Name and Password
Under Basic authentication, the user name and password are sent as a pair username:password written in the Authorization header
The username:password pair is written in Base64. This is not encryption
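To see exactly what "Base64 is not encryption" means, here is an added Python example (not the lecture's code) that builds and parses the Authorization header and implements the server-side check of slides 117 and 118. Decoding the token from the slide 116 exchange, YnJpYW4tdG90dHk6T3ch, recovers the username and password in the clear, which is what anyone on the network path sees. The user table and realm are constructed for the demo; a real server would store password hashes rather than the passwords themselves.

```python
import base64
import hmac


def make_basic_header(username, password):
    """Authorization header value as the browser builds it after the dialog."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(header_value):
    """Recover (username, password) from an Authorization header value.
    Base64 is reversible by anyone who sees the header: it is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def check_request(headers, realm, users):
    """Server side: (status, response headers) for a request to a protected resource.
    users maps username -> password (constructed for the demo; store hashes in practice)."""
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is not None:
        username, password = creds
        expected = users.get(username)
        # constant-time comparison, so that a wrong password is not detectable by timing
        if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
            return 200, {}
    # no header, unknown user or wrong password: challenge for the realm
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


if __name__ == "__main__":
    print(parse_basic_header("Basic YnJpYW4tdG90dHk6T3ch"))   # the slide 116 token, decoded
```

The same function answers a missing header and a wrong password identically (401 with the realm), which is the behaviour slide 118 describes.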

121–124 Declarative Security: BASIC
Diagram: Realm A contains /a/A.html and /a/B.jsp; Realm B contains /b/C.css and /b/D.xml; E.xsl and F.xml belong to no realm.
GET E.xsl → OK + Content
GET /a/B.jsp → 401 + Basic realm="A"
GET /a/B.jsp + user:pass → OK + Content
GET /a/A.html + user:pass → OK + Content

125 Problems with Basic authentication
What problems are there with this type of authentication?
What type of attack can succeed with this scheme?

126 Digest Access Scheme
The most serious security flaw in the basic scheme is that the name and password are sent unencrypted, and hence everyone on the network path can read them
If an attacker snoops a request with basic authentication, she can access the whole protection space of the resource
The digest access authentication scheme solves many of the flaws of the basic scheme, such as the one above

127 Digest Operation
Like the basic scheme, the digest scheme requires that authentication data is sent with each request for a protected resource
However, passwords are not sent in clear text
The idea is to use a one-way hash, such as MD5
A one-way hash H is a mapping of strings that has the following properties:
It is "easy" to compute H(x), given the input x
It is "hard" to compute x, given the mapping H(x)

128 Digest Operation (cont)
In the digest scheme, instead of sending the password x in clear text, the client sends H(y), where y is the concatenation of the user name, the password, and some additional values (discussed later on)
A server that gets digested authentication data repeats the same digest computation and compares its output with the given H(y)
How come the server can compute H(y)?

129 Using Digests for password-obscured authentication
(a) Request, client to server over the Internet: "Please give me the internal sales forecast."
(b) Challenge, server to client: "You requested a secret financial document. Please tell me your username and password digests." The client asks the user for the username and password and computes digest("0w!") = A3F5
(c) Authorization, client to server: "Please give me the internal sales forecast. My username is "bri". My digested password is "A3F5"." The server computes digest("0w!") = A3F5 from its own copy of the password: this is a match!
(d) Success, server to client: "OK. The digest you sent me matches the digest of my internal password, so here is the document."

130 Message Digest #5 (MD5)
One popular digest function, MD5, converts any arbitrary sequence of bytes, of any length, into a 128-bit digest.
128 bits = 2^128, or about 1,000,000,000,000,000,000,000,000,000,000,000,000,000 = 10^39 possible distinct condensations.
Given the result of an MD5 function, do you think you can guess the argument?

131 MD5 digest examples
Input → MD5 digest
"Hi" → C1A5298F939E87E8F962A5EDFC206918
"bri:0w!" → BEAAA0E34EBDB072F8627C038AB211F8
"3.1415926535897" → 475B977E19ECEE70835BC6DF46F4F6DE
" " (this input was not preserved in the transcript) → C617C0C7D1D05F66F595E22A4B0EAAA5
"We hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are life, Liberty and the Pursuit of Happiness-That to secure these Rights, Governments are instituted among Men, deriving their just Powers from the Consent of the Governed, that whenever any Form of Government becomes destructive of these Ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its Foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Safety and Happiness." → 66C4EF58DA7CB956BD04233FBB64E0A4

132 Problems, so far What problems do you see with this authentication method so far? Does it really improve the BASIC method?

133 Digest: More Details
In order to avoid a "replay" attack, each time that the client requests a resource the server generates a new "nonce" value
Server sends the nonce value as a challenge to the client
Client computes MD5(user:password:nonce) and sends it to the server (actually, there are some more arguments too)
Server verifies correctness
Why does this prevent a replay attack?
Note: the server must keep track of nonces used in the past

134 Problems, so far
Can someone now impersonate the client?
Can someone discover the client's password?
Can someone impersonate the server?

135 Digest: Even More Details
In order to make sure that the server is not compromised, the client sends with his request a "client nonce value"
The server returns the resource, along with MD5(user:password:cnonce:resource-content)
Client verifies correctness

136 The Digest Authentication Handshake
(1) Server generates nonce
(2) Server sends realm, nonce, algorithms in WWW-Authenticate (challenge)
(3) Client chooses an algorithm from the set, generates the response digest [and a client-nonce]
(4) Client sends the response digest in Authorization (response) [with the chosen algorithm and the client-nonce]
(5) Server verifies the digest [and generates the rspauth digest and the next nonce]
(6) Server sends the next nonce in Authentication-Info (info) [with the client's rspauth digest]
(7) Client verifies the rspauth digest
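The handshake above, with the nonce of slide 133 and the client nonce and server proof of slide 135, is worked through below in an added Python example (not the lecture's code). It follows the RFC 2617 computation with qop=auth, which is the "some more arguments too" the slides allude to: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2), and the server's rspauth uses MD5(":uri") in place of HA2. The server stores only HA1 (never the password), remembers every nonce it issued together with the highest nonce count accepted, and so rejects a replayed Authorization header; the client checks rspauth, which a server without HA1 cannot produce. Realm, user and URI are constructed for the demo.

```python
import hashlib
import hmac
import secrets

REALM = "Shopping Cart"   # constructed realm name


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    def __init__(self, users):
        # HA1 = MD5(user:realm:password) is all the server keeps (RFC 2617 allows
        # storing exactly this), so the plaintext password never sits on the server.
        self.ha1 = {u: md5_hex(f"{u}:{REALM}:{p}") for u, p in users.items()}
        self.nonces = {}   # issued nonce -> highest nonce count (nc) accepted so far

    def challenge(self):
        """Steps (1)-(2): fresh nonce, sent with the realm in WWW-Authenticate."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": REALM, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, auth):
        """Step (5): check the response digest. On success return the
        Authentication-Info fields, whose rspauth proves the server knows HA1."""
        nonce = auth["nonce"]
        if nonce not in self.nonces:
            return None                      # a nonce we never issued
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[nonce]:
            return None                      # same nonce and count seen before: replay
        ha1 = self.ha1.get(auth["username"])
        if ha1 is None:
            return None
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, auth["response"]):
            return None
        self.nonces[nonce] = nc              # remember the count only after success
        ha2_resp = md5_hex(f":{auth['uri']}")   # the server's proof omits the method
        rspauth = md5_hex(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2_resp}")
        return {"rspauth": rspauth, "cnonce": auth["cnonce"], "nc": auth["nc"]}


class DigestClient:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def respond(self, challenge, method, uri, nc=1):
        """Steps (3)-(4): compute the response digest; the password never leaves."""
        cnonce = secrets.token_hex(8)
        ha1 = md5_hex(f"{self.username}:{challenge['realm']}:{self.password}")
        ha2 = md5_hex(f"{method}:{uri}")
        nc_hex = f"{nc:08x}"
        response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc_hex}:{cnonce}:auth:{ha2}")
        return {"username": self.username, "realm": challenge["realm"],
                "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
                "nc": nc_hex, "cnonce": cnonce, "response": response}

    def verify_server(self, auth, info):
        """Step (7): recompute rspauth; a server that lacks HA1 cannot forge it."""
        ha1 = md5_hex(f"{self.username}:{auth['realm']}:{self.password}")
        ha2_resp = md5_hex(f":{auth['uri']}")
        expected = md5_hex(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2_resp}")
        return hmac.compare_digest(expected, info["rspauth"])


if __name__ == "__main__":
    server = DigestServer({"bri": "0w!"})
    client = DigestClient("bri", "0w!")
    ch = server.challenge()
    auth = client.respond(ch, "GET", "/sales/forecast")
    info = server.verify("GET", auth)
    print("server accepted:", info is not None)
    print("client accepted server:", client.verify_server(auth, info))
    print("replay accepted:", server.verify("GET", auth) is not None)
```

Binding the digest to the method and URI means a captured header cannot even be reused for a different request with the same nonce. MD5 is what RFC 2617 specifies and what the slides use; RFC 7616 later added SHA-256 variants of the same scheme.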

137 Problems, so far
Can someone impersonate the client?
Can someone impersonate the server?
Can someone see the client's private data?

138 Reference
RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication", http://www.ietf.org/rfc/rfc2617.txt

139 SSL Connections
The SSL (Secure Socket Layer) protocol is used to manage the security of message transmission on the Internet
Data encryption and decryption is based on symmetric and asymmetric keys
The HTTPS (HTTP over SSL) protocol is actually the HTTP protocol above SSL transport

140 Summary
What have we seen?
DNS, TCP/IP
URLs
Dynamic Pages
Caching and Proxies
Cookies
Security Management

141 Homework Assignment
Describe the main differences between the protocols HTTP 1.0 and HTTP 1.1

