Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Server Design Week 12 Old Dominion University

Published byLeonard Beltz Modified over 5 years ago

Similar presentations

Presentation on theme: "Web Server Design Week 12 Old Dominion University"— Presentation transcript:

1 Web Server Design Week 12 Old Dominion University
Department of Computer Science CS 495/595 Spring 2007 Michael L. Nelson 3/26/07

2 Digest Authentication
Still based on the challenge / response mechanisms first employed in “Basic” authentication Same: status code 401 WWW-Authenticate response header Authorization request header New: Authentication-Info response header We will ignore the sections that deal with backward compatibility with RFC 2069

3 Response WWW-Authenticate: Digest (1) realm=”mln@www.cs.odu.edu",
(2) domain=“ (3) qop="auth,auth-int", (4) nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", (5) algorithm=“MD5”, (6) stale=“false”, (7) opaque="5ccc069c403ebaf9f0171e9517f40e41" similar to Basic’s notion of realm list of URIs for which this challenge applies (all URIs at the server if not listed) quality of protection: authentication, authentication with integrity opaque data stream issued by the server per 401 challenge (not per access!) the algorithm used to encode the secrets if “true”, then password is good, but previous nonce is old (retry w/ new nonce, don’t prompt user) opaque data stream issued by the server for a particular domain

4 Request Authorization: Digest username=“mln”,
(1) (2) uri=“ (3) qop=auth, (4) nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", (5) nc= , (6) opaque=”8ab38009c403ebaf9f0171e9517f40e41b”, (7) cnonce=“dcd98b7102dd2f0e8b11d0f600bfb0c093”, (8) response=“6629fae49393a c4ef1” specifies the realm specifies the URI in a particular domain quality of protection: authentication, authentication with integrity the nonce provided by the server in the 401 response (hex value) nonce count -- how many times this nonce has been used opaque data stream issued by the server for a particular domain client-generated nonce the request digest

5 Constructing the Request Digest
request digest = md5(md5(A1):nonce:ncount:cnonce:qop:md5(A2)) if algorithm == MD5, A1 = username:realm:password elsif algorithm == MD5-sess A1 = md5(username:realm:password):nonce:cnonce if qop == auth A2 = method:URI elsif qop == auth-int A2 = method:URI:md5(entity-body) sections in RFC 2617

6 Generating Nonce / Opaque Values
“nonce” suggestion from 3.2.1: base64(time-stamp md5(timestamp:ETag:private-key)) note whitespace! “opaque” discussed in 3.3, but no suggestions are given. this field can be used to encode server state information; esp. useful if after authentication, a 301/302 is generated. We’ll use: md5(URI:private-key)

7 Authentication-Info Response Header
(1) nextnonce=“1a28b7102dd2f0e8b11d0f600bfbdd441” (2) qop=auth, (3) rspauth="d3b07384d113edec49eaa6238ad5ff00", (4) nc= , (5) cnonce=“dcd98b7102dd2f0e8b11d0f600bfb0c093”, optional, allows 1 time nonce values (at expense of efficiency; cosider nonce count instead) quality of protection: authentication, authentication with integrity optional, supports mutual authentication (server knows client’s password) nonce count -- how many times this nonce has been used client-generated nonce

8 Constructing the Response Authorization
same as constructing the request digest that goes into the “Authorization” request header, except: if qop == auth A2 = :URI elsif qop == auth-int A2 = :URI:md5(entity-body) (same as before, but the method is not applicable. note leading colon!) section in RFC 2617

9 Request for A Digest Protected URI
% telnet 80 Trying Connected to xenon.cs.odu.edu. Escape character is '^]'. GET HTTP/1.1 User-Agent: CS 595-S06 A3 automated Checker Host: Connection: close HTTP/ Authorization Required Date: Mon, 02 Apr :53:51 GMT Server: Apache/2.2.0 WWW-Authenticate: Digest realm="Colonial Place", nonce="AAQtIY0devU=3479a198ba7118a980fb5f5376c74e4804bd82e2", algorithm=MD5, qop="auth" Content-Length: 471 Content-Type: text/html; charset=iso <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Authorization Required</title> </head><body> <h1>Authorization Required</h1> [deletia]

10 Re-Request With Authorization Header
% telnet 80 Trying Connected to xenon.cs.odu.edu. Escape character is '^]'. GET HTTP/1.1 Authorization: Digest username="mln", realm="Colonial Place", uri=" qop=auth, nonce="AAQtIY0devU=3479a198ba7118a980fb5f5376c74e4804bd82e2", nc= , cnonce="014a54548c61ba03827ef6a4dc2f7b4c", response="3e8c34e2cdfc291648ca8f48215c476a" Host: Connection: close HTTP/ OK Date: Mon, 02 Apr :53:51 GMT Server: Apache/2.2.0 Authentication-Info: rspauth="2c232e05f98e bc3ca6de00", cnonce="014a54548c61ba03827ef6a4dc2f7b4c", nc= , qop=auth Last-Modified: Sun, 07 Jan :04:10 GMT ETag: " a86e80" Accept-Ranges: bytes Content-Length: 18 Content-Type: text/plain Can you see this?

11 Client-Side Code Snippets
# parse nonce and opaque (if it exists) values from the server response $cnonce = md5_hex("go hokies"); $ncount = " "; $a1 = md5_hex("mln:Colonial Place:mln"); $a2 = md5_hex("GET:$baseURL" . "limited2/foo/bar.txt"); $response = md5_hex("$a1:$nonce:$ncount:$cnonce:auth:$a2"); # GET 200 $test[7]="\ GET $baseURL" . "limited2/foo/bar.txt HTTP/1.1 Authorization: Digest username=\"mln\", realm=\"Colonial Place\", uri=\"$baseURL"."limited2/foo/bar.txt\", qop=auth, nonce=\"$nonce\", nc=$ncount, cnonce=\"$cnonce\", response=\"$response\" Host: $host Connection: close "; note that values for nc & qop are not quoted

12 How… tango.cs.odu.edu:/home/mln % more public_html/teaching/cs595-s07/a4-test/limited2/.htaccess AuthType Digest AuthName "Colonial Place" AuthDigestProvider file AuthUserFile /home/mln/passwd-digest Require valid-user tango.cs.odu.edu:/home/mln % more ~/passwd-digest bda:Colonial Place:b8e13248f7bb c850d5c7da46 jbollen:Colonial Place:c5d7f97a6ac34b393ba2d252c7331d5a mln:Colonial Place:53bbb5135e0f39c1eb54804a66a95f08 vaona:Colonial Place:fbcc0f347e4ade65a337a4febc421c81 tango.cs.odu.edu:/home/mln % Apache % more ~/public_html/teaching/cs595-s07/a4-test/limited2/WeMustProtectThisHouse\! # # A4 password file authorization-type=Digest realm="Colonial Place" bda:Colonial Place:b8e13248f7bb c850d5c7da46 jbollen:Colonial Place:c5d7f97a6ac34b393ba2d252c7331d5a mln:Colonial Place:53bbb5135e0f39c1eb54804a66a95f08 vaona:Colonial Place:fbcc0f347e4ade65a337a4febc421c81 Our Server

Download ppt "Web Server Design Week 12 Old Dominion University"

Similar presentations

The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.

The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.
Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/10/10.

Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/10/10.
Web Server Design Week 8 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/3/10.

Web Server Design Week 8 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/3/10.
SIP Digest Access Authentication Rifaat Shekh-Yusef IETF 89, SIPCore WG, London March 6, 2014 1Rifaat Shekh-Yusef - SIP Digest Auth.

SIP Digest Access Authentication Rifaat Shekh-Yusef IETF 89, SIPCore WG, London March 6, Rifaat Shekh-Yusef - SIP Digest Auth.
Web Server Design Week 4 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/03/10.

Web Server Design Week 4 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/03/10.
Web Server Design Week 11 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/24/10.

Web Server Design Week 11 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/24/10.
Web Server Design Assignment #2: Conditionals & Persistence Due: 02/24/2010 Old Dominion University Department of Computer Science CS 495/595 Spring 2010.

Web Server Design Assignment #2: Conditionals & Persistence Due: 02/24/2010 Old Dominion University Department of Computer Science CS 495/595 Spring 2010.
Web Server Design Week 2 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 1/20/10.

Web Server Design Week 2 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 1/20/10.
Web Server Design Week 7 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/24/10.

Web Server Design Week 7 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/24/10.
Web Server Design Week 13 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 4/7/10.

Web Server Design Week 13 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 4/7/10.
Web Server Design Assignment #4: Authentication Due: 04/14/2010 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein.

Web Server Design Assignment #4: Authentication Due: 04/14/2010 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein.
Web Server Design Week 6 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/17/10.

Web Server Design Week 6 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 2/17/10.
Web Server Design Week 12 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/31/10.

Web Server Design Week 12 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/31/10.
Web Server Design Week 10 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/17/10.

Web Server Design Week 10 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/17/10.
Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2012 Michael L. Nelson 02/07/12.

Web Server Design Week 5 Old Dominion University Department of Computer Science CS 495/595 Spring 2012 Michael L. Nelson 02/07/12.
Web Programming Week 1 Old Dominion University Department of Computer Science CS 418/518 Fall 2007 Michael L. Nelson 8/27/07.

Web Programming Week 1 Old Dominion University Department of Computer Science CS 418/518 Fall 2007 Michael L. Nelson 8/27/07.
Web Server Design Week 13 Old Dominion University Department of Computer Science CS 495/595 Spring 2012 Michael L. Nelson 04/03/12.

Web Server Design Week 13 Old Dominion University Department of Computer Science CS 495/595 Spring 2012 Michael L. Nelson 04/03/12.
Web Server Design Week 15 Old Dominion University Department of Computer Science CS 495/595 Spring 2009 Michael L. Nelson 4/20/09.

Web Server Design Week 15 Old Dominion University Department of Computer Science CS 495/595 Spring 2009 Michael L. Nelson 4/20/09.
CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles.

CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles.
Web Server Design Week 3 Old Dominion University Department of Computer Science CS 495/595 Spring 2006 Michael L. Nelson 1/23/06.

Web Server Design Week 3 Old Dominion University Department of Computer Science CS 495/595 Spring 2006 Michael L. Nelson 1/23/06.

Similar presentations

Ads by Google