Published by Hillary Boyd. Modified over 9 years ago.
1. HTTP Authentication: Basic and Digest Access Authentication
RFC 2617
2. Contents
- Access Authentication Framework
- Basic Access Authentication
- Digest Access Authentication
- Specification of Digest Headers
  - WWW-Authenticate header
  - Authorization Request header
  - Authentication-Info header
- Digest Operation
- Example
3. Access Authentication Framework
- Simple challenge-response authentication mechanism
- Token: user-identifying information
- Realm directive: protection space
- Credentials
- Checksum and hash
4. Basic Access Authentication
- Authentication with user ID and password
- Cleartext-based mechanism
- No encryption method
5. Digest Access Authentication
- Purpose: remedy the weakness of Basic Access Authentication (the flaws of cleartext)
- No message encryption
- Overall operation
  - Simple challenge-response paradigm
  - The challenge uses a nonce value
  - The response contains a checksum (by default, MD5) of the username, password, given nonce value, HTTP method, and requested URI
6. Specification of Digest Headers
- WWW-Authenticate header: sent by the server when it receives a request for an access-protected object that carries no acceptable Authorization header
- Authorization Request header: sent by the client to request access again after receiving the WWW-Authenticate header from the server
- Authentication-Info header: information sent by the server after successful authentication
7. WWW-Authenticate header 1/3
  challenge        = "Digest" digest-challenge
  digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] | [ stale ] | [ algorithm ] | [ qop-options ] | [auth-param] )
  domain           = "domain" "=" <"> URI ( 1*SP URI ) <">
  URI              = absoluteURI | abs_path
  nonce            = "nonce" "=" nonce-value
  nonce-value      = quoted-string
  opaque           = "opaque" "=" quoted-string
  stale            = "stale" "=" ( "true" | "false" )
  algorithm        = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
  qop-options      = "qop" "=" <"> 1#qop-value <">
  qop-value        = "auth" | "auth-int" | token
8. WWW-Authenticate header 2/3
- Realm: tells the user which user name and password are to be used for authentication
- Nonce: server-specified data string
  - Uniquely generated each time a 401 response is made
  - Base64 or hexadecimal data recommended
  - Implementation dependent
  - Opaque to the client
- Opaque: a value generated by the server; the client returns it unchanged in its Authorization header
- Stale: indicates that the nonce value of the previous request was invalid
  - TRUE: the nonce value was invalid (the username/password are judged to be correct)
  - FALSE, any value other than TRUE, or no stale directive: the username/password are invalid
9. WWW-Authenticate header 3/3
- Algorithm: the algorithm used for the digest and the checksum; default, MD5
  - KD(secret, data): the string obtained by digesting data with the secret
  - H(data): the string obtained by applying the checksum algorithm to data
  - Example (MD5): H(data) = MD5(data); KD(secret, data) = H(concat(secret, ":", data))
- Qop-options: optional field (backward compatibility); quoted string; quality of protection
  - Example: "auth" - authentication; "auth-int" - authentication with integrity protection
- Auth-param: for extension
10. Authorization Request header 1/2
  credentials      = "Digest" digest-response
  digest-response  = 1#( username | realm | nonce | digest-uri | response | [ algorithm ] | [cnonce] | [opaque] | [message-qop] | [nonce-count] | [auth-param] )
  username         = "username" "=" username-value
  username-value   = quoted-string
  digest-uri       = "uri" "=" digest-uri-value
  digest-uri-value = request-uri   ; As specified by HTTP/1.1
  message-qop      = "qop" "=" qop-value
  cnonce           = "cnonce" "=" cnonce-value
  cnonce-value     = nonce-value
  nonce-count      = "nc" "=" nc-value
  nc-value         = 8LHEX
  response         = "response" "=" request-digest
  request-digest   = <"> 32LHEX <">
  LHEX             = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"
11. Authorization Request header 2/2
- Opaque/algorithm: the values from the WWW-Authenticate header
- Response: the computed result, 32 hex digits; proves that the user knows the password
- Username: the user's name in the realm
- Qop: quality of protection
  - Optional field (backward compatibility)
  - Affects the request-digest
  - Must be included if it was specified in the WWW-Authenticate header
- Cnonce: included or not depending on whether qop is present in the WWW-Authenticate header; intended to prevent plaintext attacks
- Nonce-count: specifies the number of requests the client has sent with the same nonce; intended to prevent replay attacks
- Auth-param: for extension
- Request-digest: see the RFC
12. Authentication-Info header
  AuthenticationInfo = "Authentication-Info" ":" auth-info
  auth-info          = 1#( nextnonce | [ message-qop ] | [ response-auth ] | [ cnonce ] | [nonce-count] )
  nextnonce          = "nextnonce" "=" nonce-value
  response-auth      = "rspauth" "=" response-digest
  response-digest    = <"> *LHEX <">
- Nextnonce: a field for the nonce to be used in the next challenge, or for changing the nonce; if specified, it is used when building the Authorization header of the next request
- Message-qop: quality of protection; if specified, it is required
13. Digest Operation
- The server takes the username from the Authorization Request header, uses the corresponding password to apply the same algorithm as the client, and compares the result with the request-digest value
- If H(A1) is known, this is possible without knowing the cleartext password
  H(A1) = H(unq(username-value) ":" unq(realm-value) ":" password)
- Example: Username = "Mufasa", Password = "Circle Of Life"
- Session: maintained for the interval between receipt of WWW-Authenticate challenges
14. Example
- Environmental parameters
  - URI -
  - Username - "Mufasa"
  - Password - "Circle Of Life"
- Operation
  1. Client request
  2. No Authorization header is sent, so the server responds with a WWW-Authenticate header
  3. Client responds with a new request, including the Authorization header
- 2. WWW-Authenticate header
  HTTP/ Unauthorized
  WWW-Authenticate: Digest qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
- 3. Authorization Request header
  Authorization: Digest username="Mufasa", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc= , cnonce="0a4f113b", response="6629fae49393a c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"
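Added example, not code from the slides: a small Python client and server that put the header grammar (slides 7, 10 and 12), the H/KD definitions (slide 9) and the Digest Operation slide together. The client parses the WWW-Authenticate challenge and builds the Authorization header; the server verifies the request-digest using only the stored H(A1) and rejects a reused nonce-count as a replay. The realm "testrealm@host.com", nc=00000001 and the full 32-digit response value are taken from the RFC 2617 section 3.5 example, which the slide reproduces in truncated form; the DigestServer class, the function names and the demo flow are my own.

```python
"""Client and server sides of RFC 2617 Digest Access Authentication."""
import hashlib
import hmac
import re

# One name=value pair of a Digest header. Values are either quoted strings (which
# may contain commas, e.g. qop="auth,auth-int") or bare tokens (qop=auth, nc=00000001).
_PARAM_RE = re.compile(r'([a-zA-Z][a-zA-Z0-9_-]*)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(value):
    """Parse 'Digest k="v", k2=v2, ...' (challenge or credentials) into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def H(data):
    """H(data) = MD5(data), the default algorithm on slide 9."""
    return hashlib.md5(data.encode()).hexdigest()


def KD(secret, data):
    """KD(secret, data) = H(concat(secret, ":", data))."""
    return H(secret + ":" + data)


def ha1(username, realm, password):
    """H(A1) = H(username ":" realm ":" password); all the server needs to store."""
    return H(f"{username}:{realm}:{password}")


def request_digest(h_a1, method, uri, nonce, nc=None, cnonce=None, qop=None, body=b""):
    """request-digest per RFC 2617 3.2.2.1; qop=None gives the RFC 2069 compatibility form."""
    if qop == "auth-int":  # integrity protection also covers the entity body
        h_a2 = H(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        h_a2 = H(f"{method}:{uri}")
    if qop:
        return KD(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")
    return KD(h_a1, f"{nonce}:{h_a2}")


def build_authorization(challenge, username, password, method, uri, nc, cnonce):
    """Client side: answer a WWW-Authenticate challenge with an Authorization header value."""
    c = parse_digest_header(challenge)
    offered = [q.strip() for q in c.get("qop", "").split(",") if q.strip()]
    qop = "auth" if "auth" in offered else (offered[0] if offered else None)
    resp = request_digest(ha1(username, c["realm"], password), method, uri, c["nonce"], nc, cnonce, qop)
    fields = [f'username="{username}"', f'realm="{c["realm"]}"', f'nonce="{c["nonce"]}"', f'uri="{uri}"']
    if qop:
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    fields.append(f'response="{resp}"')
    if "opaque" in c:
        fields.append(f'opaque="{c["opaque"]}"')  # echoed back unchanged (slide 8)
    return "Digest " + ", ".join(fields)


class DigestServer:
    """Server side (hypothetical helper): stores H(A1) only, checks digest and nonce-count."""

    def __init__(self, realm):
        self.realm = realm
        self.users = {}    # username -> H(A1)
        self.nonces = {}   # issued nonce -> highest nc accepted so far

    def add_user(self, username, password):
        self.users[username] = ha1(username, self.realm, password)

    def issue_nonce(self, nonce):
        self.nonces[nonce] = 0

    def verify(self, authorization, method, body=b""):
        a = parse_digest_header(authorization)
        h_a1 = self.users.get(a.get("username"))
        if h_a1 is None or a.get("realm") != self.realm or a.get("nonce") not in self.nonces:
            return False
        qop, nc = a.get("qop"), a.get("nc")
        # nc must strictly increase per nonce; a repeated or lower count is a replay (slide 11)
        if qop and (nc is None or int(nc, 16) <= self.nonces[a["nonce"]]):
            return False
        expected = request_digest(h_a1, method, a["uri"], a["nonce"], nc, a.get("cnonce"), qop, body)
        if not hmac.compare_digest(expected, a.get("response", "")):
            return False
        if qop:
            self.nonces[a["nonce"]] = int(nc, 16)
        return True


# Constructed demo with the RFC 2617 section 3.5 values (realm, nc and the full
# response come from the RFC; the slide shows them truncated).
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def demo():
    server = DigestServer("testrealm@host.com")
    server.add_user("Mufasa", "Circle Of Life")
    server.issue_nonce("dcd98b7102dd2f0e8b11d0f600bfb0c093")
    hdr = build_authorization(CHALLENGE, "Mufasa", "Circle Of Life", "GET", "/dir/index.html", "00000001", "0a4f113b")
    first = server.verify(hdr, "GET")     # True: correct password, fresh nc
    replay = server.verify(hdr, "GET")    # False: same nc presented again
    wrong = build_authorization(CHALLENGE, "Mufasa", "wrong", "GET", "/dir/index.html", "00000002", "0a4f113b")
    return hdr, first, replay, server.verify(wrong, "GET")


if __name__ == "__main__":
    print(demo())
```

Running it prints the Authorization header with response="6629fae49393a05397450978507c4ef1" followed by True, False, False: the first request is accepted, the replayed header is refused on its nonce-count, and the wrong password fails the digest comparison even though its nc is fresh. Only auth/auth-int with MD5 is covered; MD5-sess would change how H(A1) is derived.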