1. HTTP Authentication: Basic and Digest Access Authentication
rfc 2617

2. Contents Access Authentication Framework Basic Access Authentication
Digest Access Authentication
Specification of Digest Headers
WWW-Authentication header
Authorization Request header
Authentication-Info header
Digest Operation
Example

3. Access Authentication Framework
Simple challenge-response authentication mechanism
Token – user identifying information
Realm directive – protection space
Credential
Checksum & Hash

4. Basic Access Authentication
Authentication with user ID/password
Cleartext based mechanism
No encryption method

5. Digest Access Authentication목적
BAA의 취약점을 보완(flaws of cleartext)
No message encryption
Overall Operation
Simple challenge-response paradigm
Challenge use nonce value
Response contains a checksum
Default, MD5
Username, password, given nonce value, HTTP method, requested URI

6. Specification of Digest Headers
WWW-Authentication header
서버가 access-protected object에 대한 request를 수신했을 때, acceptable Authorization header가 없을 경우, 전송
Authorization Request header
서버로부터 WWW-Authentication header를 수신한 후 다시 access를 요청하기 위해 전송
Authentication-Info header
성공적인 인증을 위해 서버에 의해 전송되는 정보

7. WWW-Authentication header 1/3
challenge = "Digest" digest-challenge
digest-challenge = 1#( realm | [ domain ] | nonce |
[ opaque ] |[ stale ] | [ algorithm ] |
[ qop-options ] | [auth-param] )
domain = "domain" "=" <"> URI ( 1*SP URI ) <">
URI = absoluteURI | abs_path
nonce = "nonce" "=" nonce-value
nonce-value = quoted-string
opaque = "opaque" "=" quoted-string
stale = "stale" "=" ( "true" | "false" )
algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" |
token )
qop-options = "qop" "=" <"> 1#qop-value <">
qop-value = "auth" | "auth-int" | token

8. WWW-Authentication header 2/3
Realm
인증될 사용자의 name, password
Nonce
Server-specified data string
Uniquely generated at 401 response is made
Base64 or hexadecimal data recommended
Implementation dependent
Opaque to client
Opaque
서버에서 생성된 값
클라이언트의 Authorization header에 그대로 포함되어 돌아옴
Stale
Previous request의 nonce값이 잘못되어 있음을 나타냄
TRUE – nonce값이 잘못되었을 경우 (username/password는 정상이라 판단)
FALSE, TRUE와 다른 값, stale directive가 없는 경우 – username/password가 비정상

9. WWW-Authentication header 3/3
Algorithm
Digest와 checksum에 쓰인 알고리즘
Default, MD5
KD(secret, data)
Data를 secret을 이용해 digest한 문장
H(data)
Data에 checksum 알고리즘을 적용해 얻은 문장
Example (MD5)
H(data) = MD5(data)
KD(secret, data) = H(concat(secret, “:”, data))
Qop-options
Option 필드(back compatibility)
Quoted string
Quality of protection
Example
“Auth” – authentication
“Auth-int” – authentication with integrity protection
Auth-param
For extension

10. Authorization Request header 1/2
credentials = "Digest" digest-response
digest-response = 1#( username | realm | nonce | digest-uri
| response | [ algorithm ] | [cnonce] |
[opaque] | [message-qop] |
[nonce-count] | [auth-param] )
username = "username" "=" username-value
username-value = quoted-string
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1
message-qop = "qop" "=" qop-value
cnonce = "cnonce" "=" cnonce-value
cnonce-value = nonce-value
nonce-count = "nc" "=" nc-value
nc-value = 8LHEX
response = "response" "=" request-digest
request-digest = <"> 32LHEX <">
LHEX = "0" | "1" | "2" | "3" |
"4" | "5" | "6" | "7" |
"8" | "9" | "a" | "b" |
"c" | "d" | "e" | "f"

11. Authorization Request header 2/2
Opaque/algorithm
WWW-Authentication header의 값
Response
32 hex digits의 계산된 결과
사용자가 password를 알고 있음을 증명
Username
Realm에서의 username
Qop
Quality of protection
Optional field (backward compatibility)
Request-digest에 영향
WWW-Authentication header에 명시되었을 경우, 반드시 포함
Cnonce
WWW-Authentication에 qop가 있는지에 따라 포함여부 결정
Plaintext attack을 방지하기 위한 목적
Nonce-count
동일 nonce를 이용한 request의 가능한 회수를 지정
Replay attack을 방지하기 위한 목적
Auth-param
For extension
Request-digest
rfc 참조

12. Authentication-Info header
AuthenticationInfo = "Authentication-Info" ":" auth-info
auth-info = 1#(nextnonce | [ message-qop ]
| [ response-auth ] | [ cnonce ]
| [nonce-count] )
nextnonce = "nextnonce" "=" nonce-value
response-auth = "rspauth" "=" response-digest
response-digest = <"> *LHEX <">
Nextnonce
다음 challenge 시 이용하거나 또는 nonce를 변경하기 위한 필드
명시된 경우, 다음 request 시 Authorization header를 생성할 때 이용
Message-qop
Quality of protection
명시된 경우, 반드시 필요함

13. Digest Operation
Authorization Request Header로부터 Username에 해당하는 password를 이용해 클라이언트와 동일한 알고리즘을 적용하여 얻은 결과를 Request-digest 값과 비교
H(A1)을 알고 있으면 cleartext password를 몰라도 가능
H(A1) = H(unq(username-value) “:” unq(realm-value) “:” password)
Example
Username=“Mufasa”
Password=“Circle Of Life”
Of Life)
Session
WWW-Authentication challenge를 수신하는 시간 간격 동안 유지

14. Example Environmental parameters Operation
URI-
Username – “Mafasa”
Password – “Circle Of Life”
Operation
1. Client request
2. No Authorization header is sent, server responds with
3. Client responds with a new request, including Authorization header
2. WWW-Authentication Header
HTTP/ Unauthorized
WWW-Authenticate: Digest
qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
3. Authorization Request Header
Authorization: Digest username="Mufasa",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html",
qop=auth,
nc= ,
cnonce="0a4f113b",
response="6629fae49393a c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"