Presentation on theme: "Basic Authentication" by Herng-Yow Chen. Presentation transcript:

1 Basic Authentication
Herng-Yow Chen

2 Outline
Explains HTTP authentication. Delves into the most common form of HTTP authentication, basic authentication. The next lecture explains a more powerful technique called digest authentication.

3 Authentication
Authentication means showing some proof of your identity, that is, some proof that you are who you claim to be. HTTP provides a native challenge/response framework to make it easy to authenticate users.

4 Simplified challenge/response authentication
The four exchanges between client and server over the Internet:
Request (client to server): "Please give me the internal sales forecast."
Challenge (server to client): "You requested a secret financial document. Please tell me your username and password." (The client then asks the user for the password.)
Authorization (client to server): "Please give me the internal sales forecast. Here is my username and password: ******"
Success (server to client): "OK. You have access rights. Here is the document."

5 Authentication Protocols and Headers
Four phases of authentication:
Phase         | Header                | Method/Status
Request       | (none)                | GET
Challenge     | WWW-Authenticate      | 401 Unauthorized
Authorization | Authorization         | GET
Success       | Authentication-Info * | 200 OK
If the secret credentials don't match, the server can challenge the client again or generate an error.

6 Basic authentication example
(a) client to server:
GET /family/jeff.jpg HTTP/1.0
(b) server to client:
HTTP/1.0 401 Authorization required
WWW-Authenticate: Basic realm="Family"
(c) client to server:
GET /family/jeff.jpg HTTP/1.0
Authorization: Basic Ydre3lkL56H7gdffvh
(d) server to client:
HTTP/1.0 200 OK
Content-type: image/jpeg
...

7 Security realms in a web server
Document tree of the server, with two realms:
/
  index.html
  family/                  (Family realm)
    jeff.jpg
    brian.jpg
  corporate/
    financials/            (Corporate financials realm)
      sales-forecast.xls
    press/
      pr1.html
      pr2.html

8 Basic authentication headers
Challenge (server to client):
WWW-Authenticate: Basic realm=quoted-realm
Response (client to server):
Authorization: Basic base64-username-and-password

9 Base-64 Username/Password Encoding
(a) Prompt for username and password: username "brian-totty", password "Ow!"
(b) Pack username and password with a colon: brian-totty:Ow!
(c) Base-64 encode: BASE64ENC(brian-totty:Ow!) = YnJpYW4tdG90dHk6T3ch
(d) Send the authorization (client to server):
GET /family/jeff.jpg HTTP/1.0
Authorization: Basic YnJpYW4tdG90dHk6T3ch

10 Base-64 Encoding
Takes a sequence of 8-bit bytes and segments the bit stream into 6-bit chunks. The Base-64 alphabet has 64 characters: A-Z, a-z, 0-9, +, /. The 65th character, =, is used for padding.
http://www.freesoft.org/CIE/RFC/2065/56.htm
http://tw2.php.net/base64_encode
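As an added example (not part of the original slides), the following Python code implements the procedure of slides 9 and 10 by hand: it regroups the 8-bit byte stream into 6-bit chunks against the 64-character alphabet, pads with "=", packs the username and password with a colon, and builds the Authorization header value. It also decodes, which is the point of slide 13: the transformation is reversible without any key. The credential values are the slide's own; the function names are this example's.

```python
import base64  # stdlib, used only to cross-check the hand-written encoder

# The Base-64 alphabet from slide 10: A-Z, a-z, 0-9, '+', '/'.
# '=' is the 65th symbol and is used only for padding.
B64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
B64_REVERSE = {c: i for i, c in enumerate(B64_ALPHABET)}


def base64_encode(data: bytes) -> str:
    """Regroup the 8-bit stream into 6-bit chunks: 3 bytes (24 bits) -> 4 symbols."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)                       # 0, 1 or 2 bytes short in the last group
        bits = int.from_bytes(chunk + b"\x00" * missing, "big")  # 24-bit integer
        # Take the four 6-bit values from the most significant end downwards.
        syms = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # Each missing input byte turns one trailing symbol into '=' padding.
        if missing:
            syms[4 - missing:] = "=" * missing
        out.append("".join(syms))
    return "".join(out)


def base64_decode(text: str) -> bytes:
    """Reverse the encoding. No secret is involved, so anyone holding the header can do this."""
    stripped = text.rstrip("=")
    padding = len(text) - len(stripped)
    if len(text) % 4 or padding > 2 or len(stripped) % 4 == 1:
        raise ValueError("not valid base-64")
    if any(c not in B64_REVERSE for c in stripped):
        raise ValueError("character outside the base-64 alphabet")
    out = bytearray()
    for i in range(0, len(stripped), 4):
        group = stripped[i:i + 4]
        bits = 0
        for c in group:
            bits = (bits << 6) | B64_REVERSE[c]
        k = len(group)                 # 2, 3 or 4 symbols -> 1, 2 or 3 bytes
        bits <<= 6 * (4 - k)           # left-align to 24 bits
        out += bits.to_bytes(3, "big")[: k - 1]
    return bytes(out)


def basic_credentials(username: str, password: str) -> str:
    """Slide 9 steps (b) and (c): pack 'user:password', then base-64 encode it.

    RFC 2617 forbids a colon in the user-id, because the first colon is the separator.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return base64_encode(f"{username}:{password}".encode("utf-8"))


def authorization_header(username: str, password: str) -> str:
    """Slide 9 step (d): the full request-header line the client sends."""
    return "Authorization: Basic " + basic_credentials(username, password)


def recover_credentials(header_value: str):
    """What slide 13 warns about: decoding 'Basic <token>' back to (username, password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64_decode(token.strip()).decode("utf-8").partition(":")
    return user, pw


if __name__ == "__main__":
    # Slide 9 values: username brian-totty, password Ow!
    line = authorization_header("brian-totty", "Ow!")
    print(line)                                         # Authorization: Basic YnJpYW4tdG90dHk6T3ch
    print(recover_credentials(line.split(": ", 1)[1]))  # ('brian-totty', 'Ow!')
    # Cross-check the hand-written encoder against the standard library.
    for sample in (b"", b"O", b"Ow", b"Ow!", b"brian-totty:Ow!"):
        assert base64_encode(sample) == base64.b64encode(sample).decode()
        assert base64_decode(base64_encode(sample)) == sample
```

The decoder validates length, padding and alphabet before use, which is the check a server needs anyway; the last function shows why transport protection (TLS) is what keeps the password private, not the encoding.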

11 Proxy authentication
Authentication can also be done by intermediary proxy servers. Some organizations use proxy servers to authenticate users before letting them access servers, LANs, and wireless networks. Proxy servers can be a convenient way to provide unified access control across an organization's resources, because access policies can be centrally administered on the proxy server. The first step in this process is to establish the user's identity via proxy authentication.

12 Web server versus proxy authentication
                              | Web server          | Proxy server
Unauthorized status code      | 401                 | 407
Challenge header              | WWW-Authenticate    | Proxy-Authenticate
Credentials header            | Authorization       | Proxy-Authorization
Info header                   | Authentication-Info | Proxy-Authentication-Info
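An added example, not from the slides, showing the server side of the table above in Python: the same handler issues a 401 with WWW-Authenticate when acting as an origin server and a 407 with Proxy-Authenticate when acting as a proxy, reads the matching credentials header, rejects malformed tokens before trusting them, and compares the password in constant time. The credential store and request headers are constructed for the example; the function names are this example's.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for the example only (slide 9's user).
# A real server would keep salted password hashes, not plaintext.
USERS: Dict[str, str] = {"brian-totty": "Ow!"}


def challenge(realm: str, proxy: bool = False) -> Tuple[int, Dict[str, str]]:
    """Phase 2 of slide 5: 401 + WWW-Authenticate (origin) or 407 + Proxy-Authenticate (proxy)."""
    if proxy:
        return 407, {"Proxy-Authenticate": f'Basic realm="{realm}"'}
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def parse_basic(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64>' into (username, password); None when absent or malformed."""
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)   # reject junk before use
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # The first colon separates user from password; the password itself may contain colons.
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password


def authorize(request_headers: Dict[str, str], realm: str,
              proxy: bool = False) -> Tuple[int, Dict[str, str]]:
    """Decide between the challenge and a 200, using the header pair from slide 12."""
    header_name = "Proxy-Authorization" if proxy else "Authorization"
    creds = parse_basic(request_headers.get(header_name))
    if creds is None:
        return challenge(realm, proxy)
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison so the response time does not leak how much of the
    # password matched; unknown users fall through to the same challenge.
    ok = expected is not None and hmac.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8"))
    if not ok:
        return challenge(realm, proxy)
    return 200, {}


if __name__ == "__main__":
    # Constructed requests: no credentials, then slide 9's credentials, at an origin server and a proxy.
    print(authorize({}, "Family"))                       # (401, {'WWW-Authenticate': 'Basic realm="Family"'})
    print(authorize({}, "Family", proxy=True))           # (407, {'Proxy-Authenticate': 'Basic realm="Family"'})
    good = {"Authorization": "Basic YnJpYW4tdG90dHk6T3ch"}
    print(authorize(good, "Family"))                     # (200, {})
    print(authorize(good, "Family", proxy=True))         # (407, ...) the proxy reads Proxy-Authorization, not Authorization
```

The proxy case shows why the two header pairs are distinct: credentials meant for an origin server are not honoured by a proxy, and vice versa, so a client must answer a 407 with Proxy-Authorization.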

13 The security flaws of basic authentication
Base-64 encoding only obscures the username and password; it does not encrypt them in any secure form.

14 For More Information
http://www.ietf.org/rfc/rfc2617.txt "HTTP Authentication: Basic and Digest Access Authentication"
http://www.ietf.org/rfc/rfc2616.txt "Hypertext Transfer Protocol -- HTTP/1.1"
