HTTP Basic Authentication

Source: Internet
Author: User
Tags: http, authentication


As we all know, the Web lets people easily access information distributed in every corner of the world. Convenience alone, however, is not enough: not all information is suitable for public access on the Internet. We need to ensure that only specific people can see our sensitive information and perform specific operations.

The server needs some way to learn the identity of the user making the request. Once it knows who the user is, it can decide which transactions and resources that user may access. Authentication is how the client proves who it is; usually a user name and password are presented for this purpose. HTTP provides some native tools for this. Today, let's take a look at Basic Authentication.

HTTP Challenge/Response Authentication Framework

HTTP provides a native challenge/response framework that simplifies the authentication process for users. The HTTP authentication model works as follows.

When a Web server receives an HTTP request message, it does not directly respond with the requested resource. Instead, it responds with an "authentication challenge" that asks the user to provide some secret information to prove their identity. When the client issues the request again, it must attach its credentials (user name and password). If the credentials do not match, the server can challenge the client again or return an error message. If they match, the requested resource is returned.


Authentication Protocols and Headers
  1. HTTP provides customizable control headers and an extensible framework for different authentication protocols.
  2. HTTP defines two authentication protocols: Basic Authentication and Digest Authentication.


Basic Authentication flow

  1. The client requests a resource.
  2. The server challenges the user with a 401 Unauthorized response and describes the authentication methods that can be used in the WWW-Authenticate header.
  3. The client resends the request and attaches the user name, password and other authentication parameters in the Authorization header.
  4. After authorization succeeds, the server returns a normal status code (for example, 200 OK). For more advanced algorithms, additional information may be appended in the Authentication-Info header.


HTTP Basic Authentication joins the user name and password with a colon and encodes the pair with base-64. The specific process is shown in the figure.
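The four-step exchange above, as an added example that is not part of the original post: both sides are simulated in Python with a constructed user store (USERS, REALM and all function names are assumptions for the demo), and decode_basic_header shows that the encoding is reversible by anyone holding the header.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed user store and realm for the demo (not from the original post).
USERS = {"alice": "s3cret"}
REALM = "demo"


def build_basic_header(username: str, password: str) -> str:
    """Client side (step 3): 'Basic ' + base64('user:pass')."""
    if ":" in username:
        raise ValueError("a user name must not contain ':'")  # it would split the pair wrongly
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Reverse of build_basic_header; None for anything that is not well-formed Basic.
    Anyone holding the header can do this: base-64 is encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, pwd = raw.partition(":")
    return (user, pwd) if sep else None


def handle_request(headers: dict) -> Tuple[int, dict, str]:
    """Server side (steps 2 and 4): challenge without credentials, 200 when they match."""
    creds = decode_basic_header(headers.get("Authorization", ""))
    if creds is not None:
        user, pwd = creds
        expected = USERS.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), pwd.encode()):
            return 200, {}, f"hello {user}"
    challenge = 'Basic realm="%s", charset="UTF-8"' % REALM
    return 401, {"WWW-Authenticate": challenge}, ""


def exchange(username: str, password: str) -> Tuple[int, int, str]:
    """Run the whole flow: unauthenticated request, challenge, authenticated retry."""
    status1, hdrs, _ = handle_request({})                       # step 1 -> step 2
    assert hdrs["WWW-Authenticate"].startswith("Basic ")        # client picks the offered scheme
    auth = build_basic_header(username, password)               # step 3
    status2, _, body = handle_request({"Authorization": auth})  # step 4
    return status1, status2, body
```

The "Aladdin" / "open sesame" pair is the example from RFC 7617 and encodes to the header value the test checks.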


Security defects of Basic Authentication
  1. In Basic Authentication the user name and password are sent over the network. Base-64 encoding may hide them from a casual glance, but it is trivially reversed by decoding.
  2. Even if the password were encoded in a way that is harder to decode, a third party can still capture the encoded user name and password and obtain access to the server by replaying them.
  3. Many users use the same user name and password for different services. Because Basic Authentication sends the user name and password directly, this threatens more important services (such as online banking sites).
  4. Basic Authentication offers no protection against proxies and man-in-the-middle nodes: they can leave the Authentication header untouched but modify the rest of the message, which seriously changes the nature of the transaction.
  5. Fake servers can easily spoof Basic Authentication. When a user actually connects to a malicious server or gateway, the user may believe they are connected to a legitimate host protected by Basic Authentication, and the attacker can simply ask the user to enter the password.
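A server-side check that takes defects 1 and 2 into account, as an added example rather than anything from the original post: it decodes the header exactly as an eavesdropper would, refuses Basic credentials unless the request arrived over TLS (the only thing that keeps a static, decodable header away from a third party), and compares against a salted PBKDF2 hash in constant time. STORE, DUMMY, the is_tls flag and the function names are all constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

ITERATIONS = 100_000


def make_record(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 hash, never the password itself."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed store for the demo; fixed salts only so the example is deterministic.
STORE = {"alice": make_record("s3cret", b"\x00" * 16)}
DUMMY = make_record("", b"\x01" * 16)  # hashed for unknown users so timing does not reveal them


def verify_basic(auth_header: Optional[str], is_tls: bool) -> Tuple[int, str]:
    """Server-side check of a Basic Authorization header. Returns (status, reason).
    is_tls is assumed to come from the connection layer (a constructed flag here)."""
    # Defects 1 and 2: the header is static and trivially decodable, so only the
    # transport protects it from capture and replay. Refuse it in the clear.
    if not is_tls:
        return 401, "basic credentials only accepted over TLS"
    if not auth_header or not auth_header.lower().startswith("basic "):
        return 401, "missing credentials"
    try:
        # Exactly what an eavesdropper does with a captured header: base-64 decode it.
        raw = base64.b64decode(auth_header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 400, "malformed credentials"
    user, sep, pwd = raw.partition(":")
    if not sep:
        return 400, "malformed credentials"
    salt, expected = STORE.get(user, DUMMY)
    actual = hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison; the user-existence check is applied after hashing.
    if user in STORE and hmac.compare_digest(expected, actual):
        return 200, "ok"
    return 401, "bad credentials"
```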
Basic Authentication instance (IIS)

1. By default, anonymous authentication is enabled for sites in IIS, so they can be accessed directly.


2. Disable Anonymous Authentication and enable Basic Authentication; direct access now prompts for a user name and password.

3. Simulate the Basic Authentication process on the client.

The console simulation code is as follows:

using System;
using System.IO;
using System.Net;
using System.Text;

namespace ConsoleApplication_HttpSec
{
    class Program
    {
        static void Main(string[] args)
        {
            // First request without credentials: a site with Basic Authentication answers 401.
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(new Uri("http://localhost"));
            request.Method = "GET";
            WebResponse response = null;
            try
            {
                response = request.GetResponse();
            }
            catch (WebException ex)
            {
                Console.WriteLine("Access exception, exception information: " + ex.Message);
                if (ex.Response == null)
                {
                    // No HTTP response at all (connection refused, timeout): nothing to authenticate against.
                    Console.Read();
                    return;
                }
                Console.WriteLine("The challenge response headers returned with the exception are:");
                foreach (string key in ex.Response.Headers.AllKeys)
                {
                    Console.WriteLine("  " + key + ": " + ex.Response.Headers[key]);
                }

                // Second request: attach "Basic " + base64("username:password") in the Authorization header.
                Console.WriteLine("Adding the Authorization header and resending the request");
                HttpWebRequest request2 = (HttpWebRequest)WebRequest.Create(new Uri("http://localhost"));
                request2.Method = "GET";
                // "PASSWORD" is a placeholder; the password from the original post was not preserved.
                string credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes("Administrator:PASSWORD"));
                request2.Headers.Add("Authorization", "Basic " + credentials);
                try
                {
                    response = request2.GetResponse();
                }
                catch (WebException ex2)
                {
                    Console.WriteLine("An exception occurred when resending the request with the Authorization header: " + ex2.Message);
                    Console.Read();
                    return;
                }
            }

            // Reached both when anonymous access succeeded and after a successful authenticated retry.
            using (Stream stream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(stream))
            {
                string content = reader.ReadToEnd();
                Console.WriteLine("The request response content is as follows:");
                Console.WriteLine(content);
            }
            Console.Read();
        }
    }
}

