ASP.NET permission/authentication series
ASP.NET: Forms Authentication
ASP.NET: HTTP Basic Authentication
ASP.NET: Windows Authentication
ASP.NET: Digest Authentication
First, the origin of digest authentication
Digest authentication is an improvement on Basic authentication: a digest is sent instead of the account password, so the password is never disclosed in plaintext on the wire.
I was not very familiar with digest authentication before, so thanks go to fellow blogger Parry for the post: ASP.NET Web API (iii): Use Digest authentication for security validation (Digest Authentication)
I found it really good and it saved me a lot of detours. This article mainly explains the post cited above; old hands can skip it.
As usual, the workflow diagram of the authentication:
Looking at the figure shows the steps of digest authentication:
1. The client requests the resource api/employees; in the sample project this is clicking the Details button.
2. After the request is submitted, the server checks the Authorization information in the headers. If it is empty, it returns 401, indicating that authentication is required and that the scheme is Digest, and also returns the realm, nonce and qop parameter values.
2.1. The value of realm can be arbitrary; nonce is a random number, usually a GUID-formatted string, generated and returned by the server; qop has three possibilities: undefined (i.e. empty), auth, and auth-int.
2.2. The back-end processing:
2.3. The response headers returned look like this:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="realmofbadri", qop="auth", nonce="75d1c31e6d3b28f100edac595a53cf96"
3. After receiving this response the client knows the resource requires authorization, so it prompts for a username and password.
One thing to be aware of here: by default the sample project treats the credentials as valid when the username and password are identical; see the code.
Click Sign in and the data is fetched from the back end.
Looking at the picture shows the values sent:
realm, qop and nonce are the values the server just generated;
username is what we entered on the page;
uri is the address the client wants to request;
nc and cnonce are values generated automatically by the client;
response is the final digest that gets delivered, and it is generated by the client.
Did you notice anything? Where's the password?
In fact this is the essence of Digest authentication: the plaintext password is never sent, only the digest.
Some readers may ask: if the password is not transmitted, how does the server know that the username entered belongs to the current user?
For that we need the digest. Let's see how the digest is generated:
Hash (username:realm:password) to get HA1;
hash (method:request-uri), i.e. (GET:http://localhost:32934/api/employees), to get HA2;
finally hash (HA1:nonce:nc:cnonce:qop:HA2) to get the digest, response.
4. Having analysed the front end, let's see how the server handles these parameters.
In fact the server's job is to take the realm, qop, nonce, username, uri, nc and cnonce sent by the client and run the same hash to get a new digest, RESPONSE2,
then compare RESPONSE2 with the client-generated response: if they match, authentication passes; if not, it keeps returning 401.
The main work is in this section of code:
Because, on the server side, everything in HA1:nonce:nc:cnonce:qop:HA2 except the password inside HA1 comes from the client, all the other parameters are already available.
So the core of digest authentication is:
For the client: I know the username and password, plus some authentication constraints (realm, qop, nonce, etc.), and from them I get the digest, response.
For the server: I know the username and the same constraints (realm, qop, nonce, etc.); I then look up the user's password in the database by username, and from these I get the digest, RESPONSE2.
Finally compare response with RESPONSE2: if the password the client entered is the same as the password found in the database for that username, authentication will certainly pass.
One last reminder: this authentication password does not have to be the same as the account's login password; they can be stored as two fields. Think of it as username + authentication password.
That is because the authentication password, even if stored encrypted, must be reversibly encrypted; otherwise the back end cannot compute the match.
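The digest computation (HA1, HA2, response) and the server-side recomputation and comparison described above, as an added example that is not part of the original post or the sample project. The realm and nonce are copied from the 401 response shown earlier; the user store, the username and the authentication password are constructed. It also handles the qop-undefined case the post mentions, which uses the older hash(HA1:nonce:HA2) form.

```python
import hashlib
import hmac
import re

# Constructed values: realm and nonce copied from the 401 challenge shown above.
REALM = "realmofbadri"
NONCE = "75d1c31e6d3b28f100edac595a53cf96"
# Hypothetical user store: username -> authentication password (the separate field the
# post recommends). RFC 2617 also allows storing HA1 itself instead of the password.
USERS = {"badri": "auth-pw-123"}

def md5(s: str) -> str:
    # The post's "hash operation"; RFC 2617 Digest defaults to MD5.
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username, password, realm, method, uri, nonce, nc=None, cnonce=None, qop=None):
    ha1 = md5(f"{username}:{realm}:{password}")   # HA1 = hash(username:realm:password)
    ha2 = md5(f"{method.upper()}:{uri}")           # HA2 = hash(method:uri)
    if qop is None:                                # qop undefined: the older RFC 2069 form
        return md5(f"{ha1}:{nonce}:{ha2}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(username, password, method, uri, cnonce, nc="00000001", qop="auth"):
    # What the client sends after the user types a username and password; no password inside.
    resp = digest_response(username, password, REALM, method, uri, NONCE, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{NONCE}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_authorization(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

def verify(header: str, method: str) -> bool:
    # Server side: rebuild RESPONSE2 from the client's parameters plus the stored password.
    p = parse_authorization(header)
    if p.get("realm") != REALM or p.get("nonce") != NONCE:
        return False  # unknown or stale nonce: answer 401 with a fresh challenge
    password = USERS.get(p.get("username", ""))
    if password is None or "uri" not in p or "response" not in p:
        return False
    expected = digest_response(p["username"], password, p["realm"], method, p["uri"],
                               p["nonce"], p.get("nc"), p.get("cnonce"), p.get("qop"))
    return hmac.compare_digest(expected, p["response"])  # constant-time compare
```

Note that the post's sample hashes the absolute URL into HA2 while this example uses the request path; either works as long as client and server hash the same string.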
All right, that's it for today!