Basic authentication of HTTP

Source: Internet
Author: User
Tags: http, authentication

Authentication

Authentication is the act of presenting some proof of identity. When you show a photo ID such as a passport or driver's license, you give evidence that you are the person you claim to be. When you enter a PIN at an ATM, or a password in a dialog box on a computer system, you are likewise proving that you are who you claim to be.

None of these strategies is absolutely effective. Passwords can be guessed or overheard, and identity documents can be stolen or forged, but every piece of evidence helps build reasonable confidence that you are the person you claim to be.

"HTTP Challenge/Response authentication Framework"

HTTP provides a native challenge/response framework that simplifies the authentication process for users. The HTTP authentication model is shown in the figure below.

[Figure: the HTTP challenge/response authentication model]

When a Web application receives an HTTP request message, the server does not perform the requested action right away; instead it responds with an authentication challenge, asking the user to prove who he is by supplying some secret information.

When the user repeats the request, he attaches a secret credential (a user name and password). If the credential does not match, the server can challenge the client again or return an error. If the credential matches, the request completes normally.

"Authentication Protocols and Headers"

HTTP provides an extensible framework for different authentication protocols through a customizable set of control headers. The format and content of the headers listed in the table below vary with the authentication protocol, which is itself named in the HTTP authentication headers.

HTTP defines two official authentication protocols: Basic authentication and Digest authentication. New protocols that use the HTTP challenge/response framework can be designed in the future.

[Table image: HTTP authentication headers]

[Table image: HTTP authentication headers (continued)]

An example of Basic authentication is shown in the figure below.

[Figure: Basic authentication exchange]

When the server challenges the user, it returns a 401 Unauthorized response and, in the WWW-Authenticate header, explains how and where to authenticate.

When the client wants to authorize itself to the server, it resends the request with the scrambled password and some other authentication parameters appended in the Authorization header.

When an authorized request completes successfully, the server returns a normal status code (for example, 200 OK) and, for more advanced authentication algorithms, may append additional information in the Authentication-Info header.

"Security Realms"

Before going into the details of Basic authentication, we need to explain how HTTP lets a server apply different access rights to different resources. The WWW-Authenticate challenge includes a realm directive. The Web server groups its protected documents into security realms, and each realm can have its own set of authorized users.

For example, suppose the Web server sets up two security realms: one for the company's financial information and one for personal family documents. Different users have different access rights to each realm. The company's CEO should be able to read the sales forecasts, but should not be allowed to look at photos of employees and their families on vacation.

[Figure: two security realms with different sets of authorized users]

Here is a hypothetical Basic authentication challenge that specifies a realm:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="Corporate Financials"

The realm should have a descriptive string name, such as Corporate Financials, to help users understand which user name and password to use. It is also helpful to include the server's hostname in the realm name, for example [email protected]

Basic Authentication

Basic authentication is the most popular HTTP authentication protocol; almost every major client and server implements it. It was originally described in the HTTP/1.0 specification but has since been moved to RFC 2617, which details HTTP's authentication mechanisms.

In Basic authentication, the Web server can refuse a transaction and challenge the client to supply a valid user name and password. To start the challenge the server returns a 401 status code instead of 200, and names the security realm being accessed in the WWW-Authenticate response header. When the browser receives the challenge, it opens a dialog box asking the user for a user name and password for that realm. The user name and password are then lightly scrambled and sent back to the server in the Authorization request header.

"Basic Authentication Example"

The figure below is a detailed example of Basic authentication.

[Figure: Basic authentication example, panels A to D]

In panel A, the user requests a private family photo, /family/jeff.jpg.

In panel B, the server sends back a 401 Authorization Required response, a password challenge for the private family photo, together with a WWW-Authenticate header. This header requests Basic authentication for the Family realm.

In panel C, the browser receives the 401 challenge and pops up a dialog asking for the user name and password for the Family realm. When the user enters them, the browser joins them with a colon, encodes the result in the Base-64 "scrambled" representation, and sends it back in the Authorization header.

In panel D, the server decodes the user name and password, verifies that they are correct, and returns the requested document in an HTTP 200 OK message.

The table below summarizes the WWW-Authenticate and Authorization headers for HTTP Basic authentication.

[Table image: WWW-Authenticate and Authorization headers for Basic authentication]

[Note] The Basic authentication protocol does not use the Authentication-Info header.

"Base-64 Username/Password Encoding"

HTTP Basic authentication packs the user name and password together (separated by a colon) and encodes them with Base-64 encoding. Simply put, Base-64 encoding splits a sequence of 8-bit bytes into 6-bit blocks and uses each 6-bit block to select one character from a special 64-character alphabet made up mostly of letters and digits.

The figure below shows a Basic authentication instance that uses Base-64 encoding. In this example the user name is brian-totty and the password is Ow!. The browser joins the user name and password with a colon to produce the packed string brian-totty:Ow!, which is then Base-64 encoded into the scrambled-looking string YnJpYW4tdG90dHk6T3ch.

[Figure: Base-64 encoding of brian-totty:Ow!]

Base-64 encoding can take binary strings, text, and international character data (which causes problems on some systems) and temporarily convert them into a portable alphabet for transmission. The original string can then be decoded at the far end without worrying about transmission errors.

Some user names and passwords contain international characters or other characters that are illegal in HTTP headers (such as quotation marks, colons, and carriage returns); Base-64 encoding makes such user names and passwords transmissible. Furthermore, the Base-64 encoding scrambles the user name and password, which prevents administrators from accidentally seeing them while administering the server and the network.
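The 8-bit to 6-bit regrouping described above, written out as an added example (not code from the original article): a from-scratch Base-64 encoder and decoder, the Basic credential packaging built on top of it, and a cross-check against Python's standard library. The user name and password are the ones from the figure; the padding cases and the non-ASCII sample are constructed for the example.

```python
# Added example, not from the original article: hand-rolled Base-64 showing
# the 8-bit -> 6-bit regrouping, plus the Basic "user:password" packaging.
import base64

# the 64-character alphabet: 26 upper, 26 lower, 10 digits, '+' and '/'
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
PAD = "="


def b64_encode(data: bytes) -> str:
    """Encode bytes by regrouping each 3 bytes (24 bits) into four 6-bit blocks."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # pack the chunk into a 24-bit integer, zero-filling a short final chunk
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        # pull out the four 6-bit groups, high bits first
        groups = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # a 1-byte tail yields 2 real characters, a 2-byte tail yields 3
        keep = n + 1
        out.append("".join(ALPHABET[g] for g in groups[:keep]))
        out.append(PAD * (4 - keep))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse the regrouping; rejects characters outside the alphabet."""
    if len(text) % 4 != 0:
        raise ValueError("Base-64 input length must be a multiple of 4")
    stripped = text.rstrip(PAD)
    out = bytearray()
    for i in range(0, len(stripped), 4):
        quad = stripped[i:i + 4]
        if len(quad) == 1:
            raise ValueError("a lone trailing character carries no whole byte")
        bits = 0
        for ch in quad:
            idx = ALPHABET.find(ch)
            if idx < 0:
                raise ValueError(f"illegal Base-64 character {ch!r}")
            bits = (bits << 6) | idx
        # left-align a short final quad in the 24-bit window
        bits <<= 6 * (4 - len(quad))
        # len(quad) characters carry len(quad) - 1 whole bytes
        out += bits.to_bytes(3, "big")[:len(quad) - 1]
    return bytes(out)


def package_credentials(user: str, password: str) -> str:
    """The Basic scheme's packaging: user ':' password, UTF-8, then Base-64."""
    if ":" in user:
        # the colon is the separator, so it cannot appear in the user name
        raise ValueError("the user name may not contain ':'")
    return b64_encode(f"{user}:{password}".encode("utf-8"))


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled coder against the standard library."""
    encoded = b64_encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64_decode(encoded) == data)


if __name__ == "__main__":
    print(package_credentials("brian-totty", "Ow!"))   # YnJpYW4tdG90dHk6T3ch
    print(b64_decode("YnJpYW4tdG90dHk6T3ch"))          # b'brian-totty:Ow!'
```

The 15-byte string brian-totty:Ow! is a multiple of three bytes long, so it needs no padding; the shorter inputs in the checks show where the `=` padding comes from.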

"Proxy Authentication"

Intermediary proxy servers can also perform authentication. Some organizations use a proxy server to authenticate users before they can access servers, the LAN, or a wireless network. Access policies can then be managed centrally on the proxy, which makes it a convenient way to provide unified access control for the organization's resources. The first step in that process is to establish identity through proxy authentication.

The steps for proxy authentication are the same as for Web server authentication, but the headers and status codes differ. The table below lists the status codes and headers used by Web servers and by proxies in authentication.

[Table image: status codes and headers used by Web servers vs. proxies for authentication]
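The exchange from panels A to D, and its proxy variant, as one added example (not code from the original article or any particular server): a server that issues the challenge, a client that packages the credentials, and the server-side check. The realm, the user name and password from the figure, and the credential store are constructed here. The status codes and header names are the ones RFC 2617 defines: 401 with WWW-Authenticate and Authorization for an origin server, 407 with Proxy-Authenticate and Proxy-Authorization for a proxy. Passwords are stored salted and hashed and compared in constant time, which is a deployment choice of this example, not something the Basic protocol requires.

```python
# Added example, not from the original article: simulated Basic
# challenge/response for an origin server (401) or a proxy (407).
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# --- server-side credential store (constructed; plaintext is never kept) ---
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Turn {user: plaintext} into {user: (salt, hash)}."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(pw, salt))
    return store

# --- only the status code and header names differ between server and proxy ---
def _names(proxy: bool) -> Tuple[int, str, str]:
    if proxy:
        return 407, "Proxy-Authenticate", "Proxy-Authorization"
    return 401, "WWW-Authenticate", "Authorization"

# panel B: the server challenges, naming the realm
def challenge(realm: str, proxy: bool = False) -> Tuple[int, Dict[str, str]]:
    status, challenge_hdr, _ = _names(proxy)
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')  # realm is a quoted-string
    return status, {challenge_hdr: f'Basic realm="{quoted}"'}

# panel C: the client joins user:password with a colon and Base-64 encodes it
def build_authorization(user: str, password: str, proxy: bool = False) -> Dict[str, str]:
    if ":" in user:
        raise ValueError("user name must not contain ':' (it is the separator)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    _, _, authz_hdr = _names(proxy)
    return {authz_hdr: f"Basic {token}"}

# panel D: the server decodes and verifies
_BASIC_RE = re.compile(r"^\s*Basic\s+([A-Za-z0-9+/]+=*)\s*$", re.IGNORECASE)

def parse_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic credential, or None if malformed."""
    m = _BASIC_RE.match(header_value)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def verify(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    entry = store.get(user)
    if entry is None:
        # do the same hashing work for unknown users so timing does not reveal names
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)

def handle_request(headers: Dict[str, str], realm: str,
                   store: Dict[str, Tuple[bytes, bytes]],
                   proxy: bool = False) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers): 200 on valid credentials, else re-challenge."""
    _, _, authz_hdr = _names(proxy)
    # header names are case-insensitive
    value = next((v for k, v in headers.items() if k.lower() == authz_hdr.lower()), None)
    creds = parse_basic(value) if value else None
    if creds and verify(store, *creds):
        return 200, {}
    return challenge(realm, proxy)

if __name__ == "__main__":
    users = make_user_store({"brian-totty": "Ow!"})
    print(handle_request({}, "Family", users))                                   # 401 challenge
    print(handle_request(build_authorization("brian-totty", "Ow!"), "Family", users))  # (200, {})
```

A failed or missing credential is answered with the same challenge again, which is exactly the loop the text describes; switching `proxy=True` changes nothing except the status code and the two header names.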

Security Flaws

Basic authentication is simple and convenient, but it is not secure. It should only be used to prevent unintentional access by non-malicious users, or combined with an encryption technique such as SSL.

Basic authentication sends the user name and password across the network in a form that is trivially decoded. In effect, the password is transmitted in the clear and can be read and captured by anyone. Base-64 encoding does hide the user name and password from a friendly user who glances at the traffic, but a Base-64 encoded user name and password can be decoded by simply reversing the encoding, or even by hand with pencil and paper in a few seconds. So a Base-64 encoded password is, for practical purposes, transmitted in "plaintext". If a motivated third party is likely to intercept the user name and password sent by Basic authentication, you should carry all HTTP transactions over an SSL encrypted channel or use a more secure authentication protocol, such as Digest authentication.

Even if the password were scrambled in a harder-to-reverse way, a third party could still capture the scrambled user name and password and replay them to the origin server to gain access. Nothing in Basic authentication prevents these replay attacks.

Even when Basic authentication is used for less important applications, such as access control for a corporate intranet or personalized content, some bad habits can make it dangerous. Many users reuse the same user name and password across services because they cannot remember a large number of password-protected accounts. For example, an attacker who captures a cleartext user name and password from a free Internet mail site may then find that the same user name and password work at an important online banking site.

Basic authentication offers no protection against proxies or other intermediaries acting as men in the middle: they can leave the authentication headers untouched while modifying the rest of the message, seriously altering the nature of the transaction.

Fake servers can easily fool Basic authentication. If the user is in fact connected to a malicious server or gateway that makes him believe he is talking to a legitimate host protected by Basic authentication, the attacker can ask the user for a password, store it for later use, and then feed the user a fabricated error message.

All this means that Basic authentication can be used, in a friendly environment or one where privacy is not critical, to provide convenient document personalization or access control. In that setting it keeps curious users from stumbling into documents by accident.

For example, within a company, product management may password-protect future product plans to prevent premature release of the information. For the average user, Basic authentication is enough to signal that the data is off limits, and they will not try to access it again. Similarly, passwords may protect private photos or private sites that are not highly confidential and of little value to anyone else.

Using Basic authentication together with encrypted data transport (such as SSL) to hide the user name and password from malicious observers makes Basic authentication considerably more secure. This is a common technique.
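The "only over an encrypted channel" deployment the text recommends, as an added example (not code from the original article or any particular server): a server never issues a Basic challenge over plain http, because the browser would answer it by sending the password in the clear; it redirects to https first, flags any credential that did arrive unencrypted so a detection rule can treat it as compromised, and redacts credential headers before they reach an access log (the "administrator accidentally sees the password" problem from the Base-64 section). The request shape (scheme, path, headers dict), the hostnames and the HSTS value are constructed for this example.

```python
# Added example, not from the original article: transport gating and log
# redaction for a server that offers Basic authentication only over TLS.
from typing import Dict, Tuple

# request headers whose values are secrets and must never reach an access log
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def gate_basic_auth(scheme: str, path: str, headers: Dict[str, str],
                    realm: str) -> Tuple[int, Dict[str, str]]:
    """Decide what happens before any password is looked at.

    Over plain http: never challenge, redirect to https so the user is not
    invited to type a password into an unencrypted session.
    Over https: challenge when no credentials were sent.
    Returns (status, response headers); status 0 means "proceed to verify".
    """
    lower = _lower(headers)
    if scheme.lower() != "https":
        host = lower.get("host")
        if not host:
            return 400, {}
        return 301, {"Location": f"https://{host}{path}"}
    if "authorization" not in lower:
        return 401, {
            "WWW-Authenticate": f'Basic realm="{realm}"',
            # ask the browser to stay on https for future requests (constructed value)
            "Strict-Transport-Security": "max-age=31536000",
        }
    return 0, {}


def credentials_exposed(scheme: str, headers: Dict[str, str]) -> bool:
    """True when a credential header arrived over an unencrypted connection.

    Even though such a request is redirected rather than served, the password
    in it has already crossed the network in the clear; alert on it.
    """
    lower = _lower(headers)
    return scheme.lower() != "https" and any(
        h in lower for h in ("authorization", "proxy-authorization"))


def redact_for_log(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the request headers that is safe to write to an access log."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    req = {"Host": "photos.example.test", "Authorization": "Basic YnJpYW4tdG90dHk6T3ch"}
    print(gate_basic_auth("http", "/family/jeff.jpg", req, "Family"))   # (301, {...})
    print(credentials_exposed("http", req))                             # True
    print(redact_for_log(req))                                          # Authorization masked
```

The gating happens before the credential check from the earlier exchange, so a server that combines both never evaluates, and never logs, a password that was not protected in transit.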

