Http Authentication (BASIC, DIGEST)

Source: Internet
Author: User
Tags: http authentication, http digest authentication, rfc

HTTP authentication: BASIC

In the context of an HTTP transaction, Basic access authentication is a method for a web browser or other client program to provide a user name and password when making a request. [1]

Before transmission, the user name is appended with a colon and concatenated with the password. The resulting string is encoded with the Base64 algorithm. For example, given the user name 'Aladdin' and password 'open sesame', the string 'Aladdin:open sesame' is Base64 encoded, resulting in 'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='. The Base64-encoded string is transmitted in the HTTP header and decoded by the receiver, resulting in the colon-separated user name and password string.

While encoding the user name and password with Base64 makes them unreadable to the unaided eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to map characters that may appear in the user name or password but are not HTTP-compatible into characters that are.
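The following is an added example (my own code, not from the original post) of both halves of the Basic scheme: the client builds the `Authorization` value from user name and password exactly as described above, and the server decodes it, splits on the first colon only (the password itself may contain colons), and compares the password in constant time. The realm name and the credential store are constructed for the example.

```python
import base64
import hmac

# Constructed credential store for the example: realm -> {username: password}.
# A real server stores a salted password hash, never the plaintext.
USERS = {"WallyWorld": {"Aladdin": "open sesame"}}


def basic_credentials(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(username ':' password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: str):
    """Decode an Authorization header value. Returns (username, password) or None.

    Split on the FIRST colon only: the user name may not contain a colon,
    but the password may ('open:sesame' is a legal password).
    """
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None                      # not Base64, or not valid UTF-8
    if ":" not in decoded:
        return None                      # no separator: malformed credential
    username, _, password = decoded.partition(":")
    return username, password


def check_basic(header: str, realm: str) -> bool:
    """Server side: decode the header and check it against the store for `realm`.

    hmac.compare_digest runs in constant time, so the comparison does not
    reveal how many leading characters of the guess were correct.
    """
    parsed = parse_basic(header)
    if parsed is None:
        return False
    username, password = parsed
    expected = USERS.get(realm, {}).get(username)
    if expected is None:
        # Compare against a dummy so timing does not reveal whether the user exists.
        hmac.compare_digest(password.encode("utf-8"), b"\x00" * 16)
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    hdr = basic_credentials("Aladdin", "open sesame")
    print(hdr)                           # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic(hdr))              # ('Aladdin', 'open sesame')
    print(check_basic(hdr, "WallyWorld"))  # True
```

Decoding the header recovers the password in full, which is the point of the paragraph above: Base64 is an encoding, and only the transport (TLS) protects the credential on the wire.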

One advantage of Basic access authentication is that all web browsers support it. It is rarely used on publicly accessible Internet web sites and may sometimes be used by small, private systems. A later mechanism, Digest access authentication, was developed in order to replace Basic access authentication and enable credentials to be passed in a relatively secure manner over an otherwise unsecured channel.

HTTP authentication: DIGEST

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a user's web browser. It sends a hash of the password over the network rather than the password itself, which is safer than Basic access authentication, which sends it in plaintext.

Technically, Digest authentication is an application of MD5 cryptographic hashing, with nonce values used to discourage cryptanalysis. It runs over the HTTP protocol.

HTTP Digest authentication is designed to be more secure than traditional digest authentication schemes. Digest access authentication is intended as a security trade-off: it is meant to replace unencrypted HTTP Basic access authentication. It is not, however, intended to replace strong authentication protocols such as public-key or Kerberos authentication.

Two authentication mechanisms for the HTTP protocol (RFC 2616): Basic and Digest

SIP is similar to the HTTP protocol, and its authentication mode is the same. The HTTP protocol (RFC 2616) provides for the use of Basic mode and Digest mode (the Digest scheme); RFC 2617 specifically defines these two authentication modes. RFC 1321 is the MD5 standard. Digest is not strong against modern password cracking, but it is much better than the Basic mode. MD5 has been shown by professors at Shandong University to be forgeable (my understanding), but it is still widely used.

1. The simplest way to attack
If a site requires authentication and the client sends the user name and password in the clear, a network eavesdropper can easily obtain them, and the authentication plays no security role. I went to school at the University of Science and Technology, and in the research lab's local area network I eavesdropped on other people's HKUST BBS passwords, and found that the BBS user name and password were actually transmitted in plaintext. The thief's guilty conscience and the excitement of being a thief made me inexplicably excited. Stealing money is morally condemned, while stealing people's passwords only gets you secretly carried away; there is no more sense of guilt than in stealing a book. So a user name and password transmitted in plaintext are likewise a piece of meat in front of a greedy person. Now many ASP web sites hash the user name and password with MD5 for authentication. MD5 converts a string of arbitrary length into a 16-byte (128-bit) digest, so what the eavesdropper captures is a garbled string. However, there is a problem: if the eavesdropper uses this garbled string to authenticate, it still passes. Because what the server compares is the MD5 string of the user name and password, and that string is exactly the captured garbage, the server naturally cannot distinguish who is a legitimate user. This is called a replay attack. This is similar to HTTP's Basic authentication mode. For the sake of safety, so that others do not get something for nothing, basic precautions are naturally taken. The following are the two authentication modes specified by the HTTP protocol.
2. Basic Authentication Mode
The client sends a request to the server; the server returns 401 (Unauthorized) and requires authentication. The 401 message carries a challenge in its header. The realm is used to distinguish parts of the site that are authenticated differently. After the client receives the 401, it Base64-encodes the user name and password, together with the challenge information, to form a credential, which is sent back to the server for authentication. The syntax is as follows:
challenge   = "Basic" realm
credentials = "Basic" basic-credentials
Example:
Authentication header: WWW-Authenticate: Basic realm="[email protected]"
Credential: Authorization: Basic qsdfgwghffuicanlc2ftzq==
(Tiger. Nameless: "The format is Authorization: Basic base64(username:password). However, there is no definition of how to deal with the realm information; for simple processing, you can keep a separate set of user:pass entries for each realm. Further, you could use MD5 digests, but that goes beyond the standard and browsers cannot be expected to support it.")
3. Digest access authentication
To prevent replay attacks, Digest access authentication is used. After the client sends the request, it receives a 401 (Unauthorized) message that contains a challenge. The message carries a unique string, the nonce, which differs for each request. The client hashes the user name, password and the challenge from the 401 message together and sends the result to the server. So even if there is eavesdropping, the eavesdropper cannot pass every authentication and cannot replay. HTTP is not a secure protocol; its contents are transmitted in plaintext, so do not expect HTTP to be more secure than that. The syntax is as follows:
challenge        = "Digest" digest-challenge
digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] | [ stale ] | [ algorithm ] | [ qop-options ] | [ auth-param ] )
domain           = "domain" "=" <"> URI ( 1*SP URI ) <">
URI              = absoluteURI | abs_path
nonce            = "nonce" "=" nonce-value
nonce-value      = quoted-string
opaque           = "opaque" "=" quoted-string
stale            = "stale" "=" ( "true" | "false" )
algorithm        = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
qop-options      = "qop" "=" <"> 1#qop-value <">
qop-value        = "auth" | "auth-int" | token
realm: A string that lets the client know which user name and password to use. Different realms may not share the same password. At the very least it tells the user which host is asking, so the user can be prompted to log in with the right user name, as for an e-mail account.
domain: A list of URIs that define the protection space. It may be a list; the user is told that the same credentials apply to these URIs. If it is empty or omitted, the protection space is the entire server.
nonce: A random string, different for each 401. Its construction is implementation-specific. RFC 2617 suggests the Base64 or hexadecimal encoding of: time-stamp H(time-stamp ":" ETag ":" private-key), where time-stamp is the server clock, ETag is the ETag header of the requested entity, and private-key is a value known only to the server.
opaque: Returned by the client unchanged, exactly as the server sent it. It is best as a Base64 or hexadecimal string.
auth-param: For extension use; ignore it at this stage.
For the other fields, refer to RFC 2617. Authorization header syntax:
credentials      = "Digest" digest-response
digest-response  = 1#( username | realm | nonce | digest-uri | response | [ algorithm ] | [ cnonce ] |
                       [ opaque ] | [ message-qop ] | [ nonce-count ] | [ auth-param ] )
username         = "username" "=" username-value
username-value   = quoted-string
digest-uri       = "uri" "=" digest-uri-value
digest-uri-value = request-uri   ; as specified by HTTP/1.1
message-qop      = "qop" "=" qop-value
cnonce           = "cnonce" "=" cnonce-value
cnonce-value     = nonce-value
nonce-count      = "nc" "=" nc-value
nc-value         = 8LHEX
response         = "response" "=" request-digest
request-digest   = <"> 32LHEX <">
LHEX             = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"
response: The hashed password (the request-digest)
digest-uri: A copy of the Request-URI from the request line, for use by proxies
cnonce: If qop is set, it is used for mutual authentication and to protect against attacks on the client.
nonce-count: If the server sees the same count twice for a nonce, the request is a replay.
Example:
401 response:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="[email protected]",
qop="auth,auth-int",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
Request again:
Authorization: Digest username="Mufasa",
realm="[email protected]",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html",
qop=auth,
nc=00000001,
cnonce="0a4f113b",
response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
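As an added example (my own code, not from the original post), the exchange above carried through in full: the client parses the WWW-Authenticate challenge, computes request-digest = H(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2)) for qop=auth, and builds the Authorization header; the server recomputes the digest and, as the nonce-count description says, rejects a repeated nc for the same nonce as a replay. The values are the RFC 2617 section 3.5 test vector, with the realm "testrealm@host.com" and password "Circle Of Life" as printed in the RFC (the page's copy shows the realm obfuscated); the user store is constructed. MD5 is used only because it is the algorithm RFC 2617 defines.

```python
import hashlib
import hmac
import re

# Test vector from RFC 2617 section 3.5 (the page's example); realm and
# password are the ones printed in the RFC.
CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
PASSWORD = "Circle Of Life"
REQUIRED = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")


def h(data: str) -> str:
    """H(data): MD5 hex digest, the only algorithm RFC 2617 defines."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_auth_params(header: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth: H( H(A1) ':' nonce ':' nc ':' cnonce ':' qop ':' H(A2) )."""
    ha1 = h(f"{username}:{realm}:{password}")  # A1 = username ':' realm ':' password
    ha2 = h(f"{method}:{uri}")                  # A2 = method ':' digest-uri (auth-int adds H(body))
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(challenge, username, password, method, uri, nc, cnonce):
    """Client side: answer a WWW-Authenticate challenge with an Authorization header value."""
    c = parse_auth_params(challenge)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}", opaque="{c["opaque"]}"')


class DigestVerifier:
    """Server side: recompute the digest and reject a repeated nonce-count as a replay.

    A real server would additionally check that it issued the nonce (the
    time-stamp/private-key construction described above) and that the realm
    and uri match the request; both are omitted here to keep the example short.
    """

    def __init__(self, users: dict):
        self.users = users   # constructed store: username -> password (real servers keep H(A1))
        self.seen = {}       # nonce -> highest nc accepted so far

    def verify(self, header: str, method: str) -> bool:
        try:
            a = parse_auth_params(header)
            if any(k not in a for k in REQUIRED) or a.get("qop", "auth") != "auth":
                return False
            nc = int(a["nc"], 16)
        except ValueError:
            return False
        password = self.users.get(a["username"])
        if password is None:
            return False
        expected = digest_response(a["username"], a["realm"], password, method,
                                   a["uri"], a["nonce"], a["nc"], a["cnonce"])
        if not hmac.compare_digest(expected.encode(), a["response"].encode()):
            return False
        if nc <= self.seen.get(a["nonce"], 0):
            return False     # same (or older) count on this nonce: a replayed request
        self.seen[a["nonce"]] = nc
        return True


if __name__ == "__main__":
    hdr = build_authorization(CHALLENGE, "Mufasa", PASSWORD, "GET", "/dir/index.html",
                              "00000001", "0a4f113b")
    print(hdr)                           # response="6629fae49393a05397450978507c4ef1"
    server = DigestVerifier({"Mufasa": PASSWORD})
    print(server.verify(hdr, "GET"))     # True
    print(server.verify(hdr, "GET"))     # False: same nc replayed
```

Because the method is part of H(A2), a captured GET credential cannot be reused for a POST to the same URI, and because nc is part of the digest, the client cannot simply bump the counter on an old response either; the eavesdropper of the "simplest attack" section above gets a string that is only good for the one request it was computed for.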

Source: http://blog.sina.com.cn/s/blog_721948c20100xw19.html
