HTTP identification, authentication and security

Source: Internet
Author: User
Tags asymmetric encryption

Identification, authentication and security

The four chapters of Part III present a range of techniques and mechanisms that can be used to track identity, enforce security, and control access to content.

Chapter 11: Client identification and cookies

HTTP began as an anonymous, stateless request/response protocol. The server processes a request from the client and then sends a response back to the client. The web server has little information with which to determine which user sent a request, or to keep track of a sequence of requests from a visiting user.

User identification mechanisms
    • HTTP headers that carry information about user identity
    • Client IP address tracking, which identifies users by their IP addresses
    • User login, which uses authentication to identify users
    • Fat URLs, a technique for embedding identifying information in a URL
    • Cookies, a powerful and efficient technique for maintaining a persistent identity

HTTP headers

The following table shows 7 common HTTP request headers that are used to carry user-related information. The last 3 headers in the table are extension request headers.

Header name        Description
From               User's e-mail address
User-Agent         User's browser software
Referer            Page from which the user followed a link to get here
Authorization      User name and password
Client-IP          IP address of the client
X-Forwarded-For    IP address of the client
Cookie             ID label generated by the server

User login

To make signing in to web sites easier, HTTP has a built-in mechanism for passing user-related information to a web site using the WWW-Authenticate and Authorization headers. Once the user has logged in, the browser sends this login information with every request to the site.

Disadvantage: confidentiality is weak, and a login does not carry across sites; each site requires the user to enter an account and password again.

Fat URL

Fat URLs can be used to tie several separate HTTP transactions with a server into a single "session" or "visit". The first time a user visits the web site, a unique ID is generated and added to the URL in a way the server can recognize, and the server then redirects the client to this fat URL.

Problems:
-Ugly URLs
-URLs cannot be shared
-Breaks caching
-Extra server load
-Escape hatches
-No persistence across sessions

Cookies

Cookies are the best way to identify a user and implement a persistent session. They were originally developed by Netscape, and are now supported by all major browsers.

Types of cookies

Cookies can be broadly classified into two types: session cookies and persistent cookies. The only difference between a session cookie and a persistent cookie is when they expire. A cookie is a session cookie if its Discard parameter is set, or if it has no Expires or Max-Age parameter giving an extended expiration time.

Different sites use different cookies

The cookie Domain attribute
The server that generates a cookie can add a Domain attribute to the Set-Cookie response header to control which sites get to see that cookie.

Set-Cookie: user="wilson"; domain="wilsonliu.cn"

This cookie is sent to any site the user visits whose name ends with wilsonliu.cn.

The cookie Path attribute
The cookie specification even allows cookies to be associated with part of a web site. This is done with the Path attribute.

Set-Cookie: year="21"; domain="wilsonliu.cn"; path=/year/

This cookie is sent only for requests to paths under /year/ on the site.

Cookie ingredients

Version 0 cookies (Netscape)

Set-Cookie header
-Name=value
-Expires
-Domain
-Path
-Secure

Cookie header
When a client sends a request, it includes all unexpired cookies that match the domain, path, and secure filters for the site.
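
The matching rule just described, as an added example that is not part of the original page: it parses the two Set-Cookie lines shown earlier and decides which cookies go into the Cookie header for a given URL. The function names and the third cookie (sid) are assumptions made for illustration; expiry and cookies without a Domain attribute are not modelled.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str = ""
    path: str = "/"
    secure: bool = False

def parse_set_cookie(header_value: str) -> Cookie:
    """Parse 'name=value; attr=value; flag' (Expires is not modelled here)."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    cookie = Cookie(name.strip(), value.strip().strip('"'))
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
    return cookie

def domain_matches(host: str, domain: str) -> bool:
    # Match on a label boundary: a bare endswith() would accept "evilwilsonliu.cn".
    return host == domain or host.endswith("." + domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    # Prefix match on a "/" boundary, so "/year/" does not cover "/yearbook".
    prefix = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    return request_path == cookie_path or request_path.startswith(prefix)

def cookie_header(url: str, jar: list) -> str:
    """Build the Cookie request header value for url from the cookies in jar."""
    parts = urlsplit(url)   # urlsplit already lower-cases the host name
    sent = [f"{c.name}={c.value}" for c in jar
            if domain_matches(parts.hostname or "", c.domain)
            and path_matches(parts.path or "/", c.path)
            and (not c.secure or parts.scheme == "https")]
    return "; ".join(sent)

# Constructed jar: the two Set-Cookie examples above plus a made-up Secure cookie.
JAR = [parse_set_cookie('user="wilson"; domain="wilsonliu.cn"'),
       parse_set_cookie('year="21"; domain="wilsonliu.cn"; path=/year/'),
       parse_set_cookie('sid=abc123; domain=wilsonliu.cn; Secure')]
```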

Version 1 cookies (RFC 2965)

Set-Cookie2 header
-Name=value
-Version
-Comment
-CommentURL
-Discard
-Domain
-Max-Age
-Path
-Port
-Secure

Cookie header
Version 1 cookies carry back additional information about each delivered cookie, describing the filters that each cookie passed. Each matching cookie must include any Domain, Port, or Path attributes from the corresponding Set-Cookie2 header.

Chapter 12: Basic authentication

Basic authentication challenge header

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm=quoted-realm

Response header (credentials transmitted Base64-encoded)

Authorization: Basic base64-username-and-password
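
Both sides of the basic authentication exchange above, as an added example that is not part of the original page: the server builds the challenge, the client builds the Authorization value, and the server parses it back. The function names are assumptions made for illustration; the point to notice is that parsing needs no secret, so anyone who sees the header recovers the password.

```python
import base64
import binascii

def basic_challenge(realm: str) -> str:
    """Value of the WWW-Authenticate header the server sends with a 401."""
    return 'Basic realm="%s"' % realm.replace('"', '\\"')

def basic_credentials(user: str, password: str) -> str:
    """Value of the Authorization header the client sends back."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def parse_basic(header_value: str):
    """Return (user, password) from an Authorization value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    # The user name cannot contain ':'; everything after the first one is the password.
    return (user, password) if sep else None
```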

Chapter 13: Digest authentication

Basic authentication is convenient and flexible, but extremely insecure. The user name and password are transmitted in plaintext, and nothing is done to prevent tampering with the message. The only way to use basic authentication safely is in conjunction with SSL.

Digest authentication is compatible with basic authentication, but more secure.

Improvements in digest authentication
    • Never sends a password across the network in clear text
    • Prevents malicious users from capturing and replaying authentication handshakes
    • Can optionally guard against tampering with message contents
    • Guards against several other common forms of attack

Protecting passwords with a digest

The motto of digest authentication is "never send the password over the network." Instead of sending the password, the client sends a "fingerprint" or "digest" of the password, which is an irreversible scrambling of the password.

One-way digests

A digest is a "condensation of a body of information." A digest acts as a one-way function, mainly used to convert an unlimited number of possible input values into a finite, condensed range of output values. One common digest function, MD5, converts a byte sequence of any length into a 128-bit digest.
Digest functions are sometimes called cryptographic checksums, one-way hash functions, or fingerprint functions.

Preventing replay attacks with nonces

Using a one-way digest removes the need to send the password in clear text, and there is no easy way for anyone to decode the original password from the digest.

However, hiding the password alone does not remove the danger, because even without knowing the password, someone can intercept the digest and replay it to the server. The digest is as good as the password.

To prevent such replay attacks, the server can send the client a special token called a nonce, which changes frequently (perhaps every millisecond, or for every authentication). The client appends this nonce token to the password before calculating the digest.

Digest calculation

The heart of digest authentication is a one-way digest of a mix of public information, secret information, and a time-limited nonce value.

Data
    1. Security-related data (A1): a chunk of data containing the user name, password, protection realm, and nonce
    2. Message-related data (A2): such as the URL, request method, and message entity. A2 helps prevent the method, resource, or message from being tampered with
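
The digest calculation and the nonce check from the two sections above, as an added example that is not part of the original page. It goes beyond the text by following the RFC 2617 qop=auth form, where H(A1) covers user, realm and password and the nonce is mixed in at the final step; the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_for(user, realm, password):
    """H(A1): the only secret-derived value; the password itself is never sent."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha2 = md5_hex(f"{method}:{uri}")          # A2 binds the method and URI
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side: accepts a response once per (nonce, nc) for nonces it issued."""
    def __init__(self, stored_ha1):
        self.stored_ha1 = stored_ha1   # user -> H(A1), no clear-text passwords
        self.issued = set()            # nonces this server has handed out
        self.seen = set()              # (nonce, nc) pairs already accepted

    def issue(self, nonce):
        self.issued.add(nonce)

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        ha1 = self.stored_ha1.get(user)
        if ha1 is None or nonce not in self.issued or (nonce, nc) in self.seen:
            return False               # unknown user, foreign nonce, or replay
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True

# Sample values from the worked example in RFC 2617, section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
```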

Preemptive authorization

In normal authentication, each request goes through a request/challenge cycle before the transaction can complete.
If the client knows in advance what the next nonce will be, it can skip the request/challenge cycle.

    • The server sends the next nonce in advance in the Authentication-Info success header
    • The server allows the same nonce to be reused for a short period of time
    • The client and server use a synchronized, predictable nonce-generation algorithm

Practical issues to consider
    • Multiple challenges
    • Error handling
    • Protection spaces
    • Rewriting URIs
    • Caches

Security considerations
    • Header tampering
    • Replay attacks
    • Multiple authentication mechanisms
    • Dictionary attacks
    • Hostile proxies and man-in-the-middle attacks
    • Chosen plaintext attacks
    • Storing passwords

Chapter 14: Secure HTTP

Making HTTP safe
    • Server authentication
    • Client authentication
    • Integrity
    • Encryption
    • Efficiency
    • Ubiquity
    • Administrative scalability
    • Adaptability
    • Social viability

HTTPS

HTTPS is the most popular secure form of HTTP. It was pioneered by Netscape, and all major browsers and servers support it.
When HTTPS is used, all HTTP request and response data is encrypted before it is sent across the network. HTTPS provides a transport-level cryptographic security layer underneath HTTP, using either SSL or its successor, Transport Layer Security (TLS).

Most of the hard encoding and decoding work is done in the SSL library, so web clients and servers do not need to change much of their protocol processing logic to use secure HTTP. In most cases, you only need to replace TCP input/output calls with SSL calls, and then add a few other calls to configure and manage the security information.

Digital cryptography
    • Ciphers: algorithms for encoding text so that onlookers cannot read it
    • Keys: numeric parameters that change the behavior of ciphers
    • Symmetric-key cryptosystems: algorithms that use the same key for encoding and decoding
    • Asymmetric-key cryptosystems: algorithms that use different keys for encoding and decoding
    • Public-key cryptography: a system that lets millions of computers easily send confidential messages
    • Digital signatures: used to verify that a message has not been forged or tampered with
    • Digital certificates: verified and signed by a trusted organization

Ciphers

Cryptography is based on secret codes called ciphers. A cipher is a coding scheme: a particular way of encoding a message combined with a corresponding way of decoding it later. The original message, before encryption, is often called plaintext or cleartext. The coded message, after the cipher has been applied, is often called ciphertext.

Keyed ciphers

Both the encoding algorithm and the cipher machine could fall into enemy hands, so most machines had dials that could be set to a large number of different values to change how the cipher worked. These cipher parameters are called keys, and the correct key has to be entered into the cipher machine for decryption to work correctly.

Symmetric-key cryptography

When the key value used for encoding is the same as the one used for decoding, it is a symmetric key.

It is important to keep the key secret. In many cases the encoding and decoding algorithms are publicly known, so the key is the only thing that is secret. A good encryption algorithm forces an attacker to try every possible key to break the code. Trying all key values by brute force is called an enumeration attack. The number of possible keys depends on the number of bits in the key and on how many of the possible keys are valid.

One drawback of symmetric-key cryptography is that the sender and the recipient must share a secret key before they can talk to each other. Each pair of communicating entities needs its own private key. If there are N nodes and each node has to talk securely with all of the other N-1 nodes, a total of N squared secret keys is required, which would be a management nightmare.

Public-key cryptography

Public-key cryptography uses 2 asymmetric keys: one for encoding messages to a host and the other for decoding the host's messages. The encoding key is publicly known, but only the host knows the private decoding key.
The common challenge for all asymmetric public-key cryptosystems is to make sure that the secret private key cannot be computed, even by someone who has all of the following clues:

    • The public key
    • A piece of intercepted ciphertext (obtainable by sniffing the network)
    • A message and its associated ciphertext (obtainable by running the encryptor on any piece of text)

Hybrid cryptosystems and session keys

Convenient public-key cryptography is used to set up secure communication between two nodes, and that secure channel is then used to generate and send a temporary symmetric key, which encrypts the rest of the data with faster symmetric cryptography.

Digital signatures

In addition to encrypting and decrypting messages, a cryptosystem can be used to sign messages, showing who wrote a message and that the message has not been tampered with. This technique is called digital signing.

    1. The client condenses the variable-length message into a fixed-length digest.
    2. The client applies a "signature" function to the digest, which takes the user's private key as a parameter. Because only the user knows the private key, a correct signature function shows that the signer is its owner.
    3. Once the signature is computed, the client appends it to the end of the message and sends both the message and the signature to the other party.
    4. On the receiving side, the signature is checked with the public key; if it does not match, the message has been tampered with.
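
The four steps above carried through in code, as an added example that is not part of the original page. It assumes textbook RSA over a SHA-256 digest with a deliberately tiny key built from two Mersenne primes and no padding, which is only suitable for following the steps; all names are chosen for illustration.

```python
import hashlib

# Toy RSA key (assumption for illustration only): a modulus of about 150 bits
# is far too small for real use, and real signatures also apply padding.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

def digest_int(message: bytes) -> int:
    """Step 1: condense a variable-length message into a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: apply the signature function, keyed by the private exponent."""
    return pow(digest_int(message), d, n)

def send(message: bytes) -> tuple:
    """Step 3: attach the signature to the message."""
    return message, sign(message)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Step 4: recover the digest with the public key and compare it with
    a digest computed over the message that actually arrived."""
    return pow(signature, e, n) == digest_int(message)
```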

Benefits of using digital signatures
1. A signature proves that the author wrote the message. Only the author has the top-secret private key, so only the author can compute the checksum. The checksum acts as a personal "signature" from the author.
2. A signature prevents message tampering. If a malicious attacker modifies the message in transit, the checksum no longer matches. Because the checksum can only be generated with the author's secret private key, the attacker cannot forge a correct checksum for the tampered message.

Digital certificates

A digital certificate contains information about a user or company that is vouched for by a trusted organization. Digital certificates are issued and digitally signed by an official "certificate authority".
When a secure web transaction is established over HTTPS, a modern browser automatically fetches the digital certificate of the server it is connecting to. If the server does not have a certificate, the secure connection fails. When the browser receives the certificate, it checks the signing authority.

HTTPS: the details

HTTPS combines the HTTP protocol with a powerful set of symmetric, asymmetric, and certificate-based cryptographic techniques, which makes HTTPS not only secure, but also flexible and easy to manage across a fragmented, decentralized, global Internet.

When a client performs a transaction on a web resource, it examines the scheme of the URL. If the scheme is https, the client opens a connection to port 443 on the server (instead of port 80, the traditional HTTP default) and then performs an SSL "handshake" with the server, exchanging some SSL security parameters with the server in binary format, followed by the encrypted HTTP commands.

Validity of site certificates
    1. Date check
    2. Signer trust check
    3. Signature check
    4. Site identity check

Tunneling secure traffic through proxies

Clients often use web proxy servers to access web servers on their behalf. But once the client starts encrypting the data it sends to the server with the server's public key, the proxy can no longer read the HTTP header, and so has no way of knowing where the request should be forwarded.
To make HTTPS work with proxies, the HTTPS SSL tunneling protocol can be used. With the HTTPS tunneling protocol, the client first tells the proxy the secure host and port to which it wants to connect. It does this in clear text, before encryption starts.
