Digest access authentication
Https://en.wikipedia.org/wiki/Digest_access_authentication
Digest access authentication is one of the Agreed-upon methods a Web server can use to negotiate credentials, suc H as username or password, with a user ' s web browser. This can is used to confirm the identity of a user before sending sensitive information, such as online banking transactio N history. It applies a hash function to the username and password before sending them over the Network. In contrast, basic access authentication uses the easily reversible BASE64 encoding instead of encryption, making it non-s Ecure unless used in conjunction with SSL.
technically, Digest Authentication is a application of MD5 cryptographic hashing with usage of the nonce values to prevent re Play Attacks. It uses the HTTP Protocol.
Authentication
Https://en.wikipedia.org/wiki/Authentication
authentication (from Greek: α?θεντικ?ς authentikos , "real, genuine", Fromα?θ?ντης authentes , "author") is the act of confirming the truth of a attribute of a, and piece of data ( A datum) claimed true by an Entity. In contrast with identification which refers to the act of stating or otherwise indicating a claim purportedly attesting t o a person or Thing's identity, authentication is the process of actually confirming that Identity. It might involve confirming the identity of a person by validating their identity documents, verifying the authenticity of A website with a digital certificate,[ 1] determining the age of an artifact by carbon dating, or ensuring that a product was what it packaging and labeling Clai M to Be. In other words, authentication often involves verifying the validity of least one form of Identification.
Certification is the process of determining Identity.
Identification (psychology)
Https://en.wikipedia.org/wiki/Identification_%28psychology%29
identification is a psychological process whereby the subject assimilates an aspect, property, or attribute of th e Other and was transformed, wholly or partially, by the model of the other Provides. It is by means of a series of identifications, the personality is constituted and specified. The roots of the concept can is found in Freud ' s writings. The three most prominent concepts of identification as described by Freud are:primary identification, narcissistic (secon Dary) identification and partial (secondary) Identification. [1]
While "in the psychoanalytic literature there are agreement that core meaning of identification are simple-to Be-like Or to become like another ", it had also been adjudged '" the most perplexing clinical/theoretical area "in Psychoanalysis '. [2]
Authorization
Https://en.wikipedia.org/wiki/Authorization
'Authorization' is the function of specifying access rights to resources related to information security and comp Uter security in general and to access control in Particular. More formally, ' to authorize ' is-define an access Policy. For example, human resources staff are normally authorized to access employee records and this policy is usually formalized As access control rules in a computer system. During operation, The system uses the access control rules to decide whether access requests from (authenticated) consumer s shall be approved (granted) or disapproved (rejected). Resources include individual files or an item ' s data, computer programs, computer devices and functionality provided by CO Mputer Applications. Examples of consumers is computer users, computer softwares and other Hardware on the Computer.
Authorization is the assignment of resources to different user roles prior to Authentication.
Digest message detailed
http://blog.csdn.net/andrewpj/article/details/45727853
Server verifies user identity
The server receives the Client's HTTP request (INVITE), and if the server requires digest authentication, it needs to generate a digest cross-examine (digest challenge), giving the client a 401 by response The unauthorized status is sent to the User.
Summary cross-examination as shown in the Www-authenticate header in Figure Ii:
The meanings of each parameter in the cross-examination are as Follows:
Realm: required, must be in all Cross-examination. It is the purpose of identifying the secret in the SIP Message. In Real-world applications, It is usually set to the domain name that the server is responsible for.
Nonce (current): required, This is the data string specified by the server, each time the server produces a digest cross-examination, this parameter is different (and the previous results will not be the same). A nonce is usually constructed from some data through a MD5 hash operation. Such data typically includes the time identifier and the Server's secret Phrase. Make sure that each nonce has a limited lifetime (I.E. it will expire after some time and will never be used in the Future) and is unique (that is, No other server can produce the same nonce).
Stale: not required, a flag that indicates that the Client's previous request was rejected due to its nonce value Expiration. If stale is true (case sensitive), the client may want to re-make the request with a new cryptographic response without bothering the user with a new user name and Password. Server-side only if the requested Nonce value is not valid, and the nonce corresponding to the digest (digest) is a legitimate case (that is, the client knows the correct username/password), in order to set stale to true Value. If stale is false or other non-true value, or its stale domain does not exist, the user name, password is illegal, and requires a new value to be Entered.
Opaque (not Transparent body): required, This is an opaque (not let outsiders know what it MEANS) data string, which is sent to the user in Cross-examination.
Algorithm (algorithm): not required, This is the algorithm used to compute the HASH. Only the MD5 algorithm is currently Supported.
Qop (quality of protection): required, This parameter specifies which protection scheme the server Supports. The client can select one from the List. The value "auth" means only the identification, "auth-int" means the inspection, there are some integrity Protection. To see a more detailed description, see RFC2617.
- Client Feedback User Identity
The client generates a generate digest response (digest Response) and sends it to the server again via HTTP request (INVITE (withink digest)).
The summary response is shown in the Authenticate header in Figure Iii:
Each parameter in the summary response has the following meanings:
- Username: No More Explaining.
- Realm: need to be consistent with the realm of server interrogation
Nonce: The client uses this "current" to generate a digest response (digest response), which needs to be consistent with the nonce that is carried in the server interrogation, so that the server receives the "current" content in a digest response. The server checks the validity of the "present" before it checks the other parts of the summary response.
thus, The nonce is essentially an identifier that ensures that the digest secret received is from a particular digest. It also limits the lifetime of the digest interrogation to prevent future replay attacks.
Qop: how the client chooses to protect it.
NC (current counter): This is a 16 binary value, that is, the number of requests sent by the client (including the current request), these requests are used in the current request this "current" Value. For example, for a given "current" value, in the first request of the response, the client sends "nc=00000001". The purpose of this indicator is to have the server keep a copy of this counter in order to detect duplicate Requests. If the same value is seen two times, the request is Repeated.
Response: This is a string computed by the user agent software to prove that the user knows the Password. For example, it can be generated using MD5 encryption via username, password, http method, uri, and nonce, qop, etc.
Cnonce: This is also an opaque string value that is provided by the client and used by both the client and the server to avoid clear Text. This allows both parties to verify the identity of each other and provide some protection for the integrity of the Message.
Uri: This parameter contains the URI that the client wants to Access.
- Server confirms that the user
Confirm that the user is composed mainly of two parts:
- Check the validity of the nonce
- Check the other information in the digest response, such as server can generate a response value based on the same algorithm as the client, and compare it to the response that is passed by the Clients.
Http://www.cnblogs.com/jcli/archive/2012/12/11/2812459.html
The digest process is the same as above, except that the challenge and digest have different generation Algorithms.
- In the browser request: http://localhost:8080/index.html
- The server returns the 401 (unauthentication) code, with a header containing challenge, in the following format: www-authenticate Digest realm= "Admin all", qop= "auth", nonce= " 1354760194666:4465c7b1921b6d769fd359e5152c453f ", opaque=" ee9c283e89afb63e7ff6e2c04c524807 "
- The browser adds MD5 encoded information to the request header to request the resource in 1 again, if the username is tomcat and the password is tomcat, the header information is generated: Authorization Digest username= "tomcat", realm= "Admin All ", nonce=" 1354760194666:4465c7b1921b6d769fd359e5152c453f ", uri="/web/index.html ", response=" 8d30e6438636fe21c6045246dd034372 ", opaque=" ee9c283e89afb63e7ff6e2c04c524807 ", qop=auth, nc=00000001, cnonce=" 9201a828891792b9 "
- Request the resources in 1 again with the request header information computed in 3
- Server verifies user password legitimacy with the same algorithm (base64) in 3
- return Resources for Index.html
Linux installation Apache httpd configuration Digest
Http://www.cnblogs.com/rainisic/archive/2012/05/23/Linux_Apache2_4_Install.html
Installing Apache under Linux 2.4
http://blog.jobbole.com/41519/
Step 1: Create a password file
Grammar:
<textarea class="crayon-plain print-no" style="-moz-tab-size: 4; font-size: 13px ! important; line-height: 15px ! important; z-index: 0; opacity: 0;" readonly="" data-settings="dblclick">htdiget [-c] Passwordfile Realm Username/usr/local/apache/bin>/htdigest-c/data/www/auth/digest/"digest Encrypt "lengwaadding password for Lengwa in realm" Digest Encrypt ". New Password:re-type New Password:</textarea>
123456 |
htdiget [-C] passwordfile Realm username /usr/local/apache/bin > . /htdigest -c /data/ www/auth/digest/ "digest Encrypt" Span class= "crayon-h" > lengwa Adding password for lengwa in realm "Digest Encrypt" . New password: Re-type new password: |
-c = Create File
General add do not use the-c option because it overwrites existing Files.
Set file ownership and permissions (root can read and write, Apache Group can Only)
<textarea class="crayon-plain print-no" style="-moz-tab-size: 4; font-size: 13px ! important; line-height: 15px ! important; z-index: 0; opacity: 0;" readonly="" data-settings="dblclick">/data/www/auth/digest/> ls-l-rw-r-----1 root httpd ... user.txt</textarea>
12 |
/data/www/auth/digest/ > ls -l -rw-r----- 1 root httpd . . user. TXT |
User.txt format: lengwa:digest encrypt:d95ea4412b0fb517b25c4c46f32e5a2b
Step2: Configuring httpd.conf
<textarea class="crayon-plain print-no" style="-moz-tab-size: 4; font-size: 13px ! important; line-height: 15px ! important; z-index: 1; opacity: 1; height: 145px;" readonly="" data-settings="dblclick"><directory "/data/www/auth/digest" > Options Indexes followsymlinks authtype Digest authname "digest ENC Rypt "//note that the authname here must be the same as the above realm (while basic validation can be different). Otherwise you cannot enter the correct user password to pass the authentication Authdigestprovider file Authuserfile/data/www/auth/digest/user.txt require Valid-user</di Rectory></textarea>
12345678 |
<Directory "/data/www/auth/digest"> Options Indexes followsymlinks authtype Digest authname "Digest Encrypt" //note that the authname here and the realm above must be the same (and basic validation can be different). otherwise you enter the correct user password Unable to pass certification authdigestprovider file authuserfile /data/www/auth/digest/user. TXT require valid-user </Directory> |
Now the verification environment based on Digest is set up.
Note: in Basic Validation. I used The. htaccess and I didn't use it in digest Verification. Just for the personal needs. You can configure them to suit your needs.
http://liwei521930.blog.163.com/blog/static/515217082010112462152253/
There are so library dependencies, configuration httpd.conf
Digest authentication relies on cookie to identify the client
http://itangqi.me/2016/04/07/the-notes-of-learning-illustrating-http-three/
Forms-based authentication requires that a cookie be relied upon to identify the user in the client, into:
Relying on cookie to identify the client is a limitation, whether Digest authentication can avoid this limitation?
Analysis Digest authentication, in which the nonce seems to be used as a session id, such as the Nonce.
The principle is feasible, but after grasping packet analysis, the nonce value is not logged in, each access url, the nonce value of the response is changed, if the nonce as session id, then not logged in when the attack access scene, set up a lot of sessions, resulting in the background of the Gray is easily full.
Cookie SID as the session Id:
1, the separation of authentication and speech, the responsibility is clear. The Authentication method digest form basic and is only responsible for Authentication. The session is also managed by a cookie Sid.
2, the use of cookies to identify users, will not produce the above description, the session is not access to the message attack, resulting in a full situation.
First-time nonce:
Second Nonce:
Experiment
Access resources for the first time:
Second access to resources, like nonce, but authorization information response different:
HTTP Login Digest Authentication related knowledge