Web Authentication mode: Basic & Digest

I. HTTP Basic

After the client connects the user name and password with ":", the ciphertext is sent to the server by BASE64 encryption via the authorization request header, and each request needs to be sent repeatedly. The Basic authentication process is simple and the security is low, and there are many other security issues that reveal personal account information . The following is a schematic demonstration only and does not represent the actual situation:

1. The client requests data from the server:

   get/http/1.1
   Host:www.myrealm.com

2. The server sends a validation request to the client 401:

   http/1.1 401 Unauthorised
   server:bfe/1.0.8.18
   Www-authenticate:basic realm= "Myrealm.com"
   content-type:text/html; Charset=utf-8

3. After the client receives a 401 return value, a login window will automatically pop up waiting for the user to enter the user name and password
4. The "User name: Password" is BASE64 encrypted and sent to the service side for verification:

   get/http/1.1
   Host:www.myrealm.com
   Authorization:basic xxxxxxxxxxxxxxxxxxxxxxxxxxxx

5. The service side takes out the authorization request header information to decrypt, and compares with the user database to judge whether the legality, the legal will return the OK, as to whether sends Authentication-info the head is optional

1<?PHP2   if(!isset($_server[' Php_auth_user '])) {3     Header(' Www-authenticate:basic realm= ' My Realm ');4     Header(' http/1.0 401 Unauthorized ');5     Echo' Text to send if user hits Cancel button ';6     Exit;7}Else {8     Echo"<p>hello {$_server[' Php_auth_user ']}. </p> ";9     Echo"<p>you entered {$_server[' PHP_AUTH_PW ']} As your password.</p> ";Ten}

Two. Digest Certification

Digest certification is designed to address many of the flaws in basic certification, and user passwords are a key element throughout the certification process.

　　Digest Authentication Header example sent to the server and the meaning of each field : ThePHP Official document sent Www-authenticate header between the fields with a space, under Chrome will not pop up the authentication dialog box, should be replaced by "," or " , "

Www-authenticate:digest realm= "Restricted area", qop= "Auth,auth-int", nonce= "58e8e52922398", opaque= " Cdce8a5c95a1427d74df7acbf41c9ce0 ", algorithm=" MD5 "

• www-authenticate: Authentication Header sent by the server
• Qop: Quality assurance, the list of authentication algorithms that are used in the summary challenge to inform the client service side of the support, and its value can be auth or auth-int,auth-int contains integrity checks for entity principals, Qop undefined defaults to auth
• nonce: A one-time random number generated by the server for client-side acknowledgement by the server to prevent replay attacks. RFC2617 recommends using this random number formula: Nonce = BASE64 (Time-stamp MD5 (time-stamp ":" ETag ":" Private-key) ", the server can determine the validity of this nonce,ETag (The entity Tag of the URL, in CGI programming usually need to generate the ETag and identification, to indicate whether the URL object is changed, distinguish between different languages, sessions, cookies, etc.) can prevent the updated resource version (not updated invalid, therefore need to consider time freshness) Replay request , Private-key is private to the server
• Opaque: This is an opaque (not let outsiders know the meaning) data string, sent to the client in cross-examination, the client will send the data string back to the server. If you need to maintain some state between the server and the client, you can use this parameter to transfer the status to the client.
• algorithm: Abstract algorithm, currently supports only MD5

　　The Digest Authentication Header instance sent by the client and the meaning of each field are explained:

Authorization:digest username= "Somename", realm= "Restricted area", nonce= "58e8e52922398", uri= "/t.php", response= " 9c839dde909d270bc5b901c7f80f77d5 ", opaque=" Cdce8a5c95a1427d74df7acbf41c9ce0 ", qop=" auth ", nc=00000001, cnonce=" 9c30405c3a67a259 "

• cnonce: A one-time random number generated by the client for client acknowledgement of the server
• NC: Allows the server to detect duplicate requests by maintaining the number of requests. If the same NC is present in two requests, then the two requests are repeated requests. therefore, in addition to the Nonce, NC is the last guarantee for preventing replay attacks .
• authorization-info: (slightly, here contains nextnonce, Rspauth response summary, etc.)

　　The following is the algorithm description:

2. H (v1) = MD5 (v1), V1 MD5 encoded
4. KD (v1, v2) = MD5 (v1:v2) V1 encode v2 and MD5 with a colon ":" After connection
6. A1 represents a block of data containing security information, a1= (user):(realm):(password)
8. QoP (Protection quality), set protection for data that does not contain security information, Optional: Auth, Auth-int
10. A2 represents a block of data that does not contain security information, as determined by the Qop value:

    A) Qop=auth or undefined, a2= (request-method): (uri-directive-value) b) Qop=auth-int, a2= (Request-method): ( Uri-directive-value): H ((Entity-body))

12. Old Digest algorithm: compatible with RFC2069, when no qop option is used

    KD (H (A1), (nonce): H (A2)) = MD5 (MD5 (A1): (nonce): MD5 (A2)) = MD5 (MD5 (user): (realm): (password)): (nonce): MD5 ((requ Est-method): (Uri-directive-value)))

14. New Digest algorithm: The new summarization algorithm is the recommended method, which includes the support of random number calculation and symmetric authentication. As long as Qop is auth or auth-int, use this method

    KD (H (A1), (nonce): (NC): (cnonce): (QOP): H (A2)) = MD5 (MD5 (A1): (nonce): (NC): (cnonce): (QOP): MD5 (A2)) = MD5 (MD5 ( (user): (realm): (password)): (nonce): (NC): (cnonce): (QOP): MD5 ((Request-method): (uri-directive-value): MD5 ((E ntity-body))))

Web Authentication mode: Basic & Digest