WebAPI Interface Security Authentication: HTTP Digest Authentication

Source: Internet
Author: User

Digest access authentication is a method a web server can use to negotiate credentials with a web browser. It applies a hash function to the password before it is sent, which is more secure than HTTP Basic authentication, where the password travels in clear text. Technically, Digest authentication is an application of the MD5 cryptographic hash function that uses nonces (random values) to prevent replay attacks. It runs over the HTTP protocol.

First, the basic flow of Digest authentication:

1. Client request (without credentials)

    GET /dir/index.html HTTP/1.0
    Host: localhost

2. Server response
The server returns a 401 Unauthorized status together with a WWW-Authenticate header that names the authentication scheme, Digest, and carries the parameters realm, qop, nonce and opaque, where:
Digest: the authentication scheme;
realm: the protection domain. This parameter is mandatory and must be present in every challenge; it identifies the protection space the credentials apply to. In SIP applications it is usually set to the domain name that the SIP proxy server is responsible for;
qop: quality of protection. This parameter lists the protection schemes the server supports, and the client selects one from the list. The value "auth" means authentication only; "auth-int" means authentication with integrity protection of the message body. See RFC 2617 for a more detailed description;
nonce: a server-generated random value that is used in the following requests until it expires, after which the server generates a new nonce;
opaque: an opaque data string (its meaning is not known to outsiders) that the server sends to the client in the challenge.

    HTTP/1.0 401 Unauthorized
    Server: HTTPD/0.9
    Date: Sun, 10 Apr 2005 --:--:-- GMT
    WWW-Authenticate: Digest realm="testrealm@host.com",
                      qop="auth,auth-int",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      opaque="5ccc069c403ebaf9f0171e9517f40e41"
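As an added example (not code from the original page), the following Python shows how a server can build this challenge. The nonce is constructed the way RFC 2617 section 3.2.1 suggests, a timestamp plus a keyed hash over it, so the server can later check that a nonce is its own and not expired without keeping a list of issued nonces. The server key, the 300-second lifetime and the HMAC-SHA256 choice of hash are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for the example: a real server keeps this key private and rotates it.
SERVER_KEY = b"example-private-key-not-for-production"
REALM = "testrealm@host.com"   # realm from the RFC 2617 example used on this page
NONCE_LIFETIME = 300           # assumed maximum nonce age in seconds


def make_nonce(key: bytes, timestamp: int, etag: str = "") -> str:
    """RFC 2617 (3.2.1) suggests nonce = time-stamp H(time-stamp ":" ETag ":" private-key).
    Here H is HMAC-SHA256 keyed with the server key, which lets the server verify that a
    nonce is genuine and measure its age without storing the nonces it has issued."""
    tag = hmac.new(key, f"{timestamp}:{etag}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{timestamp}:{tag}".encode()).decode()


def nonce_is_valid(nonce: str, key: bytes, now: int,
                   max_age: int = NONCE_LIFETIME, etag: str = "") -> bool:
    """Server-side check: the nonce must decode, carry a valid tag, and not be expired."""
    try:
        ts_text, tag = base64.b64decode(nonce).decode().split(":", 1)
        timestamp = int(ts_text)
    except ValueError:          # bad base64, bad UTF-8, missing ':' or non-numeric timestamp
        return False
    expected = hmac.new(key, f"{timestamp}:{etag}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False            # not issued by this server (or the key has been rotated)
    return 0 <= now - timestamp <= max_age


def build_challenge(key: bytes, now: int, realm: str = REALM,
                    qop: tuple = ("auth", "auth-int")) -> tuple:
    """Return the WWW-Authenticate header value for the 401 response together with the
    nonce and opaque values it carries. opaque is random and is echoed back by the client."""
    nonce = make_nonce(key, now)
    opaque = secrets.token_hex(16)
    header = (f'Digest realm="{realm}", qop="{",".join(qop)}", '
              f'nonce="{nonce}", opaque="{opaque}"')
    return header, nonce, opaque


if __name__ == "__main__":
    now = int(time.time())
    header, nonce, opaque = build_challenge(SERVER_KEY, now)
    print("HTTP/1.0 401 Unauthorized")
    print("WWW-Authenticate:", header)
    print("nonce valid 10 s later:", nonce_is_valid(nonce, SERVER_KEY, now + 10))
    print("nonce valid after lifetime:",
          nonce_is_valid(nonce, SERVER_KEY, now + NONCE_LIFETIME + 1))
```

Because the nonce carries its own timestamp and tag, an expired or forged nonce is rejected at the challenge-validation step, before any password hashing is done; the nonce count (nc) handled in step 3 is what catches reuse of a nonce that is still within its lifetime.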

3. Client request (username "Mufasa", password "Circle Of Life")
After receiving the challenge, the client performs the hash computation and sends back an Authorization header with the following parameters:
realm, nonce, qop: generated by the server;
uri: the URI the client wants to access;
nc: nonce count, a hexadecimal value giving the number of requests (including the current one) the client has sent using the current nonce value. For example, in the first request sent in response to a given nonce, the client sends nc=00000001. The purpose of this value is to let the server keep a copy of the counter in order to detect replayed requests: if the same value is seen twice, the request is a replay;
cnonce: client nonce, an opaque string chosen by the client and used by both client and server to avoid chosen-plaintext attacks; it lets the two parties authenticate each other and gives some protection for message integrity;
response: a string computed by the user-agent software to prove that the user knows the password.

Response calculation:

    HA1 = MD5(A1) = MD5(username:realm:password)

    If the qop value is "auth" or is not specified:
        HA2 = MD5(A2) = MD5(method:digestURI)
    If the qop value is "auth-int":
        HA2 = MD5(A2) = MD5(method:digestURI:MD5(entityBody))

    If the qop value is "auth" or "auth-int":
        response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)
    If qop is not specified:
        response = MD5(HA1:nonce:HA2)

Request header:

    GET /dir/index.html HTTP/1.0
    Host: localhost
    Authorization: Digest username="Mufasa",
                   realm="testrealm@host.com",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                   uri="/dir/index.html",
                   qop=auth,
                   nc=00000001,
                   cnonce="0a4f113b",
                   response="6629fae49393a05397450978507c4ef1",
                   opaque="5ccc069c403ebaf9f0171e9517f40e41"

4. Server response
When the server receives the Digest response, it recomputes the response value itself, using the parameter values supplied by the client and the password stored on the server. If the computed result equals the response value received from the client, the client has proven that it knows the password, and authentication succeeds.

    HTTP/1.0 200 OK
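The computation of step 3 and the server-side check of step 4, worked through in Python as an added example (not code from the original page): the client assembles the Authorization header from the RFC 2617 example values shown above, and the server recomputes the response from the stored password, compares it in constant time, and tracks the nonce count so that a captured header cannot simply be sent again. The password is spelled "Circle Of Life" as in RFC 2617; the credential store, the fixed opaque check and the replay bookkeeping are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Values from the RFC 2617 example exchange shown on this page.
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
OPAQUE = "5ccc069c403ebaf9f0171e9517f40e41"
# Constructed credential store for the example; RFC 2617 spells the password "Circle Of Life".
USERS = {"Mufasa": "Circle Of Life"}

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; keys lower-cased, values kept as sent."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    return md5_hex(f"{username}:{realm}:{password}")


def compute_ha2(method: str, uri: str, qop=None, entity_body: bytes = b"") -> str:
    # auth-int binds a hash of the entity body; auth (or no qop) covers method and URI only.
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{hashlib.md5(entity_body).hexdigest()}")
    return md5_hex(f"{method}:{uri}")


def compute_response(ha1: str, nonce: str, ha2: str, qop=None, nc=None, cnonce=None) -> str:
    if qop in ("auth", "auth-int"):
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")        # older form used when no qop was negotiated


def build_authorization(username, password, realm, nonce, uri, method="GET", qop="auth",
                        nc="00000001", cnonce="0a4f113b", opaque=OPAQUE, entity_body=b"") -> str:
    """Client side: compute the response and assemble the Authorization header value."""
    ha1 = compute_ha1(username, realm, password)
    ha2 = compute_ha2(method, uri, qop, entity_body)
    response = compute_response(ha1, nonce, ha2, qop, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{response}", opaque="{opaque}"')


class DigestVerifier:
    """Server side: recompute the response from the stored password and compare it in
    constant time; remember the highest nc accepted per nonce so a replayed header fails."""

    def __init__(self, users: dict, realm: str):
        self.users = users
        self.realm = realm
        self.highest_nc = {}    # nonce -> highest nonce count accepted so far

    def verify(self, method: str, authorization: str, entity_body: bytes = b"") -> bool:
        try:
            p = parse_digest_header(authorization)
        except ValueError:
            return False
        if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
            return False
        if p["realm"] != self.realm or p.get("opaque") != OPAQUE:
            return False        # a real server compares opaque with the value it issued
        password = self.users.get(p["username"])
        qop = p.get("qop")
        if password is None or qop not in (None, "auth", "auth-int"):
            return False
        if qop is not None and ("nc" not in p or "cnonce" not in p):
            return False
        ha1 = compute_ha1(p["username"], p["realm"], password)
        ha2 = compute_ha2(method, p["uri"], qop, entity_body)
        expected = compute_response(ha1, p["nonce"], ha2, qop, p.get("nc"), p.get("cnonce"))
        if not hmac.compare_digest(expected, p["response"].lower()):
            return False        # wrong password, wrong method/URI, or tampered body
        if qop is not None:
            try:
                nc = int(p["nc"], 16)
            except ValueError:
                return False
            if nc <= self.highest_nc.get(p["nonce"], 0):
                return False    # replay: this nc (or a later one) was already accepted
            self.highest_nc[p["nonce"]] = nc
        return True


if __name__ == "__main__":
    auth = build_authorization("Mufasa", "Circle Of Life", REALM, NONCE, "/dir/index.html")
    print("Authorization:", auth)
    server = DigestVerifier(USERS, REALM)
    print("first request accepted:", server.verify("GET", auth))
    print("same header replayed:", server.verify("GET", auth))
```

With the page's values the client computes response="6629fae49393a05397450978507c4ef1", the value carried in the request header above. Note that the server needs the clear-text password (or the precomputed HA1) to verify; storing HA1 per realm is the usual compromise, and is also why the realm must not change once credentials are stored.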

Second, server-side verification

Writing a custom message handler

