1 Basic Authentication Herng-Yow Chen. 2 Outline Explains HTTP authentication Delve into the most...

Post on 17-Dec-2015


1

Basic Authentication

Herng-Yow Chen

2

Outline

Explains HTTP authentication.

Delves into the most common form of HTTP authentication, basic authentication.

The next lecture explains a more powerful technique called digest authentication.

3

Authentication

Authentication means showing some proof of your identity, that is, some proof that you are who you claim to be.

HTTP provides a native challenge/response framework to make it easy to authenticate users.

4

Simplified challenge/response authentication

Request (client to server, over the Internet): "Please give me the internal sales forecast."

Challenge (server to client): "You requested a secret financial document. Please tell me your username and password." (The client asks the user for a password.)

Authorization (client to server): "Please give me the internal sales forecast. Here is my username and password: '******'."

Success (server to client): "OK. You have access rights. Here is the document."

5

Authentication Protocols and Headers

Phase          Header                 Method/Status
Request        (none)                 GET
Challenge      WWW-Authenticate       401 Unauthorized
Authorization  Authorization          GET
Success        Authentication-Info *  200 OK

Four phases of authentication (* the Authentication-Info header is optional)

If the secret credentials don’t match, the server can challenge the client again or generate an error.

6

Basic authentication example (messages between client and server)

(a) Client request:
    GET /family/jeff.jpg HTTP/1.0

(b) Server challenge:
    HTTP/1.0 401 Authorization Required
    WWW-Authenticate: Basic realm="Family"

(c) Client authorization:
    GET /family/jeff.jpg HTTP/1.0
    Authorization: Basic Ydre3lkL56H7gdffvh

(d) Server success:
    HTTP/1.0 200 OK
    Content-type: image/jpeg
    ...
    <image data included>

7

Security realms in a web server

server document tree:

/
  family/                  (Family realm)
    jeff.jpg
    brian.jpg
  index.html
  corporate/
    press/
      pr1.html
      pr2.html
    financials/            (Corporate financials realm)
      sales-forecast.xls

8

Basic authentication headers

Challenge/Response             Header
Challenge (server to client)   WWW-Authenticate: Basic realm=quoted-realm
Response (client to server)    Authorization: Basic base64-username-and-password

9

Base-64 Username/Password Encoding

(a) Prompt for username and password: username "brian-totty", password "Ow!"

(b) Pack username and password with a colon: brian-totty:Ow!

(c) Base-64 encode: BASE64ENC(brian-totty:Ow!) = YnJpYW4tdG90dHk6T3ch

(d) Send authorization (client to server):
    GET /family/jeff.jpg HTTP/1.0
    Authorization: Basic YnJpYW4tdG90dHk6T3ch

10

Base-64 Encoding

Takes a sequence of 8-bit bytes and segments the bit stream into 6-bit chunks; each 6-bit chunk is written as one character of the alphabet below.

Base-64 alphabet: 64 characters: A-Z, a-z, 0-9, +, /

The 65th character, =, is used for padding.

http://www.freesoft.org/CIE/RFC/2065/56.htm

http://tw2.php.net/base64_encode

11

Proxy authentication

Authentication can also be done by intermediary proxy servers.

Some organizations use a proxy server to authenticate users before letting them access servers, LANs, and wireless networks.

Proxy servers can be a convenient way to provide unified access control across an organization's resources, because access policies can be centrally administered on the proxy server.

The first step in this process is to establish the user's identity via proxy authentication.

12

Web server versus proxy authentication

                           Web server            Proxy server
Unauthorized status code   401                   407
Challenge header           WWW-Authenticate      Proxy-Authenticate
Response header            Authorization         Proxy-Authorization
Info header                Authentication-Info   Proxy-Authentication-Info

13

The security flaws of basic authentication

Base-64 encoding only obscures the username and password; it does not encrypt them in any secure form, so anyone who can read the Authorization header can decode the credentials.
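The encoding steps from slides 9 and 10 and the flaw stated on this slide, as an added Python example that is not part of the original lecture. It builds the Authorization header for the lecture's sample credentials (brian-totty / Ow!), parses the slide-8 challenge form, and shows that the credentials come straight back out of the header with a single Base-64 decode; the function names are my own.

```python
import base64
import re

# Constructed sample, taken from the lecture's slide-9 figure.
USERNAME = "brian-totty"
PASSWORD = "Ow!"


def basic_credentials(username: str, password: str) -> str:
    """Steps (b) and (c): pack 'user:pass', then Base-64 encode the bytes."""
    if ":" in username:  # RFC 2617: the user-id may not contain a colon
        raise ValueError("username must not contain ':'")
    packed = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(packed).decode("ascii")


def authorization_header(username: str, password: str) -> str:
    """Step (d): the header line the client adds to its retried request."""
    return f"Authorization: Basic {basic_credentials(username, password)}"


def parse_challenge(header_value: str) -> tuple[str, str]:
    """Parse a WWW-Authenticate value such as 'Basic realm="Family"' into
    (scheme, realm). Only the quoted-realm form shown on slide 8 is handled."""
    m = re.fullmatch(r'\s*(\S+)\s+realm="([^"]*)"\s*', header_value)
    if not m:
        raise ValueError(f"unsupported challenge: {header_value!r}")
    return m.group(1), m.group(2)


def decode_credentials(header_value: str) -> tuple[str, str]:
    """Slide 13 in code: one Base-64 decode recovers the password, no key needed.
    Split on the FIRST colon only, so passwords containing ':' survive."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: no colon")
    return user, password


if __name__ == "__main__":
    scheme, realm = parse_challenge('Basic realm="Family"')
    header = authorization_header(USERNAME, PASSWORD)
    print(f"challenge: scheme={scheme} realm={realm}")
    print(header)  # Authorization: Basic YnJpYW4tdG90dHk6T3ch
    print(decode_credentials(header.split(": ", 1)[1]))  # ('brian-totty', 'Ow!')
```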

14

For More Information

http://www.ietf.org/rfc/rfc2617.txt "HTTP Authentication: Basic and Digest Access Authentication"

http://www.ietf.org/rfc/rfc2616.txt "Hypertext Transfer Protocol -- HTTP/1.1"