1

Basic Authentication

Herng-Yow Chen

2

Outline Explains HTTP authentication Delve into the most common form of

HTTP authentication, basic authentication.

The next lecture explains a more powerful techniques called digest authentication.

3

Authentication

Authentication means showing some proof of your identification, actually some proof that you claim to be.

HTTP provides a native challenges / response framework to make it easy to authenticate users.

4

Simplified challenge/response Authentication

serverclient

InternetRequestPlease give me the internal sales forecast.

serverclient

InternetChallenge

You requested a secretFinancial document.Pleasetell me your username and password

serverclient

InternetAuthorization

Please give me the internal sales forecast.Here is my username andPassword:”******”

serverclient

InternetSuccess

OK.You have access right.Here is the document.

(Ask user for password)

5

Authentication Protocols and Headers

Phase Header Method/Status

Request GET

Challenge WWW-Authenticate 401 Unauthorized

Authorization Authorization GET

Success Authorization-Info * 200 OK

Four phases of authentication

If the secret credentials don’t match, the server can challenge the client again or generate an error.

6

Basic authentication example

serverclientGET /family/jeff.jpg HTTP/1.0

HTTP/1.0 401 Authorization requiredWWW-Authenticate: Basic realm=“Family”

GET /family/jeff.jpg HTTP/1.0Authenticate: Basic Ydre3lkL56H7gdffvh

HTTP/1.0 200 OKContent-type: img/jpeg…<image data included>

(a)

(b)

(c)

(d)

7

Security realms in a web server

server

/

Jeff.jpg brian.jpg

familyIndex.htmlcorporate

financialspress

pr1.html pr2.html Sales-forecast.xls

Family realm

Corporate financials realm

8

Basic authentication headers

Challenge/Response

Header

Challenge (server to client)

WWW-Authenticate: Basic realm=Quoted-realm

Response (client to server)

Authorization: Basic base64-username-and-password

9

Base-64 Username/Password Encoding

username

passwd!(a) Prompt for username and password

(b) Pack username and password with colon

(c) Base 64 encode

(d) Send authorization

Brian-tootyOw! Brian-tooty:Ow!

BASE64ENC(brian-totty:Ow!) YnJpYW4tdG90Hk6T3ch

serverclient

GET /family/jeff.jpg HTTP/1.0Authorization: Basic YnJpYW4tdG90Hk6T3ch

10

Base-64 Encoding

Takes a sequence of 8-bit bytes and segments the bit streams into 6-bit chunks.

Base-64 alphabet 64 alphabets: A-Z, a-z, 0-9, +, /

The 65th alphabet = for padding http://www.freesoft.org/CIE/RFC/2065

/56.htm http://tw2.php.net/base64_encode

11

Proxy authentication

Authentication also can be done by intermediary proxy servers.

Some organizations use proxy server to authenticate users before letting them access servers, LANs, and wireless network.

Proxy servers can be a convenient way to provide unified access control across an organization’s resources, because access policies can be centrally administered on the proxy server.

The first step in this process is to establish the identify via proxy authentication.

12

Web server versus proxy authentication

Web server Proxy serverUnauthorized status code:401

Unauthorized status code:407

WWW-Authenticate Proxy-Authenticate

Authenticate Proxy-Authenticate

Authenticate-Info Proxy-Authenticate-Info

13

The security flaws of basic authentication

Base-64 encoding just obscures the username and password but encrypts them in a secure form.

14

For More Information

http://www.ietf.org/rfc/rfc2617.txt “HTTP Authentication: Basic and Digest

Access Authentication” http://www.ietf.org/rfc/rfc2616.txt

“Hypertext Transfer Protocol -- HTTP/1.1”