Friday, May 23, 2014

HTTP The Definitive Guide (Basic Authentication)

Basic Authentication
Authentication
HTTP’s Challenge/Response Authentication Framework

Authentication Protocols and Headers
HTTP defines two official authentication protocols: basic authentication and digest authentication. Both run on the same challenge/response framework: the server rejects an unauthenticated request with a 401 Unauthorized response carrying a WWW-Authenticate header that names the scheme and the realm, and the client resends the request with an Authorization header carrying its credentials.


Security Realms
Web servers group protected documents into security realms. Each security realm can have different sets of authorized users, and the realm is sent to the client as the realm directive of the WWW-Authenticate challenge.
A realm should have a descriptive string name, like “Corporate Financials,” to help the user understand which username and password to use. It may also be useful to list the server hostname in the realm name--for example, “executive-committee@bigcompany.com”.

Basic Authentication
The HTTP basic authentication WWW-Authenticate and Authorization headers are summarized in Table 12-2. The challenge has the form WWW-Authenticate: Basic realm="realm-name"; the response has the form Authorization: Basic followed by the base-64 encoding of the string username:password (which is why a username may not contain a colon).

Base-64 Username/Password Encoding
In a nutshell, base-64 encoding takes a sequence of 8-bit bytes and breaks the sequence of bits into 6-bit chunks. Each 6-bit piece is used to pick a character in a special 64-character alphabet, consisting mostly of letters and numbers (A-Z, a-z, 0-9, plus “+” and “/”). Every three input bytes become four output characters; a short final group is padded with “=”. Base-64 is an encoding, not encryption: it only keeps the credentials within the printable characters a header may carry, and anyone can reverse it without a key.
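As an added example (mine, not code from the book or from this post), here is the Basic exchange in Python: a hand-rolled base-64 encoder that does the 8-bit-to-6-bit regrouping described above and is checked against the standard library, a parser for the realm in the challenge, and a builder for the Authorization value. The username/password pair "Aladdin" / "open sesame" and the realm strings are illustrative inputs, not anything from the page.

```python
import base64
import re
from typing import Optional

# Standard base-64 alphabet (RFC 4648): 26 upper, 26 lower, 10 digits, '+', '/'
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_encode_manual(data: bytes) -> str:
    """Base-64 as the text describes it: regroup the 8-bit bytes into 6-bit
    chunks and map each chunk to one alphabet character.  Three input bytes
    (24 bits) become four characters; a short final group is zero-filled to a
    6-bit boundary and the output is padded with '=' to a multiple of four."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * ((-len(bits)) % 6)          # zero-fill to a 6-bit boundary
    out = "".join(B64_ALPHABET[int(bits[i:i + 6], 2)]
                  for i in range(0, len(bits), 6))
    out += "=" * ((-len(out)) % 4)            # '=' padding to a multiple of 4
    return out


def base64_matches_stdlib(data: bytes) -> bool:
    """Sanity check: the manual encoder must agree with the standard library."""
    return base64_encode_manual(data) == base64.b64encode(data).decode("ascii")


def parse_basic_challenge(www_authenticate: str) -> Optional[str]:
    """Return the realm from a 'WWW-Authenticate: Basic realm="..."' value,
    or None when the challenge is not a Basic challenge."""
    m = re.match(r'\s*Basic\s+realm="([^"]*)"', www_authenticate, re.IGNORECASE)
    return m.group(1) if m else None


def build_authorization(username: str, password: str) -> str:
    """Build the Authorization value the client sends back:
    the scheme name, a space, and base64('username:password')."""
    if ":" in username:
        # ':' separates user-id from password, so the user-id may not contain it.
        raise ValueError("username must not contain ':'")
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64_encode_manual(credentials)


if __name__ == "__main__":
    # Constructed exchange: the server's challenge and the client's answer.
    challenge = 'Basic realm="Corporate Financials"'
    print("realm:", parse_basic_challenge(challenge))
    print("Authorization:", build_authorization("Aladdin", "open sesame"))
```

The realm parser is deliberately strict (a quoted realm only); a production client would also accept the charset parameter and unquoted tokens, but the point here is the shape of the exchange, not full header grammar.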


Proxy Authentication
Authentication also can be done by intermediary proxy servers. The exchange is the same, with different status code and headers: the proxy answers 407 Proxy Authentication Required with a Proxy-Authenticate challenge, and the client retries with a Proxy-Authorization header, so proxy and origin credentials do not collide.
The Security Flaws of Basic Authentication
Consider the following security flaws:

  • Basic authentication sends the username and password across the network in a form that can trivially be decoded: base-64 is an encoding, not encryption, and anyone who can read the traffic can read the credentials.
  • Even if the password were encoded in a scheme that was more complicated to decode, a third party could still capture the garbled username and password and replay them to origin servers over and over again to gain access. The header carries no nonce or timestamp, so no effort is made to prevent these replay attacks.
  • Even if basic authentication is used only for noncritical applications, such as corporate intranet access control or personalized content, social behavior makes this dangerous: people reuse passwords, so a password captured from a low-value site often unlocks higher-value accounts elsewhere.
  • Basic authentication offers no protection against proxies or intermediaries that act as middlemen, leaving the authentication headers intact but modifying the rest of the message to dramatically change the nature of the transaction; nothing binds the credentials to the request they travel with.
  • Basic authentication is vulnerable to spoofing by counterfeit servers: a user who cannot tell a fake server from the real one will hand it a valid password in the clear.
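To make the first two flaws concrete, an added example (mine, not the book's or this post's) in Python: it "decodes" a constructed Authorization header as it would appear in a packet capture of plaintext HTTP, shows a toy server accepting the very same header a second time because nothing in the scheme ties it to one request, and adds the one check a practitioner actually wants at the front door, refusing to evaluate Basic credentials at all unless the request arrived over TLS. The server class, the user table and the header values are assumptions for the demonstration; a real server would store salted password hashes, never plaintext.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed example: an Authorization value as it would be seen in a capture
# of an unencrypted request ("Aladdin:open sesame"). Not a real credential.
SNIFFED_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
# Constructed wrong guess for the same user, used to show rejection.
WRONG_HEADER = "Basic " + base64.b64encode(b"Aladdin:wrong").decode("ascii")

# Hypothetical user table for the toy server (plaintext only for the demo).
USERS: Dict[str, str] = {"Aladdin": "open sesame"}


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Flaw 1: recovering the credentials needs no key, just base-64."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # malformed header, not a credential
    user, sep, password = text.partition(":")
    if not sep:
        return None                      # no ':' separator: not user:password
    return user, password


class NaiveServer:
    """Accepts any request whose Authorization value decodes to a valid
    user/password.  Because the value carries no nonce or timestamp, a
    captured header is accepted again unchanged (flaw 2: replay)."""

    def __init__(self) -> None:
        self.accepted = []               # every header value we let through

    def handle(self, headers: Dict[str, str]) -> int:
        creds = decode_basic(headers.get("Authorization", ""))
        if creds is None:
            return 401                   # would carry WWW-Authenticate: Basic realm=...
        user, password = creds
        expected = USERS.get(user)
        # Constant-time comparison so timing does not leak how much matched.
        if expected is None or not hmac.compare_digest(
                password.encode("utf-8"), expected.encode("utf-8")):
            return 401
        self.accepted.append(headers["Authorization"])
        return 200


def handle_request(scheme: str, headers: Dict[str, str], server: NaiveServer) -> int:
    """Front-door check: Basic is only tolerable when the transport hides the
    header, so never evaluate credentials on plaintext HTTP.  This does not
    repair the scheme; it moves confidentiality and integrity onto TLS."""
    if scheme != "https":
        return 403                       # or redirect to https before any credential is sent
    return server.handle(headers)


if __name__ == "__main__":
    print("captured credentials:", decode_basic(SNIFFED_HEADER))
    s = NaiveServer()
    replayed = {"Authorization": SNIFFED_HEADER}
    print("first use:", s.handle(replayed), "replay:", s.handle(replayed))
    print("over http:", handle_request("http", replayed, NaiveServer()))
```

Note what the TLS check does and does not buy: it hides the header from the network and stops a middleman from rewriting the body, but a captured header is still a bearer credential with no expiry, so password rotation and session tokens issued after the first Basic exchange are still needed.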