SY306 Web and Databases for Cyber Operations
SlideSet #18: HTTP Authentication
http://www.httpwatch.com/httpgallery/authentication/
http://httpd.apache.org/docs/2.2/howto/auth.html

Outline
• HTTP Basic Authentication
• HTTP Digest Authentication

HTTP Authentication
[Figure: Client and Server; the client's request is answered with an authentication challenge ("Authentication?") from the server, and the client resends the request with credentials]

Basic Authentication Demo

Basic Authentication
• Client
    GET /secret.html HTTP/1.0
• Server
    HTTP/1.1 401 Access Denied
    WWW-Authenticate: Basic realm="secret files"
    Content-Length: 0
• Client
    GET /secret.html HTTP/1.0
    Authorization: Basic dXNlcjpwYXNzd29yZA==
• Notes:
  – dXNlcjpwYXNzd29yZA== is only Base64("user:password"); anyone who can see the request recovers the password
  – The browser attaches the same Authorization header to every later request for that realm, so Basic is only acceptable over HTTPS
  – The standard reason phrase for status 401 is "Unauthorized"; some servers (IIS among them) send "Access Denied" instead, and clients ignore the phrase anyway

How to set up Basic Authentication
• Have mod_auth_basic enabled on the web server
• Create the password file (not under a web-accessible path)
    htpasswd -c myfile myuser
  (-c creates the file, and truncates it if it already exists; leave -c off when adding further users)
• Configure the server to ask for credentials, e.g. in .htaccess:
    AuthType Basic
    AuthName myrealm
    AuthBasicProvider file
    AuthUserFile myfile
    Require valid-user
  (give AuthUserFile an absolute path: a relative one is resolved against ServerRoot, not against the .htaccess directory)
http://httpd.apache.org/docs/2.2/howto/auth.html

Lab Exercise
• ssh into mich316csdYYu (YY between 01 and 20)
• Create the password file basicUsers.txt in your home dir (not web accessible) for your user mXXXXXX:
    htpasswd -c basicUsers.txt mXXXXXX
• From Windows or Unix:
  – Create a new folder BasicSecret in your public_html folder
  – Copy starter.html into BasicSecret
  – Create a .htaccess file in BasicSecret with content
      AuthType Basic
      AuthName "Restricted files for basic"
      AuthBasicProvider file
      AuthUserFile /home/mids/mXXXXXX/basicUsers.txt
      Require valid-user
• In browser: http://zee.academy.usna.edu/~mXXXXXX/BasicSecret/starter.html
• You might need to change the permissions on basicUsers.txt so that the web server user can read it; in Unix:
    setfacl -m u:www-data:rx basicUsers.txt

Base64 Encoding
• Encodes binary data as text (NOT encryption: there is no key, and anyone can reverse it)
• Uses 64 characters (A-Z, a-z, 0-9, + and /), so each symbol carries 6 bits
• To encode user:password
  – Concatenate the 8-bit ASCII representation of each character
  – If the number of bytes is not a multiple of 3, append one or two all-zero bytes
  – Split each 3-byte (24-bit) block into four 6-bit blocks
  – Translate each 6-bit block to its Base64 character
  – If a 6-bit block came entirely from the padding bytes, emit = instead
http://en.wikipedia.org/wiki/Base64
ASCII table: http://www.rapidtables.com/code/text/ascii-table.htm
ICE: Decode c3kzMDY6dGVzdA==

Digest Authentication
• Similar to Basic authentication, BUT
• the password is not sent in the clear (Base64 is not protection)
• Based on challenge-response authentication
  – The server sends a nonce; the client proves knowledge of the password with an MD5 hash over the username, realm, password, nonce, method and URI

Digest Authentication – Part 1
• Client
    GET /secret.html HTTP/1.0
• Server
    HTTP/1.1 401 Access Denied
    WWW-Authenticate: Digest realm="Restricted",
        nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb",
        algorithm=MD5, qop="auth"
    Content-Length: 0

Digest Authentication – Part 2
• Client
    GET /secret.html HTTP/1.0
    Authorization: Digest username="johnny", realm="Restricted",
        nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb",
        uri="/secret.html", algorithm=MD5,
        response="ffd5ebb687c6198ef663e43b25a32d0e",
        qop=auth, nc=00000001, cnonce="80ddead374b429b7"
• With qop=auth the response is computed as (RFC 2617):
    HA1      = MD5(username:realm:password)
    HA2      = MD5(method:uri)
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
  nc is the client's request counter for this nonce; cnonce is a random value chosen by the client
• Pros:
  – The password itself never crosses the wire; an eavesdropper sees only the response hash
  – The server nonce and the nc counter let the server reject a replayed request
• Cons:
  – Relies on MD5, and a captured response can be attacked offline with a dictionary of candidate passwords
  – The server stores HA1 = MD5(username:realm:password), which is password-equivalent for that realm if the file leaks
  – Protects only the credential: no confidentiality or integrity for the rest of the traffic and no authentication of the server, so TLS is still needed

How to set up Digest Authentication
• Have mod_auth_digest enabled on the web server
• Create the password file (not under a web-accessible path)
    htdigest -c myfile myrealm myuser
• Configure the server to ask for credentials, e.g. in .htaccess:
    AuthType Digest
    AuthName myrealm
    AuthDigestProvider file
    AuthUserFile myfile
    Require valid-user
  (AuthName must be exactly the realm given to htdigest, because the realm is hashed into the stored HA1)
http://httpd.apache.org/docs/2.2/howto/auth.html

Other types of authentication
• NTLM Authentication
• Certificate Authentication
• Integrated Windows Authentication
• Form-based authentication
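Worked example for the Basic Authentication exchange and the Base64 slide (added here; it is not code from the slide deck). The encoder follows the slide's recipe literally (zero-byte padding, 3 bytes into four 6-bit groups, = for groups made only of padding) and is cross-checked against Python's standard library; the header helpers show what the client sends after the 401 and what a server, or anyone sniffing the request, gets back out of it. The credentials user:password and the ICE string c3kzMDY6dGVzdA== are the slide's; everything else is constructed for the example.

```python
"""Base64 as described on the slide, plus building and parsing the
Authorization: Basic header. Added example, not the slide deck's code."""
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode_manual(data: bytes) -> str:
    """Encode bytes step by step as the slide describes it."""
    pad = (-len(data)) % 3                        # 0, 1 or 2 all-zero bytes needed
    padded = data + b"\x00" * pad
    out = []
    for i in range(0, len(padded), 3):
        b0, b1, b2 = padded[i:i + 3]
        bits = (b0 << 16) | (b1 << 8) | b2        # one 24-bit block
        for shift in (18, 12, 6, 0):              # four 6-bit groups, high to low
            out.append(B64_ALPHABET[(bits >> shift) & 0x3F])
    if pad:                                       # the last `pad` groups came only from padding bytes
        out[-pad:] = ["="] * pad
    return "".join(out)


def b64_decode_manual(text: str) -> bytes:
    """Reverse of the above; rejects malformed input instead of guessing."""
    if len(text) % 4 != 0:
        raise ValueError("Base64 length must be a multiple of 4")
    pad = len(text) - len(text.rstrip("="))
    if pad > 2:
        raise ValueError("too much padding")
    core = text[:len(text) - pad] + "A" * pad     # '=' stands for an all-zero 6-bit group
    out = bytearray()
    for i in range(0, len(core), 4):
        vals = [B64_ALPHABET.index(c) for c in core[i:i + 4]]   # ValueError on a bad symbol
        bits = (vals[0] << 18) | (vals[1] << 12) | (vals[2] << 6) | vals[3]
        out += bytes(((bits >> 16) & 0xFF, (bits >> 8) & 0xFF, bits & 0xFF))
    return bytes(out[:len(out) - pad])            # drop the bytes that were only padding


def matches_stdlib(data: bytes) -> bool:
    """Sanity check of the manual encoder against the standard library."""
    encoded = b64_encode_manual(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and base64.b64decode(encoded) == data
            and b64_decode_manual(encoded) == data)


def basic_authorization(username: str, password: str) -> str:
    """Client side: value of the Authorization header sent after the 401 challenge."""
    if ":" in username:
        raise ValueError("the user-id may not contain ':' (RFC 7617)")
    return "Basic " + b64_encode_manual(f"{username}:{password}".encode("utf-8"))


def parse_basic_authorization(header_value: str) -> tuple:
    """Server side (or an eavesdropper): recover (user, password) from the header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    creds = b64_decode_manual(token.strip()).decode("utf-8")
    user, sep, password = creds.partition(":")    # first ':' only, so the password may contain ':'
    if not sep:
        raise ValueError("credential is not user:password")
    return user, password


if __name__ == "__main__":
    print(basic_authorization("user", "password"))           # the header from the slide
    print(parse_basic_authorization("Basic c3kzMDY6dGVzdA=="))  # the ICE string, decoded
```

Run it to see that the slide's header is exactly Base64("user:password") and to get the ICE answer; the point of `parse_basic_authorization` is that the server-side step is the same one a network sniffer performs, which is why the slide's note about HTTPS matters.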
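Worked example for the two Digest Authentication slides (added here; not the slide deck's code): the client-side computation of `response` for the Part 2 request, and a server-side check that looks HA1 up in an htdigest-style file, recomputes the response, and uses the nonce and nc counter to reject a replayed request. The username, realm, nonce, URI and cnonce are the slide's; johnny's password ("secret") is an assumption because the slide does not give it, so the response computed here will not equal the slide's ffd5ebb6... value.

```python
"""Digest Authentication (RFC 2617, algorithm=MD5, qop=auth): client response
and server verification with replay detection. Added example; the password
"secret" is assumed, not taken from the slide."""
import hashlib
import hmac
import re
from typing import Dict, List

SLIDE_NONCE = "SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb"   # nonce from the slide


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is what htdigest stores per user."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def htdigest_line(username: str, realm: str, password: str) -> str:
    """One line of the file written by `htdigest -c myfile myrealm myuser`: realm:user:HA1."""
    return f"{realm}:{username}:{digest_ha1(username, realm, password)}"


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side: the Authorization header value for Part 2 of the exchange."""
    response = digest_response(digest_ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", algorithm=MD5, response="{response}", qop=auth, '
            f'nc={nc}, cnonce="{cnonce}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')   # key="quoted" or key=bare


def parse_authorization(header_value: str) -> Dict[str, str]:
    """Split `Digest k="v", k=v, ...` into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def verify_authorization(header_value: str, method: str, request_uri: str,
                         htdigest_lines: List[str], issued_nonces: Dict[str, int]) -> bool:
    """Server side. issued_nonces maps each nonce this server handed out to the
    highest nc it has already accepted for that nonce (0 when freshly issued)."""
    try:
        p = parse_authorization(header_value)
    except ValueError:
        return False
    needed = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")
    if any(k not in p for k in needed) or p.get("qop") != "auth":
        return False
    if p.get("algorithm", "MD5").upper() != "MD5" or p["uri"] != request_uri:
        return False                               # hashed URI must be the one actually requested
    nonce = p["nonce"]
    if nonce not in issued_nonces:                 # not our nonce, or already expired
        return False
    try:
        nc = int(p["nc"], 16)
    except ValueError:
        return False
    if nc <= issued_nonces[nonce]:                 # replay: the counter did not advance
        return False
    ha1 = None
    for line in htdigest_lines:                    # realm:user:HA1
        realm, user, stored = line.split(":", 2)
        if realm == p["realm"] and user == p["username"]:
            ha1 = stored
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, request_uri, nonce, p["nc"], p["cnonce"])
    if not hmac.compare_digest(expected, p["response"]):
        return False
    issued_nonces[nonce] = nc                      # accept and remember the counter
    return True


if __name__ == "__main__":
    store = [htdigest_line("johnny", "Restricted", "secret")]     # password is an assumption
    issued = {SLIDE_NONCE: 0}
    hdr = build_authorization("johnny", "Restricted", "secret", "GET", "/secret.html",
                              SLIDE_NONCE, "00000001", "80ddead374b429b7")
    print("Authorization:", hdr)
    print("first request accepted:", verify_authorization(hdr, "GET", "/secret.html", store, issued))
    print("same request replayed :", verify_authorization(hdr, "GET", "/secret.html", store, issued))
```

The second verification fails on purpose: the captured header is valid, but its nc does not advance, which is the replay protection the "Pros" bullet refers to. Note that the server never needs the password, only HA1, which is why the htdigest file must be protected as carefully as a password file.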