ch12: Basic Authentication

1. Authentication

Authentication means showing some proof of your identity.

1.1 HTTP's Challenge/Response Authentication Framework

1.2 Authentication Protocols and Headers

HTTP defines two official authentication protocols: basic authentication and digest authentication.

Four phases of authentication:

Phase            Headers
Request          (none)
Challenge        401 WWW-Authenticate
Authentication   Authorization
Success          Authentication-Info

Basic authentication example:

1.3 Security Realms

Web servers group protected documents into security realms.

Each security realm can have different sets of authorized users.

2. Basic Authentication

Basic authentication is the most prevalent HTTP authentication protocol.

Just username and password.

2.1 Basic Authentication Example

Figure 12.2 shows a detailed example of basic authentication.

Basic authentication headers:

Challenge/Response            Header syntax
Challenge (server to client)  WWW-Authenticate: Basic realm=quoted-realm
Response (client to server)   Authorization: Basic base64-username-and-password

2.2 Base-64 Username/Password Encoding

HTTP basic authentication packs the username and password together (separated by a colon), and encodes them using the base-64 encoding method.

2.3 Proxy Authentication

Proxy servers can be a convenient way to provide unified access control across an organization's resources.

The first step in this process is to establish the identity via proxy authentication.

Web server versus proxy authentication:

Web server                      Proxy server
Unauthorized status code: 401   Unauthorized status code: 407
WWW-Authenticate                Proxy-Authenticate
Authorization                   Proxy-Authorization
Authentication-Info             Proxy-Authentication-Info

3. The Security Flaws of Basic Authentication

Basic authentication is simple and convenient, but it is not secure.

3.1 Username and password can be decoded

Given a base-64-encoded username and password, decoding is trivial: simply reverse the encoding process.
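The encoding from section 2.2 and the trivial decoding from section 3.1, as an added example (not from the original notes or the book). The credentials and realm are constructed sample values; the decoder deliberately splits on the first colon only, since a Basic user-id may not contain one but a password may.

```python
import base64
import re

# Constructed sample credentials (not from the page); the colon inside the
# password shows why the decoder must split on the first colon only.
USERNAME = "alice"
PASSWORD = "p@ss:word"


def basic_authorization_header(username: str, password: str) -> str:
    """Build the Authorization value: base64("username:password").
    Basic user-ids may not contain ':', so the first colon is the separator."""
    if ":" in username:
        raise ValueError("Basic auth user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_authorization(header_value: str) -> tuple[str, str]:
    """Reverse the encoding (section 3.1): base-64 is not encryption, so
    anyone who observes the header recovers the credentials directly."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {scheme!r}")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded credential lacks the ':' separator")
    return username, password


def parse_basic_challenge(header_value: str) -> str:
    """Pull the quoted realm out of a WWW-Authenticate or Proxy-Authenticate
    Basic challenge, e.g. Basic realm="Example Realm" (constructed value)."""
    m = re.fullmatch(r'\s*Basic\s+realm="([^"]*)"\s*', header_value, re.IGNORECASE)
    if not m:
        raise ValueError("not a Basic challenge with a quoted realm")
    return m.group(1)


if __name__ == "__main__":
    hdr = basic_authorization_header(USERNAME, PASSWORD)
    print("Authorization:", hdr)                        # what crosses the wire
    print("decoded:", decode_basic_authorization(hdr))  # trivially reversed
```

The same two functions apply unchanged to the Proxy-Authorization header from section 2.3; only the header name and the 407 status differ.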

3.2 Replay attacks

Basic authentication makes no effort to prevent replay attacks, in which a captured Authorization header is simply resent.

3.3 Social behavior makes it dangerous

Even if basic authentication is used for noncritical applications, social behavior makes this dangerous.

Many users reuse the same password across many web sites.

3.4 Middlemen

Basic authentication offers no protection against proxies or intermediaries that act as middlemen.

3.5 Vulnerable to spoofing by counterfeit servers

If a user can be led to believe that he is connecting to a valid host protected by basic authentication when, in fact, he is connecting to a hostile server or gateway, the attacker can request a password, store it for later use, and feign an error.
