ch12: Basic Authentication
1. Authentication
Authentication means showing some proof of your identity.
1.1 HTTP's Challenge/Response Authentication Framework
1.2 Authentication Protocols and Headers
HTTP defines two official authentication protocols: basic authentication and digest authentication.
Four phases of authentication:
Phase | Headers
--- | ---
Request | (none)
Challenge | 401 status, WWW-Authenticate
Authorization | Authorization
Success | Authentication-Info
Basic authentication example:
1.3 Security Realms
Web servers group protected documents into security realms.
Each security realm can have different sets of authorized users.
2. Basic Authentication
Basic authentication is the most prevalent HTTP authentication protocol.
Just username and password.
2.1 Basic Authentication Example
Figure 12.2 shows a detailed example of basic authentication.
Basic authentication headers:
Challenge/Response | Header syntax
--- | ---
Challenge (server to client) | WWW-Authenticate: Basic realm=quoted-realm
Response (client to server) | Authorization: Basic base64-username:password
2.2 Base-64 Username/Password Encoding
HTTP basic authentication packs the username and password together (separated by a colon), and encodes them using the base-64 encoding method.
2.3 Proxy Authentication
Proxy servers can be a convenient way to provide unified access control across an organization's resources.
The first step in this process is to establish the identity via proxy authentication.
Web server versus proxy authentication:
Web server | Proxy server
--- | ---
Unauthorized status code: 401 | Unauthorized status code: 407
WWW-Authenticate | Proxy-Authenticate
Authorization | Proxy-Authorization
Authentication-Info | Proxy-Authentication-Info
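The following is an added example, not code from the book or these notes. It shows the four-phase exchange from sections 1.2, 2.2 and 2.3 in working code: parsing a 401 or 407 challenge, packing and base-64 encoding the credentials, and reversing that encoding. The realm and credential values are constructed for illustration.

```python
import base64
import re

# The only difference between origin-server and proxy authentication is the
# status code and the header names; the Basic scheme itself is identical.
AUTH_HEADERS = {
    401: ("WWW-Authenticate", "Authorization"),
    407: ("Proxy-Authenticate", "Proxy-Authorization"),
}

def build_credentials(username, password):
    """Pack 'username:password' and base-64 encode it, as basic auth does.
    Base-64 is an encoding, not encryption: it hides nothing."""
    if ":" in username:
        raise ValueError("basic auth usernames cannot contain ':'")
    packed = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(packed).decode("ascii")

def parse_challenge(status, headers):
    """Return (realm, name of the header the client must answer with)."""
    challenge_name, response_name = AUTH_HEADERS[status]
    value = headers[challenge_name]
    m = re.match(r'Basic\s+realm="([^"]*)"', value)
    if not m:
        raise ValueError("not a basic auth challenge: " + value)
    return m.group(1), response_name

def decode_credentials(header_value):
    """Reverse the encoding: anyone who observes the header (a proxy, a
    network tap, a log file) recovers the plain-text username and password."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    packed = base64.b64decode(token).decode("utf-8")
    username, _, password = packed.partition(":")
    return username, password

def respond_to_challenge(status, headers, username, password):
    """Produce the header the client sends back in the authorization phase."""
    _realm, response_name = parse_challenge(status, headers)
    return {response_name: build_credentials(username, password)}

if __name__ == "__main__":
    # Constructed sample challenge and credentials (RFC 7617's example pair).
    challenge = {"WWW-Authenticate": 'Basic realm="Corporate Financials"'}
    reply = respond_to_challenge(401, challenge, "Aladdin", "open sesame")
    print(reply)
    print(decode_credentials(reply["Authorization"]))
```

The same value is resent unchanged on every request to the realm, which is why a captured header can be replayed as-is.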
3. The Security Flaws of Basic Authentication
Basic authentication is simple and convenient, but it is not secure.
3.1 Username and password can be decoded
Given a base-64-encoded username and password, decoding is trivial: simply reverse the encoding process. Base-64 is an encoding, not encryption.
3.2 Replay attacks
Basic authentication makes no effort to prevent replay attacks: the same encoded credentials are sent with every request, so anyone who captures them can resend them.
3.3 Social behavior makes it dangerous
Even if basic authentication is used for noncritical applications, social behavior makes this dangerous.
Many users use the same password among many web sites.
3.4 Middlemen
Basic authentication offers no protection against proxies or intermediaries that act as middlemen.
3.5 Vulnerable to spoofing by counterfeit servers
If a user can be led to believe that he is connecting to a valid host protected by basic authentication when, in fact, he is connecting to a hostile server or gateway, the attacker can request a password, store it for later use, and feign an error.