210 likes | 526 Views
http Web Authentication. Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login prompt. There are two types of authentication: Basic and Digest. How Basic Authentication Works. GET /protected/index.html HTTP/1.1.
E N D
http Web Authentication • Web authentication is used to verify a users identity before allowing access to certain web pages • On web browsers you get a login prompt • There are two types of authentication: Basic and Digest
How Basic Authentication Works GET /protected/index.html HTTP/1.1 HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“Private” Display Login panel GET /protected/index.html HTTP/1.1 Authorization: Basic JAadf0987awe
Problems with Basic Authentication • Passwords are easy to intercept • Passwords are trivial to decrypt • Once you have the password you have access to many documents
How Digest Authentication Works GET /protected/index.html HTTP/1.1 HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm=“Private” nonce=“897sgkjhsadAdsiu” Display Login panel GET /protected/index.html HTTP/1.1 Authorization: Digest username=“Alice” realm=“Private” nonce=“897sgkjhsadAdsiu” response=“5ijasd9734kuyasds0g”
Challenge and Response • Challenge (nonce): any changing string • E.g. MD5(IP address:timestamp:server secret) • Response: challenge hashed with the user’s name & password and uri of requested page • MD5(MD5(name:realm:password):nonce:MD5(request)) • Server-specific implementation options • One time nonce • Time-stamped nonce
Digest Advantage over Basic • Password is not transmitted in a way that can be decrypted • Can’t replay the client/server handshake because the nonce changes each time • The intercepted response is valid only for a single web page because the response has the request hashed. • Disadvantages • Few web browser supports it • Shared disadvantages • The document itself can be sniffed!!!
Secure Socket Layer (ssl) • The secure socket layer sandwiches itself between the transport layer and the application layer in the OSI model • The ssl provides: • data encryption • Can the message be snooped? • server authentication • Is the machine your connected to the REAL server? • message integrity • Was the message manipulated between you and the server? • Optionally client authentication (seldom used) • Is the server sending data to a machine that should get the data?
“Are you Bob?” {“Are you Bob?”} Bobs-private-key Decrypt Bob’s Public Key Problem: It’s never a good idea to encrypt anything someone sent you with your private key
“Are you Bob?” hash {“Are you Bob?”} {hash} Bobs-private-key “Are you Bob?” Decrypt Bob’s Public Key hash {“Are you Bob?”} & compare This method is know as a digital signature Problem: Bob is still encrypting something sent to him
Are you bob? Alice, this is bob (random) hash {Alice, this is bob} {hash} Bobs-private-key Decrypt {hash} Bob’s Public key hash {Alice, this is bob} compare Problem: Any one can be Bob. Where did Alice get Bob’s public key?
Certificates • A certificate is a way of sending public keys to end users and assure they actually belong to the sender • They contain • Issuer’s name • Info about the identity for whom the certificate has been signed • Public key of the sender • Some time stamps • A certificate is signed by a certificate authority • Verasign, thwarty, … • Web browsers have the public keys of the certificate authority pre-installed. • So, when a new certificate comes and it can be decrypted with a certificate authorities key, it can be assumed that the certificate authority guarantees the public key of the sender
Hi Hi, I’m bob, bob’s certificate Prove it Decrypt {hash} Bob’s Public key hash {Alice, this is bob} compare Alice, this is bob hash {Alice, this is bob} {hash} Bobs-private-key Ok bob, Here’s a secret {secret} bob’s public key Decrypt {secret} Bob’s private key {Some message, hash{message}} Secret-key Decrypt {message,hash} hash {message} Compare hashs
Advantages of SSL • Confidential session • Server authentication • GUI clues for users • Built into most browsers • Easy to configure on the server • Protocol has been analyzed extensively
Disadvantages of SSL • Users don’t check certificates • Most don’t know what they even mean • Too easy to obtain a certificate • Default settings are terrible • Ssl version 2 in on • Totally insecure ciphers are included in the browsers • Very little use of client-side certificates • Performance hit to the server