HTTP Authentication: Basic and Digest Access Authentication (RFC 2617)

Contents
• Access Authentication Framework
• Basic Access Authentication
• Digest Access Authentication
• Specification of Digest Headers
  • WWW-Authenticate header
  • Authorization Request header
  • Authentication-Info header
• Digest Operation
• Example

Access Authentication Framework
• Simple challenge-response authentication mechanism
• Token – user-identifying information
• Realm directive – protection space
• Credential
• Checksum & hash

Basic Access Authentication
• Authentication with user ID/password
• Cleartext-based mechanism
• No encryption method
Digest Access Authentication
• Purpose
  • Addresses the weakness of Basic Access Authentication (credentials sent in cleartext)
  • No message encryption
• Overall operation
  • Simple challenge-response paradigm
  • The challenge carries a nonce value
  • The response contains a checksum
    • Default algorithm: MD5
    • Computed over the username, password, the given nonce value, the HTTP method and the requested URI

Specification of Digest Headers
• WWW-Authenticate header
  • Sent by the server when it receives a request for an access-protected object and no acceptable Authorization header is present
• Authorization Request header
  • Sent by the client to request access again after receiving a WWW-Authenticate header from the server
• Authentication-Info header
  • Information sent by the server after successful authentication
WWW-Authenticate header 1/3
  challenge        = "Digest" digest-challenge
  digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] | [ stale ] | [ algorithm ] | [ qop-options ] | [ auth-param ] )
  domain           = "domain" "=" <"> URI ( 1*SP URI ) <">
  URI              = absoluteURI | abs_path
  nonce            = "nonce" "=" nonce-value
  nonce-value      = quoted-string
  opaque           = "opaque" "=" quoted-string
  stale            = "stale" "=" ( "true" | "false" )
  algorithm        = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
  qop-options      = "qop" "=" <"> 1#qop-value <">
  qop-value        = "auth" | "auth-int" | token

WWW-Authenticate header 2/3
• Realm
  • Tells the user which username and password to authenticate with
• Nonce
  • Server-specified data string
  • Uniquely generated each time a 401 response is made
  • Base64 or hexadecimal data recommended
  • Implementation dependent
  • Opaque to the client
• Opaque
  • Value generated by the server
  • Returned unchanged by the client in its Authorization header
  • Base64 or hexadecimal data recommended
• Stale
  • Indicates that the nonce of the previous request was invalid
  • TRUE – the nonce was invalid (the username/password are judged to be correct)
  • FALSE, any value other than TRUE, or no stale directive – the username/password are incorrect

WWW-Authenticate header 3/3
• Algorithm
  • Algorithm used for the digest and the checksum
  • Default: MD5
  • KD(secret, data)
    • The string produced by digesting data with secret
  • H(data)
    • The string produced by applying the checksum algorithm to data
  • Example (MD5)
    • H(data) = MD5(data)
    • KD(secret, data) = H(concat(secret, ":", data))
• Qop-options
  • Optional field (backward compatibility)
  • Quoted string
  • Quality of protection
  • Example
    • "auth" – authentication
    • "auth-int" – authentication with integrity protection
• Auth-param
  • For extension
Authorization Request header 1/2
  credentials      = "Digest" digest-response
  digest-response  = 1#( username | realm | nonce | digest-uri | response | [ algorithm ] | [ cnonce ] | [ opaque ] | [ message-qop ] | [ nonce-count ] | [ auth-param ] )
  username         = "username" "=" username-value
  username-value   = quoted-string
  digest-uri       = "uri" "=" digest-uri-value
  digest-uri-value = request-uri   ; As specified by HTTP/1.1
  message-qop      = "qop" "=" qop-value
  cnonce           = "cnonce" "=" cnonce-value
  cnonce-value     = nonce-value
  nonce-count      = "nc" "=" nc-value
  nc-value         = 8LHEX
  response         = "response" "=" request-digest
  request-digest   = <"> 32LHEX <">
  LHEX             = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"

Authorization Request header 2/2
• Opaque/algorithm
  • The values from the WWW-Authenticate header
• Response
  • Computed result of 32 hex digits
  • Proves that the user knows the password
• Username
  • The user's name within the realm
• Qop
  • Quality of protection
  • Optional field (backward compatibility)
  • Affects the request-digest
  • Must be included if it was specified in the WWW-Authenticate header
• Cnonce
  • Included or omitted depending on whether qop is present in the WWW-Authenticate header
  • Purpose: prevent plaintext attacks
• Nonce-count
  • Included or omitted depending on whether qop is present in the WWW-Authenticate header
  • Counts the requests the client has made with the same nonce
  • Purpose: prevent replay attacks
• Auth-param
  • For extension
• Request-digest
  • See the RFC
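The following is an added example, not code from the slides or from RFC 2617 itself: a small Python parser for the directive lists used by both the WWW-Authenticate challenge and the Authorization credentials in the grammars above. It splits the comma-separated directives, unquotes quoted-string values, checks that the directives the grammar marks as mandatory are present, and enforces the 8LHEX / 32LHEX shape of nc and response. The function and constant names are my own; the header values used to exercise it are the RFC 2617 section 3.5 example.

```python
import re

# Added example (not from the slides): parser for RFC 2617 directive lists.
# A directive is  token "=" ( token | quoted-string ), directives are separated
# by commas, and a quoted-string may contain backslash-escaped characters.
_DIRECTIVE_RE = re.compile(
    r"\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*"        # directive name
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)'    # quoted-string or token, then "," or end
)

# Directives that the two grammars list without [ ] brackets, i.e. required.
REQUIRED_CHALLENGE = ("realm", "nonce")
REQUIRED_CREDENTIALS = ("username", "realm", "nonce", "uri", "response")


def parse_digest_header(value, kind):
    """Parse the value of a WWW-Authenticate (kind="challenge") or
    Authorization (kind="credentials") header into a dict of directives.

    Raises ValueError for a non-Digest scheme, malformed syntax, duplicate or
    missing required directives, or a malformed nc / response field.
    """
    if kind not in ("challenge", "credentials"):
        raise ValueError("kind must be 'challenge' or 'credentials'")
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: scheme %r" % scheme)

    directives = {}
    rest = rest.strip()
    pos = 0
    while pos < len(rest):
        m = _DIRECTIVE_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed directive list near %r" % rest[pos:pos + 20])
        name = m.group(1).lower()
        if m.group(2) is not None:
            val = re.sub(r"\\(.)", r"\1", m.group(2))   # undo quoted-pair escapes
        else:
            val = m.group(3)
        if name in directives:
            raise ValueError("duplicate directive %r" % name)
        directives[name] = val
        pos = m.end()

    required = REQUIRED_CHALLENGE if kind == "challenge" else REQUIRED_CREDENTIALS
    missing = [d for d in required if d not in directives]
    if missing:
        raise ValueError("missing required directive(s): %s" % ", ".join(missing))

    if kind == "credentials":
        # request-digest = <"> 32LHEX <">  and  nc-value = 8LHEX
        if not re.fullmatch(r"[0-9a-f]{32}", directives["response"]):
            raise ValueError("response must be 32 lowercase hex digits")
        if "nc" in directives and not re.fullmatch(r"[0-9a-f]{8}", directives["nc"]):
            raise ValueError("nc must be 8 lowercase hex digits")
    elif "qop" in directives:
        # qop-options in a challenge is a quoted 1#qop-value list, e.g. "auth,auth-int"
        directives["qop"] = [q.strip() for q in directives["qop"].split(",") if q.strip()]
    return directives
```

Because the challenge's qop is a list while the credentials' qop is a single value, the two are returned with different types; a server would then check that the client's qop is one of the values it offered before computing the request-digest.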
Authentication-Info header
  AuthenticationInfo = "Authentication-Info" ":" auth-info
  auth-info          = 1#( nextnonce | [ message-qop ] | [ response-auth ] | [ cnonce ] | [ nonce-count ] )
  nextnonce          = "nextnonce" "=" nonce-value
  response-auth      = "rspauth" "=" response-digest
  response-digest    = <"> *LHEX <">
• Nextnonce
  • Field the server uses to supply the nonce for the next challenge, or to change the nonce
  • If specified, the client uses it when building the Authorization header of its next request
• Message-qop
  • Quality of protection
  • Required if it was specified

Digest Operation
• Using the password that belongs to the Username in the Authorization Request header, the server applies the same algorithm as the client and compares the result with the request-digest value
• This is possible without knowing the cleartext password as long as H(A1) is known
  • H(A1) = H(unq(username-value) ":" unq(realm-value) ":" password)
• Example
  • Username = "Mufasa"
  • Realm = myhost@testrealm.com
  • Password = "Circle Of Life"
  • H(A1) = H(Mufasa:myhost@testrealm.com:Circle Of Life)
• Session
  • Maintained from one WWW-Authenticate challenge until the next one is received

Example
• Environmental parameters
  • URI – http://www.nowhere.org/dir/index.html
  • Username – "Mufasa"
  • Password – "Circle Of Life"
• Operation
  1. Client request
  2. No Authorization header is sent, so the server responds with
  3. Client responds with a new request, including an Authorization header
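The following is an added example for the Digest Operation and Example slides (my own code, not the deck's and not taken from RFC 2617): the client-side request-digest computation using the H and KD definitions from the slides, and a server-side verifier that stores only H(A1) rather than the cleartext password and rejects a request whose nonce-count does not increase for the nonce it was issued. The realm, nonce, cnonce and expected digests used to check it are the RFC 2617 section 3.5 example (realm testrealm@host.com, which differs from the realm on the slide); class, function and parameter names are my own.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): RFC 2617 digest computation and verification.

def H(data):
    """H(data) = MD5(data), rendered as 32 lowercase hex digits."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret, data):
    """KD(secret, data) = H(concat(secret, ":", data))."""
    return H(secret + ":" + data)


def HA1(username, realm, password):
    """H(A1) for algorithm=MD5: H(username ":" realm ":" password)."""
    return H(username + ":" + realm + ":" + password)


def HA2(method, uri, qop=None, entity_body=b""):
    """H(A2): H(method ":" uri); with qop=auth-int also H(entity-body) is appended."""
    if qop == "auth-int":
        return H(method + ":" + uri + ":" + hashlib.md5(entity_body).hexdigest())
    return H(method + ":" + uri)


def request_digest(ha1, nonce, method, uri, qop=None, nc=None, cnonce=None, entity_body=b""):
    """request-digest (RFC 2617 3.2.2.1), computed from a stored H(A1)."""
    ha2 = HA2(method, uri, qop, entity_body)
    if qop in ("auth", "auth-int"):
        if nc is None or cnonce is None:
            raise ValueError("nc and cnonce are required when qop is used")
        return KD(ha1, ":".join([nonce, nc, cnonce, qop, ha2]))
    return KD(ha1, nonce + ":" + ha2)     # no-qop form, kept for RFC 2069 compatibility


def client_authorization(username, realm, password, nonce, method, uri, qop, nc, cnonce, opaque=None):
    """Client side: the directives of the Authorization header for one request."""
    resp = request_digest(HA1(username, realm, password), nonce, method, uri, qop, nc, cnonce)
    creds = {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
             "qop": qop, "nc": nc, "cnonce": cnonce, "response": resp}
    if opaque is not None:
        creds["opaque"] = opaque        # echoed back unchanged, as the slides say
    return creds


class DigestVerifier:
    """Server side: keeps H(A1) per user and the highest nonce-count seen per nonce."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.nonces = {}                 # nonce -> last accepted nonce-count

    def add_user(self, username, password):
        # Only H(A1) is stored; the cleartext password is not kept.
        self.ha1_by_user[username] = HA1(username, self.realm, password)

    def issue_nonce(self, nonce=None):
        """Issue a fresh nonce for a 401 challenge (a fixed one may be supplied for tests)."""
        if nonce is None:
            nonce = os.urandom(16).hex()
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method, creds, entity_body=b""):
        """Return True only if the credentials are valid for an issued nonce and not replayed."""
        ha1 = self.ha1_by_user.get(creds.get("username"))
        if ha1 is None or creds.get("realm") != self.realm:
            return False
        nonce = creds.get("nonce")
        if nonce not in self.nonces:
            return False                 # unknown or expired nonce: re-challenge with stale=true
        qop = creds.get("qop")
        if qop not in (None, "auth", "auth-int"):
            return False
        if qop and (creds.get("nc") is None or creds.get("cnonce") is None):
            return False
        expected = request_digest(ha1, nonce, method, creds.get("uri", ""), qop,
                                  creds.get("nc"), creds.get("cnonce"), entity_body)
        if not hmac.compare_digest(expected, creds.get("response", "")):
            return False
        if qop:
            try:
                nc = int(creds["nc"], 16)
            except ValueError:
                return False
            if nc <= self.nonces[nonce]:
                return False             # nonce-count did not increase: replay
            self.nonces[nonce] = nc
        return True
```

The verifier compares digests with a constant-time comparison and tracks the nonce-count per nonce, which is what lets a server detect a replayed Authorization header; the same H(A1) the client computes is all the server ever needs to store.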