http Web Authentication (PowerPoint presentation transcript)
  • Web authentication is used to verify a user's identity before allowing access to certain web pages
  • In a web browser the user sees a login prompt
  • There are two types of authentication: Basic and Digest
How Basic Authentication Works

  Client -> Server:
    GET /protected/index.html HTTP/1.1

  Server -> Client:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Basic realm="Private"

  Browser displays the login panel

  Client -> Server:
    GET /protected/index.html HTTP/1.1
    Authorization: Basic JAadf0987awe

Problems with Basic Authentication
  • Passwords are easy to intercept
  • Passwords are trivial to decode (Base64 is an encoding, not encryption)
  • Once you have the password you have access to many documents, not just the one that was intercepted
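The two slides above can be reproduced in a few lines. The following is an added example (not code from the presentation): it builds the Authorization header the browser sends after the login panel, shows that the credential comes straight back out of it with nothing but a Base64 decode, and wraps that in a check a proxy or IDS could run to flag Basic credentials travelling over a non-TLS connection. The request text, the host name and the credentials are constructed sample values.

```python
import base64
import binascii


def make_basic_header(username: str, password: str) -> str:
    """What the browser sends after the login panel: the scheme name and
    Base64("user:password"). Base64 is an encoding, not encryption; no key is involved."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def recover_credentials(header_line: str):
    """Undo that encoding. Returns (username, password) for a Basic header and
    None for any other header line. Anyone who sees the plaintext request can do this."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = decoded.partition(":")  # the password may itself contain colons
    return (user, pwd) if sep else None


def find_plaintext_basic(request_text: str, over_tls: bool):
    """A check a proxy or IDS could run: flag Basic credentials that travel unencrypted.
    Returns the (user, password) pair found on a non-TLS request, else None."""
    if over_tls:
        return None
    for line in request_text.split("\r\n"):
        creds = recover_credentials(line)
        if creds:
            return creds
    return None


# Constructed sample request, mirroring the slide's second GET with made-up credentials
SAMPLE_REQUEST = (
    "GET /protected/index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    + make_basic_header("Alice", "s3cret") + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(make_basic_header("Alice", "s3cret"))
    print(find_plaintext_basic(SAMPLE_REQUEST, over_tls=False))
```

`recover_credentials` splits at the first colon only, because the user name cannot contain one but the password can; a decoder that splits at the last colon would mangle such passwords.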
How Digest Authentication Works

  Client -> Server:
    GET /protected/index.html HTTP/1.1

  Server -> Client:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="Private", nonce="897sgkjhsadAdsiu"

  Browser displays the login panel

  Client -> Server:
    GET /protected/index.html HTTP/1.1
    Authorization: Digest username="Alice", realm="Private", nonce="897sgkjhsadAdsiu", response="5ijasd9734kuyasds0g"

Challenge and Response
  • Challenge (nonce): any string that changes from one challenge to the next
    • E.g. MD5(IP address:timestamp:server secret)
  • Response: the challenge hashed together with the user's name and password and the URI of the requested page
    • MD5(MD5(name:realm:password):nonce:MD5(request))
  • Server-specific implementation options
    • One time nonce
    • Time-stamped nonce
Digest Advantage over Basic
  • Password is not transmitted in a way that can be decrypted
  • Can't replay the client/server handshake because the nonce changes each time
  • The intercepted response is valid only for a single web page because the request is hashed into the response.
  • Disadvantages
    • Few web browsers support it
  • Shared disadvantages
    • The document itself can be sniffed!!!
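The "Challenge and Response" formula and the three advantages claimed above can be exercised end to end. The following is an added example, not code from the presentation: the client side computes MD5(MD5(name:realm:password):nonce:MD5(request)) exactly as the slide writes it (RFC 2617 spells the inner request hash as MD5(method:uri)); the server side implements both nonce options the slide lists, a time-stamped nonce of the form MD5(IP address:timestamp:server secret) and a one-time nonce that is spent on first successful use. The realm, user, password, client IP and server secret are constructed sample values, and time is passed in explicitly so the run is deterministic.

```python
import hashlib
import hmac


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """Client side: MD5(MD5(name:realm:password):nonce:MD5(request)) as on the slide.
    The request hash is MD5(method:uri), which is what ties the response to one page."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal server side with both slide options: time-stamped and one-time nonces."""

    def __init__(self, realm, server_secret, users, nonce_lifetime=300):
        self.realm = realm
        self.secret = server_secret
        # Store only HA1 = MD5(name:realm:password); it verifies responses without keeping passwords.
        self.user_ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = {}  # nonce -> issue time; a nonce is dropped once it has been used
        self.lifetime = nonce_lifetime

    def new_nonce(self, client_ip, now):
        nonce = md5hex(f"{client_ip}:{now}:{self.secret}")  # MD5(IP address:timestamp:server secret)
        self.issued[nonce] = now
        return nonce

    def challenge_header(self, client_ip, now):
        return f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{self.new_nonce(client_ip, now)}"'

    def verify(self, username, nonce, method, uri, response, now):
        issued_at = self.issued.get(nonce)
        if issued_at is None:  # never issued, or already spent: a replayed handshake
            return False
        if now - issued_at > self.lifetime:  # time-stamped nonce has expired
            del self.issued[nonce]
            return False
        ha1 = self.user_ha1.get(username)
        if ha1 is None:
            return False
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{ha1}:{nonce}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        del self.issued[nonce]  # one-time nonce: spent on success
        return True


def run_exchange():
    """Replays the slide's exchange plus the failure cases from the 'advantage' slide.
    Returns (genuine, replayed, other_uri, stale) verification results."""
    server = DigestServer("Private", "constructed-server-secret", {"Alice": "s3cret"})
    ip, uri = "203.0.113.7", "/protected/index.html"  # constructed sample values

    nonce = server.new_nonce(ip, now=1000)
    resp = digest_response("Alice", "Private", "s3cret", nonce, "GET", uri)
    genuine = server.verify("Alice", nonce, "GET", uri, resp, now=1001)
    replayed = server.verify("Alice", nonce, "GET", uri, resp, now=1002)  # same nonce again

    nonce2 = server.new_nonce(ip, now=1003)
    resp2 = digest_response("Alice", "Private", "s3cret", nonce2, "GET", uri)
    other_uri = server.verify("Alice", nonce2, "GET", "/protected/admin.html", resp2, now=1004)

    nonce3 = server.new_nonce(ip, now=2000)
    resp3 = digest_response("Alice", "Private", "s3cret", nonce3, "GET", uri)
    stale = server.verify("Alice", nonce3, "GET", uri, resp3, now=2400)  # 400 s > 300 s lifetime
    return genuine, replayed, other_uri, stale


if __name__ == "__main__":
    print(run_exchange())
```

Only the first verification succeeds: the replay fails because the one-time nonce was spent, the reuse against another page fails because MD5(method:uri) no longer matches, and the late response fails on the nonce timestamp. Note what the scheme does not protect: the server still has to store HA1, a plain MD5 of the password and realm, and the page itself still crosses the wire in the clear.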
Secure Socket Layer (ssl)
  • The secure socket layer sits between the transport layer and the application layer in the OSI model
  • SSL provides:
    • data encryption
      • Can the message be snooped?
    • server authentication
      • Is the machine you're connected to the REAL server?
    • message integrity
      • Was the message manipulated between you and the server?
    • Optionally, client authentication (seldom used)
      • Is the server sending data to a machine that should get the data?
Slide 8

  • Alice -> Bob: "Are you Bob?"
  • Bob -> Alice: {"Are you Bob?"} encrypted with Bob's private key
  • Alice: decrypt with Bob's public key
  • Problem: it's never a good idea to encrypt anything someone sent you with your private key

Slide 9

  • Alice -> Bob: "Are you Bob?"
  • Bob: hash {"Are you Bob?"}, then {hash} encrypted with Bob's private key
  • Bob -> Alice: "Are you Bob?" together with {hash} Bob's-private-key
  • Alice: decrypt {hash} with Bob's public key, compute hash {"Are you Bob?"} & compare
  • This method is known as a digital signature
  • Problem: Bob is still encrypting something sent to him

Slide 10

  • Alice -> Bob: Are you bob?
  • Bob: composes "Alice, this is bob (random)", computes hash {Alice, this is bob}, then {hash} encrypted with Bob's private key
  • Bob -> Alice: Alice, this is bob (random), together with {hash} Bob's-private-key
  • Alice: decrypt {hash} with Bob's public key, compute hash {Alice, this is bob}, compare
  • Problem: anyone can be Bob. Where did Alice get Bob's public key?
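Slides 9 and 10 describe hash-then-sign and the rule that Bob signs a message he composed himself, with his own random value in it, rather than the text Alice sent. The following is an added example (not code from the presentation) that runs that exchange with a toy textbook RSA key: two Mersenne primes so the modular arithmetic is genuine, no padding, and a SHA-224 digest chosen only because it fits below the modulus. Everything here is for illustration of the protocol shape; the key size and the unpadded signature are assumptions for readability, not a usable signature scheme.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding), built from two Mersenne primes so that the arithmetic
# is genuine while the key stays small enough to read. Nothing here is fit for real use.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)
BOB_PUBLIC_KEY = (N, E)
BOB_PRIVATE_KEY = (N, D)


def digest_as_int(message: str) -> int:
    # SHA-224 is 224 bits, below N (about 234 bits), so the hash is signed without wrapping.
    return int.from_bytes(hashlib.sha224(message.encode("utf-8")).digest(), "big")


def sign(message: str, private_key) -> int:
    """Slide 9: hash the message, then 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(message: str, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message)


def bob_answers(private_key):
    """Slide 10: Bob does not sign the text Alice sent. He composes his own reply that
    carries a fresh random value, and signs the hash of that."""
    reply = f"Alice, this is bob ({secrets.token_hex(8)})"
    return reply, sign(reply, private_key)


def alice_checks(reply: str, signature: int, bob_public_key) -> bool:
    """Alice accepts only a reply in the agreed form whose signature verifies under the
    key she believes is Bob's (where that key came from is the problem of the next slide)."""
    return reply.startswith("Alice, this is bob (") and verify(reply, signature, bob_public_key)


def demo():
    """Returns (genuine reply accepted, tampered reply accepted)."""
    reply, sig = bob_answers(BOB_PRIVATE_KEY)
    return alice_checks(reply, sig, BOB_PUBLIC_KEY), alice_checks(reply + "!", sig, BOB_PUBLIC_KEY)


if __name__ == "__main__":
    print(demo())
```

The random value inside Bob's reply is what makes each signed message different, so an old reply captured on the wire does not serve as an answer to a later challenge; the slide-8 problem disappears because nothing Alice chose is ever fed directly to the private key.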

Certificates
  • A certificate is a way of sending public keys to end users and ensuring they actually belong to the sender
  • They contain
    • Issuer's name
    • Info about the identity for whom the certificate has been signed
    • Public key of the sender
    • Some time stamps
  • A certificate is signed by a certificate authority
    • VeriSign, Thawte, …
  • Web browsers have the public keys of the certificate authorities pre-installed.
  • So, when a new certificate arrives and its signature can be decrypted with a certificate authority's key, it can be assumed that the certificate authority guarantees the public key of the sender
Slide 12

  • Alice -> Bob: Hi
  • Bob -> Alice: Hi, I'm bob, together with bob's certificate
  • Alice -> Bob: Prove it
  • Bob: hash {Alice, this is bob}, then {hash} encrypted with Bob's private key
  • Bob -> Alice: Alice, this is bob, together with {hash} Bob's-private-key
  • Alice: decrypt {hash} with Bob's public key (taken from the certificate), compute hash {Alice, this is bob}, compare
  • Alice -> Bob: Ok bob, here's a secret: {secret} encrypted with bob's public key
  • Bob: decrypt {secret} with Bob's private key
  • Either side -> the other: {Some message, hash{message}} encrypted with the secret key
  • Receiver: decrypt {message, hash} with the secret key, compute hash {message}, compare hashes

Advantages of SSL
  • Confidential session
  • Server authentication
  • GUI clues for users
  • Built into most browsers
  • Easy to configure on the server
  • Protocol has been analyzed extensively
Disadvantages of SSL
  • Users don't check certificates
    • Most don't know what they even mean
  • Too easy to obtain a certificate
  • Default settings are terrible
    • SSL version 2 is on
    • Totally insecure ciphers are included in the browsers
  • Very little use of client-side certificates
  • Performance hit on the server
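The "Default settings are terrible" point maps directly onto how a client-side SSL/TLS context is configured today. The following is an added example, not code from the presentation: using Python's standard `ssl` module, it sets up the kind of permissive context the slide complains about (legacy protocol versions allowed, no check on who the server is) beside a hardened one that does the server authentication the SSL slides describe (system CA store loaded, certificate required and matched against the host name, TLS 1.2 as the floor, forward-secret AEAD ciphers only), and a small audit function that reports the findings a reviewer would raise. The cipher string and the 1.2 floor are this example's choices, not something the slides specify.

```python
import ssl


def permissive_context() -> ssl.SSLContext:
    """The 'before' picture: any protocol version the library still speaks is allowed,
    and no certificate check is made. Kept only to contrast with the hardened one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # the slide's 'SSL version 2 is on'
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or none at all, is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Server authentication as the SSL slides describe it: the certificate must chain to
    a pre-installed CA key and must name the host we asked for."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv2/SSLv3/TLS 1.0/1.1 are refused outright
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # forward secrecy, AEAD ciphers only
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise for a client context; an empty list means clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("permissive:", audit(permissive_context()))
    print("hardened:  ", audit(hardened_context()))
```

The hardened context is what a `ctx.wrap_socket(sock, server_hostname=host)` call should be given; with `CERT_NONE` the "Is the machine you're connected to the REAL server?" question from the SSL slide is simply never asked, which is the client-side equivalent of the user not checking the certificate.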