http Web Authentication PowerPoint PPT Presentation
Presentation Transcript


http Web Authentication

  • Web authentication is used to verify a user's identity before allowing access to certain web pages

  • On web browsers you get a login prompt

  • There are two types of authentication: Basic and Digest


How Basic Authentication Works

Client to server:

    GET /protected/index.html HTTP/1.1

Server to client (the challenge):

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Basic realm="Private"

The browser displays a login panel, then repeats the request with the credentials attached:

    GET /protected/index.html HTTP/1.1
    Authorization: Basic JAadf0987awe


Problems with Basic Authentication

  • Passwords are easy to intercept

  • Passwords are trivial to decrypt

  • Once you have the password you have access to many documents


How Digest Authentication Works

Client to server:

    GET /protected/index.html HTTP/1.1

Server to client (the challenge, carrying a nonce):

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="Private" nonce="897sgkjhsadAdsiu"

The browser displays a login panel, then repeats the request with a response computed from the nonce and the credentials:

    GET /protected/index.html HTTP/1.1
    Authorization: Digest username="Alice" realm="Private" nonce="897sgkjhsadAdsiu" response="5ijasd9734kuyasds0g"


Challenge and Response

  • Challenge (nonce): any changing string

    • E.g. MD5(IP address:timestamp:server secret)

  • Response: the challenge hashed together with the user's name and password and the URI of the requested page

    • MD5(MD5(name:realm:password):nonce:MD5(request))

  • Server-specific implementation options

    • One time nonce

    • Time-stamped nonce


Digest Advantage over Basic

  • Password is not transmitted in a way that can be decrypted

  • Can’t replay the client/server handshake because the nonce changes each time

  • The intercepted response is valid only for a single web page because the response has the request hashed.

  • Disadvantages

    • Few web browsers support it

  • Shared disadvantages

    • The document itself can be sniffed!!!
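As an added example (not code from the slides), the Digest formula from the Challenge and Response slide in Go, together with the server-side check that makes the advantages listed above concrete: the same response fails once the nonce changes and fails for any other URI. Alongside it, a decoder for the Basic header shows the earlier slide's point that the password is only base64-encoded. Assumptions: "request" in the formula is taken as method:uri, the password "s3cret" is constructed, and the realm and nonce are the ones printed on the slides.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// md5hex returns the lowercase hex MD5 of s; the slides' scheme is MD5-based.
func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestResponse is MD5(MD5(name:realm:password):nonce:MD5(request)) from the
// "Challenge and Response" slide, taking "request" as method:uri (assumption).
func DigestResponse(user, realm, password, nonce, method, uri string) string {
	ha1 := md5hex(user + ":" + realm + ":" + password)
	ha2 := md5hex(method + ":" + uri)
	return md5hex(ha1 + ":" + nonce + ":" + ha2)
}

// VerifyDigest is the server side: recompute with the stored password and the nonce
// actually issued, then compare. A replay fails once the nonce changes or the URI differs.
func VerifyDigest(user, realm, password, issuedNonce, method, uri, response string) bool {
	return DigestResponse(user, realm, password, issuedNonce, method, uri) == response
}

// BasicPassword shows the Basic problem: the header is only base64-encoded,
// so whoever intercepts it reads the password directly.
func BasicPassword(header string) (user, pass string, err error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed Basic credentials")
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed values; the realm and nonce are the ones printed on the slides.
	r := DigestResponse("Alice", "Private", "s3cret", "897sgkjhsadAdsiu", "GET", "/protected/index.html")
	fmt.Println("issued nonce:", VerifyDigest("Alice", "Private", "s3cret", "897sgkjhsadAdsiu", "GET", "/protected/index.html", r))
	fmt.Println("fresh nonce: ", VerifyDigest("Alice", "Private", "s3cret", "newnonce42", "GET", "/protected/index.html", r))
}
```

A real server would also compare with crypto/subtle.ConstantTimeCompare and remember issued nonces so that each one is accepted only once.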


Secure Socket Layer (SSL)

  • The secure socket layer sandwiches itself between the transport layer and the application layer in the OSI model

  • SSL provides:

    • data encryption

      • Can the message be snooped?

    • server authentication

      • Is the machine you're connected to the REAL server?

    • message integrity

      • Was the message manipulated between you and the server?

    • Optionally client authentication (seldom used)

      • Is the server sending data to a machine that should get the data?


http Web Authentication

Alice to Bob:   "Are you Bob?"
Bob to Alice:   {"Are you Bob?"} encrypted with Bob's private key
Alice:          decrypts it with Bob's public key

Problem: it's never a good idea to encrypt anything someone sent you with your private key.


http Web Authentication

Alice to Bob:   "Are you Bob?"
Bob:            computes hash{"Are you Bob?"}
Bob to Alice:   "Are you Bob?" together with {hash} encrypted with Bob's private key
Alice:          decrypts {hash} with Bob's public key, computes hash{"Are you Bob?"} herself and compares

This method is known as a digital signature.

Problem: Bob is still encrypting something sent to him.


http Web Authentication

Alice to Bob:   "Are you Bob?"
Bob:            forms "Alice, this is Bob" plus a random value and computes hash{Alice, this is Bob}
Bob to Alice:   "Alice, this is Bob (random)" together with {hash} encrypted with Bob's private key
Alice:          decrypts {hash} with Bob's public key, computes hash{Alice, this is Bob} herself and compares

Problem: anyone can be Bob. Where did Alice get Bob's public key?


Certificates

  • A certificate is a way of sending public keys to end users while assuring that they actually belong to the sender

  • They contain

    • Issuer’s name

    • Info about the identity for whom the certificate has been signed

    • Public key of the sender

    • Some time stamps

  • A certificate is signed by a certificate authority

    • Verisign, Thawte, …

  • Web browsers have the public keys of the certificate authority pre-installed.

  • So, when a new certificate arrives and it can be decrypted with a certificate authority's key, it can be assumed that the certificate authority guarantees the public key of the sender


http Web Authentication

Alice to Bob:   "Hi"
Bob to Alice:   "Hi, I'm Bob", plus Bob's certificate
Alice to Bob:   "Prove it"
Bob:            computes hash{Alice, this is Bob}
Bob to Alice:   "Alice, this is Bob" together with {hash} encrypted with Bob's private key
Alice:          decrypts {hash} with Bob's public key (taken from the certificate), computes hash{Alice, this is Bob} herself and compares
Alice to Bob:   "OK Bob, here's a secret": {secret} encrypted with Bob's public key
Bob:            decrypts {secret} with Bob's private key

From here on each message travels as {some message, hash{message}} encrypted with the shared secret key; the receiver decrypts {message, hash}, computes hash{message} itself and compares the hashes.
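The "prove it" step of the two handshake slides above (Bob signing a statement that carries his own random value, Alice checking it with the public key she holds for Bob), written out in Go as an added example that is not code from the slides. RSA-2048 with SHA-256 and a key pair generated per run are assumptions standing in for the unnamed key and hash on the slides; the Verify comment states what the certificate slide adds, namely that the check only proves "Bob" if the public key used really is Bob's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds Bob's key pair; Alice only ever sees the public half.
type Server struct{ key *rsa.PrivateKey }

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: RSA-2048
	if err != nil {
		return nil, err
	}
	return &Server{key: k}, nil
}

func (s *Server) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// Challenge answers "Are you Bob?" as on the third slide: Bob appends his OWN
// random value to "Alice, this is bob", hashes it and signs the hash. He never
// signs text the client chose, which was the problem on the first two slides.
func (s *Server) Challenge() (statement, sig []byte, err error) {
	nonce := make([]byte, 16)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	statement = append([]byte("Alice, this is bob "), nonce...)
	h := sha256.Sum256(statement)
	sig, err = rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, h[:])
	return statement, sig, err
}

// Verify is Alice's "decrypt {hash} with Bob's public key, hash, compare". It proves
// the signer holds the key matching pub; whether pub is Bob's is what a certificate vouches for.
func Verify(pub *rsa.PublicKey, statement, sig []byte) bool {
	h := sha256.Sum256(statement)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	bob, _ := NewServer()
	statement, sig, _ := bob.Challenge()
	fmt.Println("verifies with Bob's key:", Verify(bob.PublicKey(), statement, sig))
}
```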


Advantages of SSL

  • Confidential session

  • Server authentication

  • GUI clues for users

  • Built into most browsers

  • Easy to configure on the server

  • Protocol has been analyzed extensively


Disadvantages of SSL

  • Users don’t check certificates

    • Most don’t know what they even mean

  • Too easy to obtain a certificate

  • Default settings are terrible

    • SSL version 2 is on

    • Totally insecure ciphers are included in the browsers

  • Very little use of client-side certificates

  • Performance hit to the server

