1 Access Authentication
1.1 Reliance on the HTTP/1.1 specification
This specification is a companion to the HTTP/1.1 specification [2]. It uses the augmented BNF of section 2.1 of that document and relies on both the non-terminals defined there and on other aspects of the HTTP/1.1 specification.
1.2 Access Authentication Framework
HTTP provides a simple challenge-response authentication mechanism that may be used by a server to challenge a client request and by a client to provide authentication information. It uses an extensible, case-insensitive token to identify the authentication scheme, followed by a comma-separated list of attribute-value pairs that carry the parameters needed to authenticate under that scheme.
auth-scheme = token
auth-param = token "=" ( token | quoted-string )
The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource. The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and MUST include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource.
challenge = auth-scheme 1*SP 1#auth-param
Note: user agents need to take special care when parsing the WWW-Authenticate or Proxy-Authenticate header field value if it contains more than one challenge, or if more than one WWW-Authenticate header field is provided, since the contents of a challenge may itself contain a comma-separated list of authentication parameters.
The authentication parameter realm is defined for all authentication schemes:
realm = "realm" "=" realm-value
realm-value = quoted-string
Franks, et al. Standards TRACK [Page 3]
The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed (the absoluteURI for the server whose abs_path is empty; see section 5.1.2 of [2]), defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realms.
A user agent that wishes to authenticate itself with an origin server, usually but not necessarily after receiving a 401 (Unauthorized), MAY do so by including an Authorization header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested. A client that wishes to authenticate itself with a proxy, usually but not necessarily after receiving a 407 (Proxy Authentication Required), MAY do so by including a Proxy-Authorization header field with the request. Both the Authorization and Proxy-Authorization field values consist of credentials containing the authentication information of the client for the realm of the resource being requested. The user agent MUST choose the challenge with the strongest auth-scheme it understands and request credentials from the user based upon that challenge.
credentials = auth-scheme #auth-param
Note that many browsers only recognize Basic and require that it be the first auth-scheme presented. Servers should only include Basic if it is minimally acceptable.
The protection space determines the domain over which credentials can be automatically applied. If a prior request has been authorized, the same credentials MAY be reused for all other requests within that protection space for a period of time determined by the authentication scheme, parameters, and/or user preference. Unless otherwise defined by the authentication scheme, a single protection space cannot extend outside the scope of its server.
If the origin server does not wish to accept the credentials sent with a request, it SHOULD return a 401 (Unauthorized) response. The response MUST include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. If a proxy does not accept the credentials sent with a request, it SHOULD return a 407 (Proxy Authentication Required) response. The response MUST include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy for the requested resource.
HTTP access authentication is not limited to this simple challenge-response mechanism. Additional mechanisms MAY be used, such as encryption at the transport level or message encapsulation, with additional header fields specifying authentication information. However, these additional mechanisms are not addressed by this specification.
Proxies MUST be completely transparent regarding user agent authentication by origin servers. That is, they MUST forward the WWW-Authenticate and Authorization headers untouched, and follow the rules found in section 14.8 of [2]. Both the Proxy-Authenticate and Proxy-Authorization header fields are hop-by-hop headers (see section 13.5.1 of [2]).
2 Basic Authentication Scheme
The "Basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm. The realm value should be considered an opaque string that can only be compared for equality with other realms on that server. The server will service the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters. For Basic, the framework above is utilized as follows:
challenge = "Basic" realm
credentials = "Basic" basic-credentials
Upon receipt of an unauthorized request for a URI within the protection space, the origin server MAY respond with a challenge like the following:
WWW-Authenticate: Basic realm="WallyWorld"
where "WallyWorld" is the string assigned by the server to identify the protection space of the Request-URI. A proxy may respond with the same challenge using the Proxy-Authenticate header field.
To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 [5] encoded string in the credentials.
basic-credentials = base64-user-pass
base64-user-pass = <base64 [5] encoding of user-pass, except not limited to 76 char/line>
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
Userids might be case sensitive.
If the user agent wishes to send the userid "Aladdin" and password "open sesame", it would use the following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
A client SHOULD assume that all paths at or below the directory of the Request-URI are also within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receiving another challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the Proxy-Authorization header field without receiving another challenge from the proxy server. See section 4 (Security Considerations) for the security considerations associated with Basic authentication.
3 Digest Access Authentication Scheme
3.1 Introduction
3.1.1 Purpose
The protocol referred to as "HTTP/1.0" includes the specification for a Basic Access Authentication scheme [1]. That scheme is not considered to be a secure method of user authentication, because the user name and password are passed over the network in clear text. This section provides the specification for a scheme that does not send the password in clear text, referred to as "Digest Access Authentication". The Digest Access Authentication scheme is not intended to be a complete answer to the need for security on the World Wide Web. It provides no encryption of message content; its intent is simply to create an access authentication method that avoids the most serious flaws of Basic authentication.
3.1.2 Overall Operation
Like Basic Access Authentication, the Digest scheme is based on a simple challenge-response paradigm.
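The Basic credentials of section 2, built and parsed in Python as an added example (this is not code from the RFC). The "Aladdin" / "open sesame" pair is the RFC's own example above; the parser splits only on the first colon, since the BNF forbids ":" in the userid but not in the password.

```python
import base64

# Added example (not part of RFC 2617): build and parse Basic credentials
# per the BNF above: user-pass = userid ":" password, base64 encoded.


def basic_credentials(userid: str, password: str) -> str:
    """Return the Authorization header value for the Basic scheme."""
    if ":" in userid:
        raise ValueError("userid may not contain ':' (it delimits the password)")
    user_pass = f"{userid}:{password}"
    # b64encode, not encodebytes: the BNF says the output is not limited to 76 char/line
    return "Basic " + base64.b64encode(user_pass.encode("latin-1")).decode("ascii")


def parse_basic_credentials(header_value: str) -> tuple[str, str]:
    """Split an Authorization value back into (userid, password).

    Splits on the first colon only, so a password containing ':' survives the
    round trip. Raises ValueError for a non-Basic scheme, bad base64 or a
    missing separator, so a server can answer with a fresh 401 challenge.
    """
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic":  # the auth-scheme token is case-insensitive
        raise ValueError("not a Basic credential")
    try:
        user_pass = base64.b64decode(encoded.strip(), validate=True).decode("latin-1")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed base64-user-pass") from exc
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("user-pass lacks the ':' separator")
    return userid, password


if __name__ == "__main__":
    # The RFC's example pair; the password travels in the clear, only encoded
    print(basic_credentials("Aladdin", "open sesame"))
```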
The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI. In this way, the password is never sent in the clear. Just as with the Basic scheme, the username and password must be prearranged in some fashion not addressed by this document.
3.1.3 Representation of digest values
An optional header allows the server to specify the algorithm used to create the checksum or digest. By default the MD5 algorithm is used, and that is the only algorithm described in this document.
For the purposes of this document, an MD5 digest of 128 bits is represented as 32 printable ASCII characters. The bits in the digest are converted from the most significant to the least significant bit, four bits at a time, to their ASCII presentation as follows. Each four bits is represented by its familiar hexadecimal notation from the characters 0123456789abcdef; that is, binary 0000 is represented by the character '0', 0001 by '1', and so on up to 1111, which is represented by 'f'.
3.1.4 Limitations
The Digest authentication scheme described in this document suffers from many known limitations. It is intended as a replacement for Basic authentication and nothing more. It is a password-based system and (on the server side) suffers from all the same problems as any other password system. In particular, no provision is made in this protocol for the initial secure arrangement between user and server to establish the user's password.
Users and implementors should be aware that this protocol is not as secure as Kerberos, and not as secure as any client-side private-key scheme. Nevertheless it is better than nothing, better than what is commonly used with telnet and ftp, and certainly better than Basic authentication.
3.2 Specification of Digest Headers
The Digest Access Authentication scheme is conceptually similar to the Basic scheme. The formats of the modified WWW-Authenticate header line and the Authorization header line are specified below. In addition, a new header, Authentication-Info, is specified.
3.2.1 The WWW-Authenticate Response Header
If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a 401 (Unauthorized) status code and a WWW-Authenticate header as per the framework defined above, which for the Digest scheme is utilized as follows:
challenge = "Digest" digest-challenge
digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] | [ stale ] | [ algorithm ] | [ qop-options ] | [auth-param] )
domain = "domain" "=" <"> URI ( 1*SP URI ) <">
URI = absoluteURI | abs_path
nonce = "nonce" "=" nonce-value
nonce-value = quoted-string
opaque = "opaque" "=" quoted-string
stale = "stale" "=" ( "true" | "false" )
algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
qop-options = "qop" "=" <"> 1#qop-value <">
qop-value = "auth" | "auth-int" | token
The meanings of the values of the directives used above are as follows:
realm
A string to be displayed to users so they know which username and password to use. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be "registered_users@gotham.news.com".
domain
A quoted, space-separated list of URIs, as specified in RFC XURI [7], that define the protection space. If a URI is an abs_path, it is relative to the canonical root URL (see section 1.2 above) of the server being accessed. An absoluteURI in this list may refer to a different server than the one being accessed.
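The note in section 1.2 warns that a WWW-Authenticate value may carry several challenges whose quoted parameters themselves contain commas (for example qop="auth,auth-int" above), so the value cannot simply be split on ",". The following parser, an added example and not code from the RFC, splits such a value into (auth-scheme, directives) pairs under the BNF above and picks the strongest scheme the client understands; the header value it is fed in the usage below is constructed.

```python
import re

# Added example, not from RFC 2617: parse a WWW-Authenticate / Proxy-Authenticate
# value into its challenges without breaking on commas inside quoted-strings.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token "=" ( token | quoted-string ); a quoted-string may hold \" escapes
_PARAM_RE = re.compile(rf'({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))')
# an auth-scheme is a bare token followed by whitespace, a comma, or the end of input
_SCHEME_RE = re.compile(rf"({_TOKEN})(?=[\s,]|$)")
_SEP_RE = re.compile(r"[\s,]*")  # the "," of the #-lists plus surrounding padding


def parse_challenges(header_value: str) -> list[tuple[str, dict[str, str]]]:
    """Return [(auth-scheme, {directive: value}), ...] in the order received.

    Directive names are case-insensitive and are lowercased; values keep their
    case (realm values are case-sensitive). Raises ValueError on malformed input.
    """
    challenges: list[tuple[str, dict[str, str]]] = []
    pos = _SEP_RE.match(header_value).end()
    while pos < len(header_value):
        m = _PARAM_RE.match(header_value, pos)
        if m and challenges:
            name, quoted, bare = m.groups()
            # unq(): drop the surrounding quotes and undo backslash escapes
            value = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
            challenges[-1][1][name.lower()] = value
        else:
            m = _SCHEME_RE.match(header_value, pos)
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}")
            challenges.append((m.group(1), {}))
        pos = _SEP_RE.match(header_value, m.end()).end()
    return challenges


def strongest_understood(challenges, known=("Digest", "Basic")):
    """Section 1.2: use the challenge with the strongest auth-scheme the client
    understands. `known` is ordered strongest first; returns None if none match."""
    for scheme in known:
        for name, params in challenges:
            if name.lower() == scheme.lower():  # auth-scheme tokens are case-insensitive
                return name, params
    return None


if __name__ == "__main__":
    # constructed header value: a Digest challenge followed by a Basic one
    hdr = 'Digest realm="registered_users@gotham.news.com", qop="auth,auth-int", ' \
          'nonce="constructed-nonce-1", algorithm=MD5, Basic realm="WallyWorld"'
    print(strongest_understood(parse_challenges(hdr)))
```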
The client can use this list to determine the set of URIs for which the same authentication information may be sent: any URI that has a URI in this list as a prefix may be assumed to be in the same protection space. If this directive is omitted or its value is empty, the client should assume that the protection space consists of all URIs on the responding server.
This directive is not meaningful in Proxy-Authenticate headers, for which the protection space is always the entire proxy; if present it should be ignored.
nonce
A server-specified data string which should be uniquely generated each time a 401 response is made. It is recommended that this string be base64 or hexadecimal data. Specifically, since the string is passed in the header lines as a quoted string, the double-quote character is not allowed. The contents of the nonce are implementation dependent; the quality of the implementation depends on a good choice. A nonce might, for example, be constructed as the base64 encoding of
time-stamp H(time-stamp ":" ETag ":" private-key)
where time-stamp is a server-generated time or other non-repeating value, ETag is the value of the HTTP ETag header associated with the requested entity, and private-key is data known only to the server. With a nonce of this form a server would recalculate the hash portion after receiving the client authentication header and reject the request if it did not match the nonce from that header or if the time-stamp value is not recent enough. In this way the server can limit the time of the nonce's validity. The inclusion of the ETag prevents a replay request for an updated version of the resource. (Note: including the IP address of the client in the nonce would appear to offer the server the ability to limit the reuse of the nonce to the same client that originally got it. However, that would break proxy farms, where requests from a single user often go through different proxies in the farm.
Also, IP address spoofing is not that hard.)
An implementation might choose not to accept a previously used nonce or a previously used digest, in order to protect against a replay attack. Or, an implementation might choose to use one-time nonces or digests for POST or PUT requests and a time-stamp for GET requests. For more details on the issues involved see section 4 of this document.
The nonce is opaque to the client.
opaque
A string of data, specified by the server, which should be returned by the client unchanged in the Authorization header of subsequent requests with URIs in the same protection space. It is recommended that this string be base64 or hexadecimal data.
stale
A flag indicating that the previous request from the client was rejected because the nonce value was stale. If stale is TRUE (case-insensitive), the client may wish to simply retry the request with a new encrypted response, without reprompting the user for a new username and password. The server should only set stale to TRUE if it receives a request for which the nonce is invalid but with a valid digest for that nonce (indicating that the client knows the correct username/password). If stale is FALSE, or anything other than TRUE, or the stale directive is not present, the username and/or password are invalid, and new values must be obtained.
algorithm
A string indicating a pair of algorithms used to produce the digest and a checksum. If this is not present it is assumed to be "MD5". If the algorithm is not understood, the challenge should be ignored.
In this document the string obtained by applying the digest algorithm to the data "data" with secret "secret" will be denoted by KD(secret, data), and the string obtained by applying the checksum algorithm to the data "data" will be denoted H(data). The notation unq(X) means the value of the quoted-string X without the surrounding quotes.
For the "MD5" and "MD5-sess" algorithms:
H(data) = MD5(data)
and
KD(secret, data) = H(concat(secret, ":", data))
That is, the digest is the MD5 of the secret concatenated with a colon concatenated with the data.
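The nonce construction suggested above (base64 of time-stamp followed by H(time-stamp ":" ETag ":" private-key)), the server-side check that recomputes the hash part, and the H and KD definitions for "MD5", as an added example that is not code from the RFC. PRIVATE_KEY, the ETag values and the clock values are constructed; the "stale" result is the case in which the server would answer with stale=true, as described above.

```python
import base64
import hashlib
import hmac

# Added example (not RFC 2617's code): nonce issuance and validation following
# the construction suggested in the nonce description, with H/KD for "MD5".
# PRIVATE_KEY is a constructed value; a real server keeps it secret and random.
PRIVATE_KEY = "constructed-private-key-known-only-to-the-server"


def H(data: str) -> str:
    """H(data) = MD5(data), rendered as 32 hex digits (section 3.1.3)."""
    return hashlib.md5(data.encode("latin-1")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(concat(secret, ":", data))."""
    return H(f"{secret}:{data}")


def make_nonce(etag: str, now: float) -> str:
    """Issue a nonce for a 401 response; `now` is the server clock in seconds."""
    time_stamp = str(int(now))
    mac = H(f"{time_stamp}:{etag}:{PRIVATE_KEY}")
    # the nonce travels inside a quoted-string, so base64 (which has no '"') is safe
    return base64.b64encode(f"{time_stamp} {mac}".encode()).decode()


def check_nonce(nonce: str, etag: str, now: float, max_age: float = 300) -> str:
    """Validate a nonce echoed back by a client.

    Returns "ok"; "stale" when the nonce is genuine but its time-stamp is too old
    or in the future (answer 401 with stale=true); or "invalid" when the hash does
    not match (forged, or the ETag changed because the resource was updated) or
    the value is not well-formed at all.
    """
    try:
        time_stamp, mac = base64.b64decode(nonce, validate=True).decode().split(" ", 1)
        age = now - int(time_stamp)
    except ValueError:  # bad base64, missing separator or non-numeric time-stamp
        return "invalid"
    expected = H(f"{time_stamp}:{etag}:{PRIVATE_KEY}")
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return "invalid"
    return "ok" if 0 <= age <= max_age else "stale"
```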
The "MD5-sess" algorithm is intended to allow efficient third-party authentication servers; for the difference in usage, see the description in section 3.2.2.2.
qop-options
This directive is optional, but is made so only for backward compatibility with RFC 2069 [6]; it SHOULD be used by all implementations compliant with this version of the Digest scheme. If present, it is a quoted string of one or more tokens indicating the "quality of protection" values supported by the server. The value "auth" indicates authentication; the value "auth-int" indicates authentication with integrity protection; see the descriptions below for calculating the response directive value for the application of this choice. Unrecognized options MUST be ignored.