RFC 2617 HTTP Authentication: self-translation (1)

Posted by zhaozj, 2021-02-08

Network Working Group                                          J. Franks
Request for Comments: 2617                       Northwestern University
Obsoletes: 2069                                          P. Hallam-Baker
Category: Standards Track                                 Verisign, Inc.
                                                            J. Hostetler
                                                         AbiSource, Inc.
                                                             S. Lawrence
                                                   Agranat Systems, Inc.
                                                                P. Leach
                                                   Microsoft Corporation
                                                             A. Luotonen
                                      Netscape Communications Corporation
                                                              L. Stewart
                                                       Open Market, Inc.
                                                               June 1999

HTTP Authentication: Basic and Digest Access Authentication

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (c) The Internet Society (1999). All Rights Reserved.

Abstract

"HTTP/1.0" includes the specification for a Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), because the user name and password are passed over the network as clear text.

This document also provides the specification for HTTP's authentication framework, the original Basic authentication scheme, and a scheme based on cryptographic hashes, referred to as "Digest Access Authentication". It is therefore also intended to serve as a replacement for RFC 2069 [6]. Some optional elements specified by RFC 2069 have been removed from this specification due to problems found since its publication; other new elements have been added for compatibility. Those new elements have been made optional, but are strongly recommended.

Franks, et al.              Standards Track                     [Page 1]

Like Basic, Digest access authentication verifies that both parties to a communication know a shared secret (a password); unlike Basic, this verification can be done without sending the password in the clear, which is Basic's biggest weakness. As with most other authentication protocols, the greatest sources of risk are usually found not in the core protocol itself but in the policies and procedures surrounding its use.
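The contrast the abstract draws, worked through in code as an added example (this is not text or code from the RFC, and the helper names are my own): a Basic credential is only base64 of "user:password", so anyone who can read the request gets the password back; a Digest credential is a hash bound to the server's nonce, so the password never crosses the wire and a captured response does not answer a fresh challenge. The sample values are the ones RFC 2617 uses in its section 3.5 example; the request-digest formula is the MD5 algorithm from section 3.2.2.1, and only qop="auth" is implemented here.

```python
"""Basic vs. Digest credentials on the wire, per RFC 2617.

Added example, not text or code from the RFC. Sample values are the
RFC 2617 section 3.5 example (user "Mufasa", realm "testrealm@host.com",
password "Circle Of Life"); the digest formula is section 3.2.2.1 (MD5).
"""
import base64
import hashlib
import hmac

# Sample values taken from the RFC 2617 section 3.5 example.
USER = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
URI = "/dir/index.html"


def basic_authorization(username: str, password: str) -> str:
    """Basic credentials are an encoding, not a protection: base64("user:pass")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic(header: str) -> tuple:
    """What an eavesdropper does with a captured Basic header: decode it back."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    # user-ids may not contain ':', so the first colon is the separator.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server may store this instead of the
    password (section 4.13), but it must still be protected: it is all that is
    needed to answer any challenge in this realm."""
    return _md5(f"{username}:{realm}:{password}")


def request_digest(ha1: str, method: str, uri: str, nonce: str,
                   nc: str = None, cnonce: str = None, qop: str = None) -> str:
    """request-digest from section 3.2.2.1, MD5 algorithm.
    qop="auth":                      MD5(HA1:nonce:nc:cnonce:qop:HA2)
    no qop (RFC 2069 compatibility): MD5(HA1:nonce:HA2)
    HA2 = MD5(method:digest-uri). qop="auth-int" (also hashes the body) is not shown."""
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is implemented here")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_ha1: str, method: str, uri: str, nonce: str,
                   nc: str, cnonce: str, qop: str, presented: str) -> bool:
    """Server side: recompute from the stored HA1 and the nonce it issued, then
    compare in constant time. Nonce freshness bookkeeping (section 4.3) is omitted."""
    expected = request_digest(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Run both schemes on the sample values and report what each exposes."""
    basic = basic_authorization(USER, PASSWORD)
    _, leaked_password = recover_basic(basic)

    ha1 = h_a1(USER, REALM, PASSWORD)
    args = ("GET", URI, NONCE, "00000001", "0a4f113b", "auth")
    response = request_digest(ha1, *args)
    wrong_response = request_digest(h_a1(USER, REALM, "not the password"), *args)

    return {
        "basic_header": basic,
        "leaked_password": leaked_password,          # recovered from the header alone
        "digest_response": response,                 # 32 hex chars, no password in it
        "server_accepts_good": server_accepts(ha1, *args, response),
        "server_accepts_wrong_password": server_accepts(ha1, *args, wrong_response),
        # The same response replayed against a fresh nonce fails: the hash is
        # bound to the challenge it answered.
        "server_accepts_replay_new_nonce": server_accepts(
            ha1, "GET", URI, "a-fresh-nonce", "00000001", "0a4f113b", "auth", response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two headers: the Basic one decodes straight back to the password, while the Digest response only verifies against the nonce it was computed for. Note that binding to the nonce stops a naive replay but not an offline dictionary attack on a captured response; the RFC's section 4 treats those attacks separately.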

Table of Contents

   1 Access Authentication................................................3
     1.1 Reliance on the HTTP/1.1 Specification............................3
     1.2 Access Authentication Framework...................................3
   2 Basic Authentication Scheme...........................................5
   3 Digest Access Authentication Scheme...................................6
     3.1 Introduction......................................................6
       3.1.1 Purpose.......................................................6
       3.1.2 Overall Operation.............................................6
       3.1.3 Representation of digest values...............................7
       3.1.4 Limitations...................................................7
     3.2 Specification of Digest Headers...................................7
       3.2.1 The WWW-Authenticate Response Header..........................8
       3.2.2 The Authorization Request Header.............................11
       3.2.3 The Authentication-Info Header...............................15
     3.3 Digest Operation.................................................17
     3.4 Security Protocol Negotiation....................................18
     3.5 Example..........................................................18
     3.6 Proxy-Authentication and Proxy-Authorization.....................19
   4 Security Considerations..............................................19
     4.1 Authentication of Clients using Basic Authentication.............19
     4.2 Authentication of Clients using Digest Authentication............20
     4.3 Limited Use Nonce Values.........................................21
     4.4 Comparison of Digest with Basic Authentication...................22
     4.5 Replay Attacks...................................................22
     4.6 Weakness Created by Multiple Authentication Schemes..............23
     4.7 Online dictionary attacks........................................23
     4.8 Man in the Middle................................................24
     4.9 Chosen plaintext attacks.........................................24
     4.10 Precomputed dictionary attacks..................................25
     4.11 Batch brute force attacks.......................................25
     4.12 Spoofing by Counterfeit Servers.................................25
     4.13 Storing passwords...............................................26
     4.14 Summary.........................................................26
   5 Sample implementation................................................27
   6 Acknowledgments......................................................31
   7 References...........................................................31
   8 Authors' Addresses...................................................32
   9 Full Copyright Statement.............................................34

Please credit the original address when reposting: https://www.9cbs.com/read-1833.html
