Network Working Group                                          J. Franks
Request for Comments: 2617                       Northwestern University
Obsoletes: 2069                                          P. Hallam-Baker
Category: Standards Track                                 VeriSign, Inc.
                                                            J. Hostetler
                                                         AbiSource, Inc.
                                                             S. Lawrence
                                                   Agranat Systems, Inc.
                                                                P. Leach
                                                   Microsoft Corporation
                                                             A. Luotonen
                                     Netscape Communications Corporation
                                                              L. Stewart
                                                       Open Market, Inc.
                                                               June 1999

      HTTP Authentication: Basic and Digest Access Authentication
Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) The Internet Society (1999). All Rights Reserved.
Abstract
   "HTTP/1.0" includes the specification for a Basic Access
   Authentication scheme.  This scheme is not considered to be a secure
   method of user authentication (unless used in conjunction with some
   external secure system such as SSL [5]), as the user name and
   password are passed over the network as cleartext.

   This document also provides the specification for HTTP's
   authentication framework, the original Basic authentication scheme
   and a scheme based on cryptographic hashes, referred to as "Digest
   Access Authentication".  It is therefore also intended to serve as a
   replacement for RFC 2069 [6].  Some optional elements specified by
   RFC 2069 have been removed from this specification due to problems
   found since its publication; other new elements have been added for
   compatibility.  Those new elements have been made optional, but are
   strongly recommended.
Franks, et al.              Standards Track                     [Page 1]

   Like Basic, Digest access authentication verifies that both parties
   to a communication know a shared secret (a password); unlike Basic,
   this verification can be done without sending the password in the
   clear, which is Basic's biggest weakness.  As with most other
   authentication protocols, the greatest sources of risk are usually
   found not in the core protocol itself but in the policies and
   procedures surrounding its use.
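The contrast the abstract draws, shown on the wire, as an added example that is not part of the RFC text or its section 5 sample implementation. The Basic header is only base64-encoded, so a decoder recovers the password from anything that observes the header; the Digest header carries MD5(H(A1):nonce:nc:cnonce:qop:H(A2)) with H(A1) = MD5(username:realm:password) and H(A2) = MD5(method:uri), the request-digest the RFC defines for qop="auth", so the server can verify the client from a stored H(A1) without ever seeing or storing the password. The credentials, realm, nonce and cnonce values are constructed for the example; the nonce check is deliberately minimal (the RFC's section 4.3 discusses limited-use nonces).

```python
import base64
import hashlib
import hmac
import re

# Constructed sample credentials; not values from the RFC.
USERNAME = "alice"
REALM = "example.test"
PASSWORD = "correct horse battery staple"


def basic_authorization_header(username, password):
    """Build the Authorization header the Basic scheme sends."""
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def basic_credentials_from_header(header):
    """Recover user-id and password from a Basic header.  base64 is an
    encoding, not encryption: whoever sees the header learns the password,
    which is the weakness the abstract names."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _h(data):
    """H() in the RFC's notation: the hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """H(A1) = MD5(username:realm:password).  A server can keep this value
    per user instead of the cleartext password (the RFC's section 4.13)."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop="auth": MD5(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_authorization_header(username, realm, password, method, uri,
                                nonce, nc, cnonce):
    """Client side: only the response hash leaves the host, never the password."""
    ha1 = digest_ha1(username, realm, password)
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return ("Digest " + f'username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


# key="quoted value" or key=token, comma separated
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header):
    """Split a Digest header into its name/value fields."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(rest)}


def server_verify_digest(header, method, issued_nonce, ha1_by_user):
    """Server side: recompute the response from the stored H(A1) for the
    claimed user and compare in constant time.  Returns False on any
    mismatch (unknown user, stale nonce, unsupported qop, wrong digest)."""
    f = parse_digest_header(header)
    stored_ha1 = ha1_by_user.get(f.get("username"))
    if stored_ha1 is None or f.get("nonce") != issued_nonce or f.get("qop") != "auth":
        return False
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f.get("response", ""))


if __name__ == "__main__":
    basic = basic_authorization_header(USERNAME, PASSWORD)
    print(basic, "->", basic_credentials_from_header(basic))
    nonce = "constructed-nonce-0001"
    digest = digest_authorization_header(USERNAME, REALM, PASSWORD, "GET",
                                         "/dir/index.html", nonce, "00000001", "0a4f113b")
    users = {USERNAME: digest_ha1(USERNAME, REALM, PASSWORD)}
    print(digest)
    print("password on the wire:", PASSWORD in digest,
          "verified:", server_verify_digest(digest, "GET", nonce, users))
```

Because the stored value is H(A1) rather than the password, a leaked credential table gives an attacker only what the header itself already carries in hashed form, whereas a Basic deployment must hold or compare against the cleartext password on every request. The method and URI are bound into H(A2), so a captured response verifies only for the same request.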
Table of Contents

   1   Access Authentication ............................................ 3
   1.1   Reliance on the HTTP/1.1 Specification ........................ 3
   1.2   Access Authentication Framework ............................... 3
   2   Basic Authentication Scheme ...................................... 5
   3   Digest Access Authentication Scheme
   3.1   Introduction
   3.1.1   Purpose
   3.1.2   Overview of Operation
   3.1.3   Representation of Digest Values
   3.1.4   Limitations
   3.2   Specification of Digest Headers
   3.2.1   The WWW-Authenticate Response Header ........................ 8
   3.2.2   The Authorization Request Header ........................... 11
   3.2.3   The Authentication-Info Header
   3.3   Digest Operation
   3.4   Security Protocol Negotiation ................................ 18
   3.5   Example ...................................................... 18
   3.6   Proxy-Authentication and Proxy-Authorization ................. 19
   4   Security Considerations
   4.1   Authentication of Clients Using Basic Authentication ......... 19
   4.2   Authentication of Clients Using Digest Authentication
   4.3   Limited Use Nonce Values ..................................... 21
   4.4   Comparison of Digest with Basic Authentication ............... 22
   4.5   Replay Attacks ............................................... 22
   4.6   Weakness Created by Multiple Authentication Schemes .......... 23
   4.7   Online Dictionary Attacks .................................... 23
   4.8   Man in the Middle ............................................ 24
   4.9   Chosen Plaintext Attacks ..................................... 24
   4.10  Precomputed Dictionary Attacks ............................... 25
   4.11  Batch Brute Force Attacks .................................... 25
   4.12  Spoofing by Counterfeit Servers .............................. 25
   4.13  Storing Passwords ............................................ 26
   4.14  Summary ...................................................... 26
   5   Sample Implementation ........................................... 27
   6   Acknowledgments ................................................. 31
   7   References ...................................................... 31
   8   Authors' Addresses .............................................. 32
   9   Full Copyright Statement ........................................ 34