
■ Secure Sockets Layer (SSL)

■ Windows Challenge/Response

■ Digital signatures and certificates

■ Smart cards

■ Biometrics

■ Cookies

In the paragraphs that follow, we discuss each of these methods and then look at various Web servers that may or may not support them.

Passwords

Passwords are the most common form of authentication used on the Web and networks today. They involve entering a word, phrase, or code into a field. The password is compared to the one that was entered when the user account was initially set up. If the password matches, the user is allowed to continue. In most cases, the password is combined with a username, so that both the username and password must match before the user is authenticated.

There are a number of different types of authentication involving passwords, and the type available will generally depend on the Web server and operating system being used. These include:

■ Anonymous

■ Basic or clear text

■ Basic with SSL Encryption

As you’ll see in the paragraphs that follow, each of these methods may be used for different purposes and may not be useful depending on the operating system, Web server, or client browser being used.

Anonymous users work much like a guest account and allow any user to gain access. This is commonly used to allow visitors of your site to access public information, such as Web pages displaying products available for sale. Because everyone is allowed, there are no requirements for the type of client being used.

Although anonymous users don’t require a user to enter a username or password, this doesn’t mean that you should give them free rein. After setting up a Web server, you should set anonymous users with the most restrictive access possible and allow them to access only files in directories meant for public display. A number of servers, such as Microsoft IIS, allow full access to the server by default and need to be configured so that anonymous users can’t access the data you don’t want them to see.

Basic or clear text is an unencrypted method of authentication. Users are presented with a dialog box, requiring them to enter a valid username and password. This is sent to the server, which compares the information to that of a valid account. If the username and password match, the user is able to proceed. Because most clients support clear text, most browsers will be able to use this method when attempting to enter sites with minimal security. Membership sites that are semi-secure commonly use basic or clear text authentication. However, because user account information is sent unencrypted, others may be able to view the username and password, which may allow them to obtain valid user account information that they could then use to access your site. Therefore, this method should be used only for accounts that have a minimal or moderate level of access to Web server content or network resources.

Basic authentication with SSL encryption is similar to clear text, except that usernames and passwords are encrypted before they’re sent to the server. This prevents hackers from obtaining valid account information and thereby accessing areas of your Web server or network that would be off-limits to anonymous users. SSL is the main protocol used for encrypting data over the Internet; developed by Netscape, SSL uses ciphers and keys to encrypt data and allows for 128-bit encryption to provide an extremely secure method of transmitting data. The SSL protocol is bundled in many different browsers on the market, allowing a wide variety of users to use this method of encryption. If a user is using a browser that supports SSL 2.0 or 3.0, an SSL session begins when the server sends a public key to the browser. The browser uses this key to send a randomly generated key back to the server, so that they can exchange data securely. SSL is commonly used on membership sites that require passwords to enter secure areas, or sites use it to send sensitive data (such as credit card numbers used in sales transactions).
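To make the clear-text point concrete, here is an added Python example (not from the book) showing that the Basic Authorization header a browser sends is only base64-encoded, so anyone who can read the request recovers the username and password unchanged, together with a server-side check that refuses Basic credentials unless the request arrived over SSL. The `over_ssl` flag is a hypothetical stand-in for whatever your server uses to know the connection is encrypted.

```python
import base64
import binascii
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication.

    The value is base64("username:password"). Base64 is an encoding, not
    encryption: it hides nothing from anyone who can see the request.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a Basic header, or None if malformed.

    This is exactly what an eavesdropper on a clear-text connection can do.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields; passwords may contain colons.
    user, sep, pwd = raw.partition(":")
    if not sep:
        return None
    return user, pwd


def accept_basic_credentials(header: str, over_ssl: bool) -> Tuple[bool, str]:
    """Server-side policy: honour Basic credentials only on an SSL-protected request.

    over_ssl is a hypothetical flag standing in for the server's knowledge of
    whether this request came in over an encrypted connection.
    """
    if not over_ssl:
        return False, "reject: Basic credentials received over clear text"
    creds = decode_basic_header(header)
    if creds is None:
        return False, "reject: malformed Authorization header"
    return True, f"accepted credentials for {creds[0]}"
```

The constructed header for `alice` / `s3cret` decodes back to the plain credentials in one call, which is why the book pairs Basic with SSL for anything beyond minimal access.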

Windows Challenge/Response is a method of authentication that can be used by Web servers running on Windows NT or Windows 2000, such as IIS 4.0 or Internet Information Services 5.0. In IIS 5.0, this method is also referred to as Integrated Windows Authentication. With this method, the user isn’t initially presented with a dialog box in which to enter information. Instead, a hashing technology is used to establish the user’s identity from information stored on the user’s computer. The information is presented to the server when the user logs onto the domain. If the attempt to send this information fails, the user is then presented with a dialog box, which allows him or her to enter a username and password. If this fails, the user will be unable to gain access. Because Windows Challenge/Response requires an NT Server or 2000 Server to be used, it may not be useful for your particular Web server. For example, if you were using Novell NetWare on your server, then this method wouldn’t be available for your use. Also, only users running Internet Explorer 2.0 or later can use this method. Another drawback is that, unlike the other methods discussed, this method can’t be used across proxy servers or firewalls. If a proxy server or firewall is used on a network, then they will use their own IP address in the hashing, and incorrect information will be passed to the Windows NT or 2000 operating system on which the Web server is running. If you are using Windows NT or 2000, with users running compatible versions of IE, then this method might be useful for a corporate intranet.

In document Hack Proofing Your E-Commerce Site (PDF), pages 155-158