www.ict.tuwien.ac.at
HTTP Authentication
Valentin Lein, Matriculation No. 0526536
Contents
- HTTP Basic Authentication
HTTP Basic Authentication
- Internet Engineering Task Force (IETF): RFC 2617, HTTP Authentication: Basic and Digest Access Authentication
- The client must authenticate itself to the server
HTTP Basic Authentication - Flow
1: Request
2: 401 Unauthorized, WWW-Authenticate: Basic
3: GET, Authorization: Basic <Base64 message>
5: 200 OK
Request
Hypertext Transfer Protocol
GET /skripten/FeTo/online2002/index.html HTTP/1.1
Host: www.ict.tuwien.ac.at
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.ict.tuwien.ac.at/skripten/FeTo/
Authentication Required
Hypertext Transfer Protocol
HTTP/1.1 401 Authorization Required
Request Version: HTTP/1.1
Response Code: 401
Date: Mon, 13 Dec 2010 15:42:14 GMT
Server: Apache
WWW-Authenticate: Basic realm="FeTo"
Content-Length: 519
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Line-based text data: text/html
Prompting the user for authentication
Client authentication
Hypertext Transfer Protocol
GET /skripten/FeTo/online2002/index.html HTTP/1.1
Request Method: GET
Request URI: /skripten/FeTo/online2002/index.html
Request Version: HTTP/1.1
Host: www.ict.tuwien.ac.at
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.ict.tuwien.ac.at/skripten/FeTo/
Authorization: Basic ZmV0bzpmZXRv
Credentials: feto:feto
Response OK
Hypertext Transfer Protocol
HTTP/1.1 200 OK
Request Version: HTTP/1.1
Response Code: 200
Date: Mon, 13 Dec 2010 15:42:14 GMT
Server: Apache
Last-Modified: Mon, 07 Jun 2004 10:43:32 GMT
ETag: "5542b9-421-3dc42f1c05d00"
Accept-Ranges: bytes
Content-Length: 1057
[Content length: 1057]
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html
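The captured exchange above shows the whole of Basic Authentication: the server's `WWW-Authenticate: Basic realm="FeTo"` challenge and the client's `Authorization: Basic ZmV0bzpmZXRv`, which the sniffer already decodes to `feto:feto`. The following example is added here and is not part of the slides; it implements both sides of that exchange in Python. The header value is the one captured on the slide; the `USER_DB` store and all function names are hypothetical, and a real server would keep a salted password hash rather than the plaintext shown.

```python
import base64
import binascii
import hmac

# Constructed sample: the Authorization header value captured on the slide.
CAPTURED_VALUE = "Basic ZmV0bzpmZXRv"

# Hypothetical server-side credential store (assumption for this example).
# Real deployments store a salted password hash, never the plaintext.
USER_DB = {"feto": "feto"}


def decode_basic(header_value):
    """Parse 'Basic <base64(user:pass)>' into (user, password).

    Returns None if the scheme is not Basic or the payload is malformed.
    Base64 is reversible: whoever sees this header on plain HTTP recovers
    the password. It is encoding, not encryption, hence Basic needs TLS.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 2617 leaves the charset unspecified; ISO-8859-1 is the safe default.
    text = raw.decode("latin-1")
    if ":" not in text:
        return None
    # Only the first ':' separates user-id and password; the password may
    # itself contain colons, so use partition rather than split.
    user, _, password = text.partition(":")
    return user, password


def encode_basic(user, password):
    """Build the header value the client sends in step 3 of the flow."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 2617 section 2)")
    token = base64.b64encode(f"{user}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")


def challenge(realm):
    """The header the server sends with the 401 in step 2 of the flow."""
    return f'WWW-Authenticate: Basic realm="{realm}"'


def check_credentials(header_value):
    """Server side: parse the header and verify against USER_DB.

    The password comparison is constant-time so a wrong password does not
    leak how many leading characters matched.
    """
    parsed = decode_basic(header_value)
    if parsed is None:
        return False
    user, password = parsed
    expected = USER_DB.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("latin-1"),
                               expected.encode("latin-1"))


if __name__ == "__main__":
    print(challenge("FeTo"))                 # step 2
    print(encode_basic("feto", "feto"))      # step 3: Basic ZmV0bzpmZXRv
    print(decode_basic(CAPTURED_VALUE))      # ('feto', 'feto')
    print(check_credentials(CAPTURED_VALUE)) # True
```

Running the block reproduces the exact token from the capture, which makes the point of the slide concrete: the "Credentials: feto:feto" line is not a server-side leak but simply the Base64 decoding of what the client sent.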
Alternatives to Basic Authentication
- HTTP+HTML Form-Based Authentication
- Digest Access Authentication
HTTP+HTML Form-Based Authentication
1: Request
2: HTML form: username?, password?, "login" button
3: Form data: username, password
5: OK
Digest Access Authentication
- Like Basic Authentication, specified in IETF RFC 2617
- The client must hash its credentials with MD5 when authenticating
Example from RFC 2617
- http://www.nowhere.org/dir/index.html
- Username: "Mufasa"
Authentication Required
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="testrealm@host.com",
                         qop="auth,auth-int",
                         nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                         opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Prompting the user for authentication
Mufasa
Computing the response
1. The MD5 hash of the combination username, authentication realm and password is computed => HA1.
2. The MD5 hash of the combination method and digest URI is computed, here "GET" and "/dir/index.html" => HA2.
3. The MD5 hash of HA1, server nonce (nonce), request counter (nc), client nonce (cnonce), quality of protection code (qop) and HA2 is computed => "response".
Client authentication
Authorization: Digest username="Mufasa",
                      realm="testrealm@host.com",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      uri="/dir/index.html",
                      qop=auth,
                      nc=00000001,
                      cnonce="0a4f113b",
                      response="6629fae49393a05397450978507c4ef1",
                      opaque="5ccc069c403ebaf9f0171e9517f40e41"
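The three steps on the previous slide, carried out on the RFC 2617 example headers shown above, as an added Python example that is not part of the slides. The challenge and Authorization header values are the ones from the slides; the password "Circle Of Life" is taken from the RFC 2617 example itself (it is not printed on the slides). The parser and the `verify` function are my own; RFC 2617 specifies the hash construction but not any particular API.

```python
import hashlib
import hmac
import re

# Constructed from the RFC 2617 section 3.5 example reproduced on the slides.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

AUTHORIZATION = ('Digest username="Mufasa", realm="testrealm@host.com", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'uri="/dir/index.html", qop=auth, nc=00000001, '
                 'cnonce="0a4f113b", '
                 'response="6629fae49393a05397450978507c4ef1", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

# Password from the RFC 2617 example (not on the slides).
PASSWORD = "Circle Of Life"

# key="quoted value" or key=token, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value):
    """Split 'Digest k1="v1", k2=v2, ...' into a dict with quotes removed."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def _md5(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop):
    """Steps 1-3 from the slide for qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")             # step 1
    ha2 = _md5(f"{method}:{uri}")                            # step 2
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")  # step 3


def verify(authorization, method, password, expected_nonce):
    """Server side: recompute the response and compare it in constant time.

    The nonce check is what gives Digest its replay resistance: the server
    must only accept responses for a nonce it issued and has not yet seen.
    Binding the method and URI into HA2 means a captured response for
    GET /dir/index.html cannot be reused for another request.
    """
    p = parse_digest_params(authorization)
    if p.get("nonce") != expected_nonce or p.get("qop") != "auth":
        return False
    try:
        expected = digest_response(p["username"], p["realm"], password,
                                   method, p["uri"], p["nonce"], p["nc"],
                                   p["cnonce"], p["qop"])
    except KeyError:
        return False
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    server_nonce = parse_digest_params(CHALLENGE)["nonce"]
    print(digest_response("Mufasa", "testrealm@host.com", PASSWORD, "GET",
                          "/dir/index.html", server_nonce, "00000001",
                          "0a4f113b", "auth"))       # 6629fae49393a05397450978507c4ef1
    print(verify(AUTHORIZATION, "GET", PASSWORD, server_nonce))   # True
    print(verify(AUTHORIZATION, "POST", PASSWORD, server_nonce))  # False
```

The computed value matches the `response` field in the header on this slide, which confirms that the slide's three steps are the complete algorithm for qop=auth. Note that the server needs HA1 (or the plaintext password) to verify, so the password database of a Digest server is as sensitive as that of a Basic server.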
Server response OK
HTTP/1.0 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
NTLM (NT LAN Manager) Authentication
- Challenge-response authentication
- Originally a proprietary Microsoft protocol; published since 2007
NTLM Authentication
1: GET
2: 401 Unauthorized, WWW-Authenticate: NTLM
3: GET, Authorization: NTLM <base64-encoded username>
4: 401 Unauthorized, WWW-Authenticate: NTLM <base64-encoded type-2 message> (challenge)
5: GET, Authorization: NTLM <base64-encoded type-3 message> (hashed challenge)
6: 200 OK
Sources:
- Basic and Digest Access Authentication: http://tools.ietf.org/html/rfc2617