tailieunhanh - WebSecurity
Web Security CS-431

HTTP Authentication
- Protect web content from those who don't have a "need to know".
- Require users to authenticate using a userid/password before they are allowed access to certain URLs.
- HTTP/ requires that when a user makes a request for a protected resource, the server responds with an authentication request header.
- WWW-Authenticate contains enough pertinent information to carry out a "challenge-response" session between the user and the server.

Client and Web Server exchange
- Client requests a protected resource.
- Server responds with a 401 (not authorized) and a challenge request for the client to authenticate.

Client Response
- Well established clients like Firefox, Internet Explorer, ... will respond to the challenge request (WWW-Authenticate) by presenting the user with a small pop-up window with data entry fields for userid and password, a Submit button and a Cancel button.
- Entering a valid userid and password will post the data to the server; the server will attempt authentication and, if authenticated, will serve the originally requested resource.

WWW-Authenticate
- The authentication request received by the browser will look something like:
  WWW-Authenticate = Basic realm="defaultRealm"
- Basic indicates that HTTP Basic authentication is requested.
- realm indicates the context of the login.
- Realms hold all of the parts of the security puzzle: Users, Groups, ACLs (Access Control Lists).

Basic Authentication
- userid and password are sent base64 encoded (might as well be plain text).
- A hacker doesn't even need to decode it; all he has to do is "replay" the blob of information he stole over and over (this is called a "replay attack").

WWW-Authenticate: Digest Authentication
- Digest Authentication attempts to overcome the shortcomings of Basic Authentication.
- WWW-Authenticate = Digest realm="defaultRealm" nonce="Server SpecificString"
- See RFC 2069 for a description of the nonce; each nonce is different.
- The nonce is used in the browser in a 1-way function (MD5, SHA-1, ...) to encode the userid and password for the server; this ...
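The two mechanisms above side by side, as an added example that is not part of the CS-431 slides: the Basic credential is built and then decoded back to plain text with no key at all, while the Digest response is computed the RFC 2069 way (no qop), so the password never crosses the wire and a server that accepts each nonce only once rejects a replayed Authorization header. The user names, passwords, realm name and nonces are constructed for the example; the single-use nonce policy and the choice to store HA1 instead of the password on the server are this example's own design choices, not something the slides specify.

```python
"""Added example (not from the CS-431 slides): HTTP Basic vs Digest (RFC 2069).
All user names, passwords, realms and nonces here are constructed test values."""
import base64
import hashlib
import secrets


def basic_credential(userid, password):
    """Build the Authorization value a browser sends for Basic auth.
    It is only base64, not encryption: anyone who captures it can decode it."""
    token = base64.b64encode(f"{userid}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header_value):
    """Reverse the Basic 'blob' to (userid, password); no secret is needed."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    userid, _, password = base64.b64decode(token).decode().partition(":")
    return userid, password


def _md5_hex(text):
    # MD5 is the algorithm RFC 2069 specifies; used here only to match the spec.
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(userid, realm, password, nonce, method, uri):
    """Client side of Digest auth (RFC 2069, no qop):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). The password itself is never sent."""
    ha1 = _md5_hex(f"{userid}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_challenge(header_value):
    """Pull realm and nonce out of a 'Digest realm="...", nonce="..."' header."""
    scheme, _, params = header_value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest challenge")
    fields = {}
    for part in params.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip('"')
    return fields


class DigestRealm:
    """Minimal server-side realm (example design): holds users as HA1 values
    and remembers the nonces it issued so each can be accepted only once."""

    def __init__(self, name):
        self.name = name
        self.ha1_by_user = {}
        self.issued_nonces = set()

    def add_user(self, userid, password):
        # Storing HA1 rather than the password limits what a DB leak exposes.
        self.ha1_by_user[userid] = _md5_hex(f"{userid}:{self.name}:{password}")

    def challenge(self):
        """Produce the WWW-Authenticate value; every challenge gets a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return f'Digest realm="{self.name}", nonce="{nonce}"'

    def verify(self, userid, nonce, method, uri, response):
        """Accept a response once per nonce: a captured Authorization header
        replayed later fails because its nonce has already been consumed."""
        if nonce not in self.issued_nonces or userid not in self.ha1_by_user:
            return False
        self.issued_nonces.discard(nonce)  # single use
        ha2 = _md5_hex(f"{method}:{uri}")
        expected = _md5_hex(f"{self.ha1_by_user[userid]}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    print(basic_credential("alice", "s3cret"))            # base64 only
    print(decode_basic(basic_credential("alice", "s3cret")))
    realm = DigestRealm("defaultRealm")
    realm.add_user("alice", "s3cret")
    chal = realm.challenge()
    fields = parse_challenge(chal)
    resp = digest_response("alice", fields["realm"], "s3cret",
                           fields["nonce"], "GET", "/private")
    print(realm.verify("alice", fields["nonce"], "GET", "/private", resp))  # True
    print(realm.verify("alice", fields["nonce"], "GET", "/private", resp))  # False (replay)
```

Running the block shows the Basic value decoding straight back to `alice:s3cret`, then a Digest round trip that succeeds once and fails on the second presentation of the same nonce. The replay protection lives entirely in the server's bookkeeping of issued nonces; a server that keeps handing out the same nonce, or never retires one, gives up the advantage Digest has over Basic.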