SY306 Web and Databases for Cyber Operations
SlideSet #21: HTTP Authentication
http://www.httpwatch.com/httpgallery/authentication/
http://httpd.apache.org/docs/2.2/howto/auth.html

Outline
• HTTP Basic Authentication
• HTTP Digest Authentication
HTTP Authentication
[Figure: Client and Server exchanging requests, labelled "Authentication?"]

Basic Authentication Demo
Basic Authentication
• Client
    GET /secret.html HTTP/1.0
• Server
    HTTP/1.1 401 Access Denied
    WWW-Authenticate: Basic realm="secret files"
    Content-Length: 0
• Client
    GET /secret.html HTTP/1.0
    Authorization: Basic dXNlcjpwYXNzd29yZA==
• Notes:

How to set up Basic Authentication
• Have mod_auth_basic enabled on web server
• Create password file (not on web accessible path)
    htpasswd -c myfile myuser
• Configure server to ask for credentials
  Ex. In .htaccess
    AuthType Basic
    AuthName myrealm
    AuthBasicProvider file
    AuthUserFile myfile
    Require valid-user
http://httpd.apache.org/docs/2.2/howto/auth.html
Lab Exercise
• Open terminal window (or ssh into mich300csdYYu, YY between 01 and 20)
• Create password file basicUsers.txt in your home dir (not web accessible) for your user mXXXXXX
    htpasswd -c basicUsers.txt mXXXXXX
• Create new folder BasicSecret in your public_html folder
• Copy starter.html in BasicSecret
• Create .htaccess file in BasicSecret with content
    AuthType Basic
    AuthName "Restricted files for basic"
    AuthBasicProvider file
    AuthUserFile /home/mids/mXXXXXX/basicUsers.txt
    Require valid-user
• In browser: http://mope.academy.usna.edu/~mXXXXXX/BasicSecret/starter.html
• Might need to change permissions for basicUsers.txt – in Unix
    setfacl -m u:www-data:rx basicUsers.txt

Base64 Encoding
• Encoding binary to text (NOT encryption)
• Uses 64 characters (6 bits needed to represent each symbol)
• To encode user:password
  – Concatenate the ASCII binary representation of each character
  – If the number of bytes is not a multiple of 3, add one or two all-zero bytes
  – Split each 3-byte (24-bit) block into four 6-bit blocks
  – Translate each 6-bit block to its Base64 character
  – If a 6-bit block came entirely from the padding, translate it to =
http://en.wikipedia.org/wiki/Base64
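As an added example (not part of the SY306 slides), the Python below implements the Base64 steps listed above by hand, then uses that encoder to build the Basic Authorization header from the exchange on the earlier slide and to take it apart again on the server side. The function names (encode_base64, decode_base64, basic_header, parse_basic_header) are this example's own; the stdlib base64 module would normally be used instead, but writing it out shows that the credential is merely re-encoded, not protected.

```python
import string

# Added example, not from the SY306 slides: hand-rolled Base64 following the
# slide's algorithm, plus Basic-auth header helpers. All names are this example's own.

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def encode_base64(data: bytes) -> str:
    """Encode bytes to Base64 by hand, following the slide's steps."""
    out = []
    # Step 1/2: walk the input in 3-byte blocks, zero-padding the last one.
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        pad = 3 - len(block)                 # number of all-zero bytes added
        block = block + b"\x00" * pad
        # Concatenate the three 8-bit values into one 24-bit integer.
        bits = (block[0] << 16) | (block[1] << 8) | block[2]
        # Step 3/4: split the 24 bits into four 6-bit values and look each one up.
        sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = [B64_ALPHABET[s] for s in sextets]
        # Step 5: a 6-bit block that came entirely from padding becomes '='.
        for j in range(pad):
            chars[3 - j] = "="
        out.extend(chars)
    return "".join(out)


def decode_base64(text: str) -> bytes:
    """Reverse of encode_base64; raises ValueError on malformed input."""
    if len(text) % 4 != 0:
        raise ValueError("Base64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        # '=' is only legal as the last one or two characters of a group.
        if pad > 2 or (pad and not quad.endswith("=" * pad)):
            raise ValueError("bad padding in %r" % quad)
        bits = 0
        for ch in quad:
            idx = 0 if ch == "=" else B64_ALPHABET.index(ch)  # ValueError if not Base64
            bits = (bits << 6) | idx
        triple = bytes([(bits >> 16) & 0xFF, (bits >> 8) & 0xFF, bits & 0xFF])
        out.extend(triple[:3 - pad])         # drop the bytes that were only padding
    return bytes(out)


def basic_header(username: str, password: str) -> str:
    """Client side: value of the Authorization header for Basic auth."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    return "Basic " + encode_base64(f"{username}:{password}".encode("utf-8"))


def parse_basic_header(header_value: str):
    """Server side: recover (username, password) from an Authorization header.

    Only the first ':' separates the fields, so passwords may contain colons.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    creds = decode_base64(token.strip()).decode("utf-8")
    user, sep, pw = creds.partition(":")
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return user, pw


if __name__ == "__main__":
    # The header from the slide decodes straight back to the clear-text credential.
    print(parse_basic_header("Basic dXNlcjpwYXNzd29yZA=="))
```

Running it on the slide's header value prints ('user', 'password'), which is the whole point of the "NOT encryption" bullet: anyone who can read the request on the wire (or in a proxy log) has the password, so Basic should only be deployed over TLS.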
[Tables: binary to/from Base64 character; binary to/from ASCII character]
ICE: Decode c3kzMDY6dGVzdA==

Digest Authentication
• Similar to basic authentication BUT
• Passwords are not sent in plain (base64) text
• Based on challenge-response authentication
  – Uses MD5 hash
Digest Authentication – Part 1
• Client
    GET /secret.html HTTP/1.0
• Server
    HTTP/1.1 401 Access Denied
    WWW-Authenticate: Digest realm="Restricted",
        nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb",
        algorithm=MD5, qop="auth"
    Content-Length: 0

Digest Authentication – Part 2
• Client
    GET /secret.html HTTP/1.0
    Authorization: Digest username="johnny", realm="Restricted",
        nonce="SQzKShMSBQA=03e769c8c1c9062dcd9adcb06a8f787897de64fb",
        uri="/secret.html", algorithm=MD5,
        response="ffd5ebb687c6198ef663e43b25a32d0e",
        qop=auth, nc=00000001, cnonce="80ddead374b429b7"
Pros:
Cons:
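The two slides above show the challenge and the client's answer but not how the response field is computed. As an added example (not from the slides), the Python below implements the RFC 2617 "auth" computation behind that field, parses an Authorization: Digest header of the kind shown, and verifies it the way a server does, from the stored MD5(username:realm:password) rather than from a clear-text password. The function names are this example's own, and because the slides do not give johnny's password his response value cannot be reproduced; the embedded sample is the worked example from RFC 2617 section 3.5, whose password is public.

```python
import hashlib
import hmac
import re

# Added example, not from the SY306 slides. Function names are this example's own.


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """What the htdigest file stores per user: MD5(username:realm:password)."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA2 = MD5(method:uri). The password itself never leaves the client."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# key="quoted value" or key=bare-token, separated by commas
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header_value: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict of parameter values."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def verify(header_value: str, method: str, realm: str, nonce: str,
           user_ha1: dict) -> bool:
    """Server side: recompute the response from the stored HA1 and compare.

    user_ha1 maps username -> HA1 hex, i.e. the content of the htdigest file.
    """
    p = parse_digest_header(header_value)
    needed = {"username", "realm", "nonce", "uri", "response", "nc", "cnonce"}
    if not needed.issubset(p):
        return False
    # Reject answers for another realm or for a nonce this server did not issue.
    if p["realm"] != realm or p["nonce"] != nonce:
        return False
    # This example only handles the variant the slides show: MD5 with qop=auth.
    if p.get("qop", "auth") != "auth" or p.get("algorithm", "MD5") != "MD5":
        return False
    stored = user_ha1.get(p["username"])
    if stored is None:
        return False
    expected = digest_response(stored, method, p["uri"], nonce, p["nc"], p["cnonce"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), p["response"].encode())


# Constructed sample: the worked example of RFC 2617 section 3.5 (user Mufasa,
# password "Circle Of Life"), not the johnny exchange from the slides.
RFC2617_REALM = "testrealm@host.com"
RFC2617_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC2617_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
                  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                  'qop=auth, nc=00000001, cnonce="0a4f113b", '
                  'response="6629fae49393a05397450978507c4ef1"')
RFC2617_DB = {"Mufasa": ha1("Mufasa", RFC2617_REALM, "Circle Of Life")}


if __name__ == "__main__":
    print(verify(RFC2617_HEADER, "GET", RFC2617_REALM, RFC2617_NONCE, RFC2617_DB))
```

Two design points worth noticing: the server only ever needs HA1, which is why htdigest can store that hash instead of the password, and the nonce check matters because a response is only meaningful for the challenge it answers; a server that accepted any nonce would let a captured Authorization header be replayed.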
How to set up Digest Authentication
• Have mod_auth_digest enabled on web server
• Create password file (not on web accessible path)
    htdigest -c myfile myrealm myuser
• Configure server to ask for credentials
  Ex. In .htaccess
    AuthType Digest
    AuthName myrealm
    AuthDigestProvider file
    AuthUserFile myfile
    Require valid-user
http://httpd.apache.org/docs/2.2/howto/auth.html

Other types of authentication
• NTLM Authentication
• Certificate Authentication
• Integrated Windows Authentication
• Form-based authentication