HTTP Authentication

HTTP authentication (specified by RFC 2617) lets a client prove to an HTTP server that it knows a user name and the matching password, in order to access that server's restricted resources.

General operation

When an HTTP client requests a resource protected by the server, the server responds differently depending on the request:
  • if the request contains no HTTP authentication header, the server responds with HTTP status code 401 (Unauthorized) and sends a header describing the authentication it requires,
  • if the request contains HTTP authentication headers, the server checks the user name and password; if authentication fails, the server responds with code 401 as in the previous case, otherwise it responds normally (code 200 OK).

Methods

Two methods are defined by RFC 2617:
  • the Basic method,
  • the Digest method.

Basic method

This method is the simplest, but also the least secure, because it transmits the password in clear (or nearly so). It is recommended only over an encrypted connection (HTTPS).

A server that does not receive a valid authentication header sends an HTTP header of this form:

WWW-Authenticate: Basic realm="WallyWorld"

The server indicates the required method (Basic), followed by its parameters. The Basic method requires only the realm parameter, which identifies the protection space.

The HTTP client can then retry the request with an Authorization header. This header must contain the method used (Basic) followed by the Base64 encoding of the user name and the password separated by the character ":" (colon).

For example, to use the user "Aladdin" with the password "open sesame", the client sends:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Base64("Aladdin:open sesame") = "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
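The Basic exchange end to end, as an added example that is not part of the original article: the client builds the header value described above and the server decodes and checks it. The `lookup` callback is an assumed helper that returns the stored password for a user name (or None if unknown).

```python
import base64
import hmac

def basic_challenge(realm: str) -> str:
    """Value of the WWW-Authenticate header sent with a 401 response."""
    return f'Basic realm="{realm}"'

def basic_authorization(username: str, password: str) -> str:
    """Client side: scheme name followed by Base64 of 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def basic_check(header_value: str, lookup) -> bool:
    """Server side: decode the Authorization value and compare the password
    in constant time. `lookup(username)` is an assumed helper returning the
    stored password or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed Base64 or non-UTF-8 bytes
    # Only the first colon separates the fields: the user name may not contain
    # one, but the password may.
    username, sep, password = decoded.partition(":")
    if not sep:
        return False
    stored = lookup(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
```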

Digest method

This method does not transmit the password in clear. Even though it is more secure than the Basic method, it remains vulnerable to attacks (interception of the communication, etc.).

The Digest method is more complex and uses more parameters.

Authentication request

The server can send an authentication request of the form:

WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"

The parameters are separated by commas and are the following:
  • realm: This parameter is shown to the user so that they know which user name and password to use. The string should at least contain the name of the host and the name of the user group that is required.
  • domain: (optional) Contains a list of URIs separated by spaces, defining the protection space. This parameter gives the list of URIs for which the requested user is valid.
  • nonce: String generated by the server with each 401 response. It is advised that this string use Base64 or hexadecimal characters. This parameter is used in the computation of the client's response.
  • opaque: (optional) String generated by the server, which the client must return unchanged.
  • stale: (optional) This parameter has two possible values: true or false. It is true if the previous authentication request was rejected only because an old value of the nonce parameter was used, false otherwise. The value true tells the client that it should retry the request with the new nonce value provided by the server, without asking the user for a name and password again.
  • algorithm: (optional) Indicates the algorithm to use for the hash functions. Two values are defined in RFC 2617: MD5 or MD5-sess.
  • qop: (optional) (Quality of Protection) This parameter indicates the supported protection levels: auth or auth-int.

Client authentication

A client authenticating with the Digest method uses two functions to compute certain parameters:

H(data) = MD5(data)

The function H returns, as a character string (hexadecimal format, in lowercase), the result of the MD5 hash function. Another hash algorithm (SHA, for example) may also be used. The algorithm employed is specified in the algorithm parameter.

KD(secret, data) = H(secret:data)

The function KD calls the function H with, as its argument, the concatenation of the two parameters secret and data separated by a colon.

The client then sends the Authorization header containing the method name Digest followed by the parameters:
  • username: Name of the user.
  • realm: Same value as in the server's response.
  • nonce: Same value as in the server's response.
  • algorithm: Same value as in the server's response.
  • opaque: Same value as in the server's response.
  • uri: URI of the protected resource requested (duplicated here because some proxies may modify the original URI).
  • response: This parameter contains 32 hexadecimal digits representing the value computed by the client, proving that it knows the password.
  • qop: (optional) (Quality of Protection) This parameter indicates the protection level applied. It must match one of the values returned by the server.
  • cnonce: (if qop is present) String generated by the client.
  • nc: (if qop is present) (nonce count) 8 hexadecimal digits representing the number of times the nonce value returned by the server has been used by the client; nc=00000001 the first time.

The value of the response parameter is computed as follows:

If qop is specified:

response = KD(H(A1), nonce:nc:cnonce:qop:H(A2))

Otherwise:

response = KD(H(A1), nonce:H(A2))

If algorithm is MD5 or is not specified:

A1 = username:realm:password

If algorithm is MD5-sess:

A1 = H(username:realm:password):nonce:cnonce

If qop is auth or is not specified:

A2 = http-method:uri

If qop is auth-int:

A2 = http-method:uri:H(entity)

Server response

The server recomputes the same values as the client to check whether authentication succeeds.

If the server responds positively (correct user and password), it includes in the response the HTTP header Authentication-Info, containing information about the successful authentication and about the next one.

This header also contains a list of parameters separated by commas:
  • nextnonce: Value to use for the next authentications in this protection space.
  • qop: (optional) Quality of protection applied to this response. This parameter must have the same value as in the client's request.
  • rspauth: (if qop is specified) This mutual authentication parameter proves that the server also knows the user and the password. It is computed in the same way as the response parameter, except for the value of A2, where http-method is an empty string.
  • cnonce: (if qop is specified) Same value as in the client's request.
  • nc: (if qop is specified) Same value as in the client's request.
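The response computation of the previous section and the rspauth computation described above, carried through for every branch the text lists (MD5 and MD5-sess, qop absent, auth and auth-int) together with the server-side check, as an added example in Python that is not part of the original article. The realm, nonce and opaque are the page's challenge values; the user name Mufasa, the password, the URI and the cnonce are assumed sample values.

```python
import hashlib
import hmac

def H(data) -> str:
    """H(data): MD5 of data as a lowercase hexadecimal string."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()

def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret:data)."""
    return H(f"{secret}:{data}")

def digest_response(method, uri, username, realm, password, nonce, qop=None,
                    nc=None, cnonce=None, algorithm="MD5", entity_body=b""):
    """Compute the Digest 'response' value for each branch the text lists."""
    if algorithm == "MD5-sess":  # A1 is bound to this nonce/cnonce pair
        a1 = f"{H(f'{username}:{realm}:{password}')}:{nonce}:{cnonce}"
    else:                        # MD5, or algorithm absent
        a1 = f"{username}:{realm}:{password}"
    if qop == "auth-int":        # auth-int also covers the entity body
        a2 = f"{method}:{uri}:{H(entity_body)}"
    else:                        # qop=auth, or qop absent
        a2 = f"{method}:{uri}"
    if qop:
        return KD(H(a1), f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")
    return KD(H(a1), f"{nonce}:{H(a2)}")

def server_check(params, method, stored_password, entity_body=b""):
    """Server side: recompute 'response' from the stored password and compare
    in constant time. On success return the rspauth value for the
    Authentication-Info header (same computation, empty method), else None."""
    args = (params["uri"], params["username"], params["realm"], stored_password,
            params["nonce"], params.get("qop"), params.get("nc"),
            params.get("cnonce"), params.get("algorithm", "MD5"), entity_body)
    if not hmac.compare_digest(digest_response(method, *args), params["response"]):
        return None
    return digest_response("", *args)

# Constructed exchange: realm, nonce and opaque are the page's challenge values;
# username, password, uri and cnonce are assumed sample values.
CHALLENGE = dict(realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 opaque="5ccc069c403ebaf9f0171e9517f40e41")
REQUEST = dict(CHALLENGE, username="Mufasa", uri="/dir/index.html", qop="auth",
               nc="00000001", cnonce="0a4f113b", algorithm="MD5")
REQUEST["response"] = digest_response("GET", REQUEST["uri"], REQUEST["username"],
                                      REQUEST["realm"], "Circle Of Life",
                                      REQUEST["nonce"], "auth", "00000001", "0a4f113b")
```

Calling `server_check(REQUEST, "GET", "Circle Of Life")` returns the rspauth to place in Authentication-Info; a wrong stored password yields None.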

Authentication with a proxy server

The authentication described above takes place between the user and the origin server.

It is also possible to authenticate with intermediate servers:

  • User with proxy
  • Proxy with proxy
  • Proxy with origin server.

For that, the HTTP headers Proxy-Authenticate and Proxy-Authorization are used in place of the headers WWW-Authenticate and Authorization. The HTTP status code 407 is used instead of code 401.

The header Proxy-Authentication-Info plays the same role as the header Authentication-Info.

A client may have to authenticate with both a proxy and the origin server, but not in the same response.

See also

External links

  • RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication - June 1999
