Access Control

Mobile Application Design and Development [./]
Spring 2010 — INFO 152 (CCN 42504)

Erik Wilde, UC Berkeley School of Information
2010-04-07

This work is licensed under a CC Attribution 3.0 Unported License [http://creativecommons.org/licenses/by/3.0/]


(2) Abstract

Many resources for mobile applications need to be access controlled, usually for security or privacy reasons. There are a number of common methods for implementing access control, and in this lecture we look at some of the fundamental ones (HTTP Basic Authentication and Digest Access Authentication, which are configured in the server) and at the underlying methods for encoding and hashing data.



Web Server Configuration

Outline (Web Server Configuration)

  1. Web Server Configuration [8]
  2. Security Concepts [3]
  3. HTTP Authentication [12]
    1. Basic Authentication [4]
    2. Digest Access Authentication [4]

(4) Server Rules




(5) General Server Setup




(6) Restricting Access

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
Listen 127.0.0.1:80
#Listen 80



(7) Document Root

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "C:/Documents and Settings/dret/Desktop"
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/Documents and Settings/dret/Desktop">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
   
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Order deny,allow
    Deny from all
    Allow from localhost

</Directory>
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.php4 index.php3 index.cgi index.pl index.html index.htm index.shtml index.phtml
</IfModule>



(8) File Handling and Processing

DefaultType text/plain

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types
    # (an example mapping line from conf/mime.types:)
    # text/html   html htm

    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>



(9) What's Going On?

68.204.118.125 - - [05/Apr/2010:20:30:12 +0200] "GET /lectures/mobapp-spring10/hotspot/hotspot/layout/ischool/ischool/circles.gif HTTP/1.1" 200 4789 "http://dret.net/lectures/mobapp-spring10/hotspot/hotspot/layout/ischool/ischool.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
95.108.156.251 - - [05/Apr/2010:20:30:16 +0200] "GET /glossary/dqdb HTTP/1.1" 200 20860 "-" "Yandex/1.01.001 (compatible; Win16; I)"
207.46.204.196 - - [05/Apr/2010:20:30:21 +0200] "GET /glossary/pop HTTP/1.1" 200 20751 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
207.46.12.156 - - [05/Apr/2010:20:30:36 +0200] "GET /glossary/base16 HTTP/1.1" 200 16147 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
207.46.204.182 - - [05/Apr/2010:20:30:40 +0200] "GET /rfc-index/reference/RFC3145 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
207.46.12.156 - - [05/Apr/2010:20:30:42 +0200] "GET /wwwwmap/nicetitle.js HTTP/1.1" 200 6012 "http://dret.net/glossary/base16" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
207.46.12.156 - - [05/Apr/2010:20:30:45 +0200] "GET /wwwwmap/nicetitle.css HTTP/1.1" 200 299 "http://dret.net/glossary/base16" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
207.46.12.156 - - [05/Apr/2010:20:30:48 +0200] "GET /glossary.css HTTP/1.1" 200 3641 "http://dret.net/glossary/base16" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;  SV1;  .NET CLR 1.1.4322;  .NET CLR 2.0.40607;  .NET CLR 3.0.30729;  .NET CLR 3.5.30729;  MS-RTC LM 8)"
59.149.193.49 - - [05/Apr/2010:20:30:50 +0200] "GET /lectures/web-fall08/variants+analysis HTTP/1.1" 200 33891 "http://images.google.com.hk/imgres?imgurl=http://dret.net/lectures/web-fall08/img/swot.png&imgrefurl=http://dret.net/lectures/web-fall08/variants%2Banalysis&usg=__ZiBLsfKY9gAN-IMbwP0Cc2rLdVs=&h=275&w=279&sz=32&hl=zh-TW&start=56&itbs=1&tbnid=cI15G4HQUyLaZM:&tbnh=112&tbnw=114&prev=/images%3Fq%3DSWOT%26start%3D40%26hl%3Dzh-TW%26safe%3Dstrict%26sa%3DN%26gbv%3D2%26ndsp%3D20%26tbs%3Disch:1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
59.149.193.49 - - [05/Apr/2010:20:30:50 +0200] "GET /lectures/web-fall08/img/swot.png HTTP/1.1" 200 32044 "http://images.google.com.hk/imgres?imgurl=http://dret.net/lectures/web-fall08/img/swot.png&imgrefurl=http://dret.net/lectures/web-fall08/variants%2Banalysis&usg=__ZiBLsfKY9gAN-IMbwP0Cc2rLdVs=&h=275&w=279&sz=32&hl=zh-TW&start=56&itbs=1&tbnid=cI15G4HQUyLaZM:&tbnh=112&tbnw=114&prev=/images%3Fq%3DSWOT%26start%3D40%26hl%3Dzh-TW%26safe%3Dstrict%26sa%3DN%26gbv%3D2%26ndsp%3D20%26tbs%3Disch:1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
59.149.193.49 - - [05/Apr/2010:20:30:52 +0200] "GET /favicon.ico HTTP/1.1" 200 958 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
59.149.193.49 - - [05/Apr/2010:20:31:06 +0200] "GET /lectures/web-fall08/img/swot.png HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; GTB0.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
207.46.13.52 - - [05/Apr/2010:20:31:10 +0200] "GET /rfc-index/reference/RFC5469 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
95.108.156.251 - - [05/Apr/2010:20:31:21 +0200] "GET /glossary/oeb HTTP/1.1" 200 17538 "-" "Yandex/1.01.001 (compatible; Win16; I)"
91.144.37.6 - - [05/Apr/2010:20:31:31 +0200] "GET /glossary/shttp HTTP/1.0" 200 24811 "http://www.google.com.sa/search?hl=ar&rlz=1T4SKPB_en___SY373&q=%D8%A8%D8%B1%D9%88%D8%AA%D9%88%D9%83%D9%88%D9%84+SHTTP&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.144.37.6 - - [05/Apr/2010:20:31:32 +0200] "GET /wwwwmap/nicetitle.js HTTP/1.0" 200 6012 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.144.37.6 - - [05/Apr/2010:20:31:37 +0200] "GET /wwwwmap/nicetitle.css HTTP/1.0" 200 299 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.144.37.6 - - [05/Apr/2010:20:31:37 +0200] "GET /glossary.css HTTP/1.0" 200 3641 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
91.85.167.115 - - [05/Apr/2010:20:31:38 +0200] "GET /biblio/reference/rdfainhtml HTTP/1.0" 200 6101 "-" "Wget/1.11.4"
91.144.37.6 - - [05/Apr/2010:20:31:52 +0200] "GET /wwwwmap/nicetitle-bg.png HTTP/1.0" 200 914 "http://dret.net/glossary/shttp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
67.195.112.227 - - [05/Apr/2010:20:31:54 +0200] "GET /glossary/pim HTTP/1.0" 200 17303 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.112.227 - - [05/Apr/2010:20:32:02 +0200] "GET /biblio/reference/rfc2300 HTTP/1.0" 200 4897 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
90.149.198.109 - - [05/Apr/2010:20:32:12 +0200] "GET /lectures/web-fall09/img/web-browser-usage.png HTTP/1.1" 200 24356 "http://images.google.no/images?hl=no&q=WebOS%20Browser&um=1&ie=UTF-8&sa=N&tab=wi" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1045 Safari/532.5"
207.46.13.93 - - [05/Apr/2010:20:32:15 +0200] "GET /rfc-index/reference/RFC2046 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
95.108.156.251 - - [05/Apr/2010:20:32:26 +0200] "GET /glossary/sdds HTTP/1.1" 200 22476 "-" "Yandex/1.01.001 (compatible; Win16; I)"
67.195.112.227 - - [05/Apr/2010:20:32:33 +0200] "GET /biblio/reference/sci2003.html HTTP/1.0" 200 4520 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
207.46.13.96 - - [05/Apr/2010:20:32:42 +0200] "GET /biblio/reference/rfc2985 HTTP/1.1" 304 - "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
77.83.223.27 - - [05/Apr/2010:20:32:58 +0200] "GET /projects/xslidy/ HTTP/1.1" 200 6841 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.366.2 Safari/533.4"



(10) What Went Wrong?

[Mon Apr 05 20:09:13 2010] [error] [client 207.46.13.87] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:09:52 2010] [error] [client 207.46.13.88] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:12:00 2010] [error] [client 65.55.218.158] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:12:40 2010] [error] [client 207.46.204.231] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:13:42 2010] [error] [client 207.46.13.91] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:14:41 2010] [error] [client 207.46.13.40] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:14:57 2010] [error] [client 136.152.139.79] File does not exist: /home/dret/public_html/lectures/mobapp-spring10/hotspot/kilauea/localization/en-us.js, referer: http://dret.net/lectures/mobapp-spring10/project-example
[Mon Apr 05 20:15:06 2010] [error] [client 193.63.197.246] File does not exist: /home/dret/public_html/lectures/web-fall08/hotspot/kilauea/localization/en-US.js, referer: http://dret.net/lectures/web-fall08/unicode
[Mon Apr 05 20:17:40 2010] [error] [client 207.46.199.49] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:17:49 2010] [error] [client 207.46.13.50] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:18:10 2010] [error] [client 207.46.195.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:18:10 2010] [error] [client 207.46.195.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:18:45 2010] [error] [client 207.46.204.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:20:14 2010] [error] [client 67.174.253.46] File does not exist: /home/dret/public_html/lectures/mobapp-spring10/hotspot/kilauea/localization/en-US.js, referer: http://dret.net/lectures/mobapp-spring10/geolocation
[Mon Apr 05 20:20:45 2010] [error] [client 207.46.204.242] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:20:53 2010] [error] [client 174.129.131.200] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:21:16 2010] [error] [client 207.46.204.189] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:21:18 2010] [error] [client 207.46.204.234] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:21:43 2010] [error] [client 207.46.204.228] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:22:18 2010] [error] [client 207.46.199.48] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:22:41 2010] [error] [client 207.46.204.238] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:23:08 2010] [error] [client 174.129.136.94] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:23:31 2010] [error] [client 174.129.136.94] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:24:09 2010] [error] [client 207.46.204.180] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:26:19 2010] [error] [client 220.181.94.237] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:26:53 2010] [error] [client 184.73.71.238] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:27:11 2010] [error] [client 207.46.204.182] File does not exist: /home/dret/public_html/lectures/infosys-ws06/xml-quickref.pdf
[Mon Apr 05 20:27:17 2010] [error] [client 67.195.112.227] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:27:51 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:28:30 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:28:33 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:28:39 2010] [error] [client 174.129.112.194] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:29:42 2010] [error] [client 207.46.204.228] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:30:11 2010] [error] [client 207.46.195.241] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:30:11 2010] [error] [client 68.204.118.125] File does not exist: /home/dret/public_html/lectures/mobapp-spring10/hotspot/kilauea/localization/en-US.js, referer: http://dret.net/lectures/mobapp-spring10/history
[Mon Apr 05 20:30:40 2010] [error] [client 207.46.204.182] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:31:10 2010] [error] [client 207.46.13.52] File does not exist: /home/dret/public_html/rfc-index/reference
[Mon Apr 05 20:32:15 2010] [error] [client 207.46.13.93] File does not exist: /home/dret/public_html/rfc-index/reference
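As an added example (not part of the lecture), the following Python reads lines of the two kinds shown on the "What's Going On?" and "What Went Wrong?" slides: the combined-format access log and the error log. The sample lines are quoted from those slides (two long browser user-agent strings are shortened). It groups status codes per client, lists each 404 together with the agent family that caused it, so that a crawler following a stale /rfc-index/reference link can be told apart from a probe, and extracts the filesystem paths the error log names. Those paths (/home/dret/public_html/...) never appear in responses to clients, which is exactly why the error log must not be readable by anyone but the administrator.

```python
"""Read Apache access-log (combined format) and error-log lines and answer the two
questions the slides pose: who is getting what, and what went wrong where."""
import re
from collections import Counter, defaultdict

# Lines quoted from the lecture's log slides (two browser user-agent strings shortened).
ACCESS_LOG = """\
207.46.204.196 - - [05/Apr/2010:20:30:21 +0200] "GET /glossary/pop HTTP/1.1" 200 20751 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
207.46.204.182 - - [05/Apr/2010:20:30:40 +0200] "GET /rfc-index/reference/RFC3145 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
59.149.193.49 - - [05/Apr/2010:20:31:06 +0200] "GET /lectures/web-fall08/img/swot.png HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
207.46.13.52 - - [05/Apr/2010:20:31:10 +0200] "GET /rfc-index/reference/RFC5469 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
91.85.167.115 - - [05/Apr/2010:20:31:38 +0200] "GET /biblio/reference/rdfainhtml HTTP/1.0" 200 6101 "-" "Wget/1.11.4"
207.46.13.93 - - [05/Apr/2010:20:32:15 +0200] "GET /rfc-index/reference/RFC2046 HTTP/1.1" 404 329 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
"""
ERROR_LOG = """\
[Mon Apr 05 20:12:00 2010] [error] [client 65.55.218.158] File does not exist: /home/dret/public_html/robots.txt
[Mon Apr 05 20:14:57 2010] [error] [client 136.152.139.79] File does not exist: /home/dret/public_html/lectures/mobapp-spring10/hotspot/kilauea/localization/en-us.js, referer: http://dret.net/lectures/mobapp-spring10/project-example
[Mon Apr 05 20:30:40 2010] [error] [client 207.46.204.182] File does not exist: /home/dret/public_html/rfc-index/reference
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Apache 2.2 error log: [time] [level] [client ip] message[, referer: url]
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] '
    r'(?P<message>.*?)(?:, referer: (?P<referer>\S+))?$'
)


def parse_access(text):
    """One dict per well-formed access-log line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]


def parse_errors(text):
    """One dict per error-log line; 'referer' is None when the line has none."""
    return [m.groupdict() for m in map(ERROR_RE.match, text.splitlines()) if m]


def status_by_client(records):
    """{client ip: Counter of status codes}; a client piling up 4xx is worth a look."""
    out = defaultdict(Counter)
    for r in records:
        out[r["ip"]][r["status"]] += 1
    return out


def not_found(records):
    """(client, path, agent family) for each 404, to tell a broken link from a probe."""
    return [(r["ip"], r["path"], r["agent"].split("/")[0]) for r in records if r["status"] == "404"]


def missing_files(error_records):
    """Counter of filesystem paths the error log reports as missing. These are
    server-side paths that the client never sees; only the log reveals them."""
    prefix = "File does not exist: "
    return Counter(e["message"][len(prefix):] for e in error_records if e["message"].startswith(prefix))


if __name__ == "__main__":
    access = parse_access(ACCESS_LOG)
    for ip, statuses in status_by_client(access).items():
        print(ip, dict(statuses))
    for ip, path, agent in not_found(access):
        print("404", ip, agent, path)
    for path, n in missing_files(parse_errors(ERROR_LOG)).most_common():
        print(n, path)
```

Both regexes anchor on the fixed field layout and treat the quoted fields as opaque, so a user agent or referer containing spaces, semicolons or URL-encoded data does not shift the columns; a line that does not match is dropped rather than misparsed.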



(11) Overriding Server Setup



Security Concepts


(13) Identification




(14) Authentication




(15) Authorization



HTTP Authentication


(17) HTTP Sessions




(18) Logging In




(19) Logging Out




(20) Browser Controls

Logging out of HTTP Authentication

Basic Authentication


(22) Configuration Steps

  • Create a list of users and their passwords
    htpasswd -c …/passwords.txt dret
  • Users and passwords are stored in a user file/database (here in plaintext; keep this file outside the document tree so that it can never be requested over HTTP)
    dret:supersecret
    
  • Configure the server to apply basic authentication
    AuthType Basic
    AuthName "Protected by Basic Authentication"
    AuthBasicProvider file
    AuthUserFile "C:\Documents and Settings\dret\Desktop\drectures\mobapp-spring10\src\basic\passwords.txt"
    Require user dret
  • Protect files by placing them in the directory these directives apply to [src/basic/basic.html]



(23) First HTTP Request

GET /drectures/mobapp-spring10/src/basic/basic.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/basic/
If-Modified-Since: Wed, 07 Apr 2010 16:54:02 GMT
If-None-Match: "a00000002d8d8-160-483a868c94a7c"
Cache-Control: max-age=0

HTTP/1.1 401 Authorization Required
Date: Wed, 07 Apr 2010 17:55:05 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
WWW-Authenticate: Basic realm="Protected by Basic Authentication"
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en



(24) Second HTTP Request

GET /drectures/mobapp-spring10/src/basic/basic.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/basic/
If-Modified-Since: Wed, 07 Apr 2010 16:54:02 GMT
If-None-Match: "a00000002d8d8-160-483a868c94a7c"
Cache-Control: max-age=0, max-age=0
Authorization: Basic ZHJldDpzdXBlcnNlY3JldA==

HTTP/1.1 304 Not Modified
Date: Wed, 07 Apr 2010 17:55:12 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Etag: "a00000002d8d8-160-483a868c94a7c"
X-Pad: avoid browser bug



(25) Authentication Security

  • Username/password are encoded in Base64 [http://en.wikipedia.org/wiki/Base64]
    • an encoding is not an encryption
  • Decoding Base64 [http://www.motobit.com/util/base64-decoder-encoder.asp] is a very simple process
    • anyone who sees the request can recover the credentials without needing any key
  • Basic authentication should never be used without HTTPS [Authentication; HTTP over SSL (HTTPS) (1)]
    • on unencrypted networks (wireless in particular) the browser broadcasts username/password with every request to the protected area
    • whoever captures them will often try the same username/password on other services as well
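The following Python is an added example, not code from the lecture. It takes the second request of the Basic Authentication exchange captured above (headers trimmed to the ones that matter), pulls out the Authorization header, and recovers the credentials exactly as a passive listener on an unencrypted network would; it then shows the client-side encoding and the server-side check against the plaintext passwords.txt line from the configuration slide together with `Require user dret`. The split on the first colon only follows RFC 7617, since a password may itself contain colons.

```python
"""What Basic Authentication puts on the wire, and what each side does with it."""
import base64
import binascii
import hmac

# Second request of the lecture's Basic exchange, reduced to the relevant headers.
CAPTURED_REQUEST = (
    "GET /drectures/mobapp-spring10/src/basic/basic.html HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Authorization: Basic ZHJldDpzdXBlcnNlY3JldA==\r\n"
    "\r\n"
)
# The htpasswd line shown in the lecture (stored in plaintext in that setup).
HTPASSWD_LINE = "dret:supersecret"


def authorization_header(raw_request):
    """Return the value of the Authorization header of a raw HTTP request, or None."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return value.strip()
    return None


def decode_basic(header_value):
    """Undo what the browser did: Base64-decode 'Basic <token>' into (user, password).
    No key is involved; Base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not Basic authentication: {scheme!r}")
    try:
        credentials = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = credentials.partition(":")   # first colon only (RFC 7617)
    if not sep:
        raise ValueError("credentials lack the user:password separator")
    return user, password


def encode_basic(user, password):
    """What a client does before sending; the user-id may not contain a colon."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def server_check(header_value, htpasswd_line, required_user):
    """Server side for the lecture's setup: plaintext user file plus 'Require user <name>'.
    Any malformed header is simply a failed login."""
    try:
        user, password = decode_basic(header_value)
    except ValueError:
        return False
    stored_user, _, stored_password = htpasswd_line.partition(":")
    return (
        user == required_user
        and user == stored_user
        and hmac.compare_digest(password.encode("utf-8"), stored_password.encode("utf-8"))
    )


def eavesdropper_view(raw_request):
    """What anyone on the network path recovers from a single unencrypted request."""
    header = authorization_header(raw_request)
    return decode_basic(header) if header else None


if __name__ == "__main__":
    print("eavesdropper sees:", eavesdropper_view(CAPTURED_REQUEST))
    print("server accepts:", server_check(authorization_header(CAPTURED_REQUEST), HTPASSWD_LINE, "dret"))
```

Note that the server check is the only place where a secret comparison happens, and it uses a constant-time compare; nothing in the eavesdropper's path needs any secret at all, which is the whole point of the slide.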


Digest Access Authentication


(27) Configuration Steps

  • Configure the server to support digest access configuration
    LoadModule auth_digest_module modules/mod_auth_digest.so
  • Create a list of users and their passwords
    htdigest -c …/passwords.txt "Protected by Digest Access Authentication" dret
  • Users and passwords are stored in a user file/database
    dret:Protected by Digest Access Authentication:137fb94b16afd473a12e1c612e80c832
  • Configure the server to apply basic authentication
    AuthType Digest
    AuthName "Protected by Digest Access Authentication"
    AuthDigestProvider file
    AuthUserFile "C:\Documents and Settings\dret\Desktop\drectures\mobapp-spring10\src\digest\passwords.txt"
    Require user dret
  • Control files by placing them in the appropriate directory [src/digest/digest.html]



(28) First HTTP Request

GET /drectures/mobapp-spring10/src/digest/digest.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/digest/
If-Modified-Since: Wed, 07 Apr 2010 16:53:43 GMT
If-None-Match: "2a00000002d8e0-178-483a867a21110"
Cache-Control: max-age=0

HTTP/1.1 401 Authorization Required
Date: Wed, 07 Apr 2010 18:00:04 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
WWW-Authenticate: Digest realm="Protected by Digest Access Authentication", nonce="lsP1VKmDBAA=c14f7b87339d28d745e26b2911b0bef46792a929", algorithm=MD5, qop="auth"
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en



(29) Second HTTP Request

GET /drectures/mobapp-spring10/src/digest/digest.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/drectures/mobapp-spring10/src/digest/
If-Modified-Since: Wed, 07 Apr 2010 16:53:43 GMT
If-None-Match: "2a00000002d8e0-178-483a867a21110"
Cache-Control: max-age=0, max-age=0
Authorization: Digest username="dret", realm="Protected by Digest Access Authentication", nonce="lsP1VKmDBAA=c14f7b87339d28d745e26b2911b0bef46792a929", uri="/drectures/mobapp-spring10/src/digest/digest.html", algorithm=MD5, response="00067dc79112f87c811e23a36ec4a5ed", qop=auth, nc=00000001, cnonce="be2bd6d9be1058b4"

HTTP/1.1 304 Not Modified
Date: Wed, 07 Apr 2010 18:00:11 GMT
Server: Apache/2.2.9 (Win32) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.6
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Etag: "2a00000002d8e0-178-483a867a21110"
X-Pad: avoid browser bug



(30) Authentication Security

  • The password is never transmitted (the username is, in the clear, in the Authorization header)
  • 401 response contains a nonce for authentication
    • nonce values let the server reject replayed credentials
    • realm and nonce are required to calculate the credentials
  • Client proves knowledge of the password with hash values (MD5 in this exchange)
    • username, realm, and password are turned into a hash value (HA1, which is also what the server stores)
    • request method and request URI are turned into a hash value (HA2)
    • HA1, the nonce, the request counter, the client nonce, the qop value and HA2 are hashed into the response
  • Digest access authentication implementations differ
    • security depends on the exact feature set used by client and server
    • anyone recording the exchange has everything except the password and can try candidate passwords offline against the response
    • using HTTPS [Authentication; HTTP over SSL (HTTPS) (1)] is a good idea in this scenario
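The following Python is an added example and not the lecture's code. It implements RFC 2617 Digest Access Authentication with algorithm=MD5 and qop=auth on both sides: the client builds the Authorization header, the server recomputes the response from the stored HA1, checks that the nonce is one it issued and that the uri matches the request line, and compares in constant time. The realm, the htdigest entry and the captured challenge and Authorization header are taken from the slides above; `captured_exchange_verifies()` checks that captured header against that htdigest entry and returns True only if the entry shown is the one the server used when the exchange was recorded. The password "supersecret" used for the fresh exchange is an assumption carried over from the Basic Authentication slide. The last function shows the offline attack an eavesdropper can run against a recorded exchange, which is why the slide still recommends HTTPS.

```python
"""Digest Access Authentication (RFC 2617, algorithm=MD5, qop=auth): client side,
server side, nonce checking, and the offline dictionary attack an eavesdropper can run."""
import hashlib
import hmac
import re
import secrets

REALM = "Protected by Digest Access Authentication"
# htdigest entry from the lecture: user:realm:HA1 with HA1 = MD5("user:realm:password").
HTDIGEST_LINE = "dret:Protected by Digest Access Authentication:137fb94b16afd473a12e1c612e80c832"
# Challenge nonce, request URI and Authorization header from the lecture's captured digest exchange.
CAPTURED_NONCE = "lsP1VKmDBAA=c14f7b87339d28d745e26b2911b0bef46792a929"
CAPTURED_URI = "/drectures/mobapp-spring10/src/digest/digest.html"
CAPTURED_AUTHORIZATION = (
    'Digest username="dret", realm="Protected by Digest Access Authentication", '
    f'nonce="{CAPTURED_NONCE}", uri="{CAPTURED_URI}", algorithm=MD5, '
    'response="00067dc79112f87c811e23a36ec4a5ed", qop=auth, nc=00000001, cnonce="be2bd6d9be1058b4"'
)
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]+))')   # key="quoted" or key=token


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method, uri):
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_value, nonce, nc, cnonce, qop, method, uri):
    # With qop=auth the request counter and the client nonce are mixed in as well.
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


def parse_authorization(header):
    """Parse 'Digest k=v, k="v", ...' into a dict; reject other schemes."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {key: quoted or token for key, quoted, token in PARAM_RE.findall(params)}


def load_htdigest(line):
    user, realm, ha1_value = line.strip().split(":", 2)
    return {(user, realm): ha1_value}


def client_authorization(username, password, realm, nonce, method, uri, nc="00000001", cnonce=None):
    """What the browser builds after the 401: hashes over the password, never the password."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(username, realm, password), nonce, nc, cnonce, "auth", method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'algorithm=MD5, response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"')


def server_verify(header, method, request_uri, store, issued_nonces):
    """Known user, a nonce we issued, uri matching the request line, matching hash."""
    try:
        p = parse_authorization(header)
        ha1_value = store[(p["username"], p["realm"])]
        if p["nonce"] not in issued_nonces or p["uri"] != request_uri:
            return False
        expected = digest_response(ha1_value, p["nonce"], p["nc"], p["cnonce"], p["qop"], method, p["uri"])
        return hmac.compare_digest(expected, p["response"])
    except (ValueError, KeyError):
        return False


def captured_exchange_verifies():
    """The lecture's captured header checked against the lecture's htdigest entry."""
    return server_verify(CAPTURED_AUTHORIZATION, "GET", CAPTURED_URI, load_htdigest(HTDIGEST_LINE), {CAPTURED_NONCE})


def fresh_exchange(password="supersecret"):
    """Hypothetical password. Returns (valid, replayed under a new nonce, method changed)."""
    store = {("dret", REALM): ha1("dret", REALM, password)}
    nonce = secrets.token_hex(16)
    header = client_authorization("dret", password, REALM, nonce, "GET", CAPTURED_URI)
    valid = server_verify(header, "GET", CAPTURED_URI, store, {nonce})
    replayed = server_verify(header, "GET", CAPTURED_URI, store, {secrets.token_hex(16)})
    changed = server_verify(header, "POST", CAPTURED_URI, store, {nonce})
    return valid, replayed, changed


def crack_password(header, method, candidates):
    """Eavesdropper's offline attack: everything except the password is in the header."""
    p = parse_authorization(header)
    for candidate in candidates:
        guess = digest_response(ha1(p["username"], p["realm"], candidate),
                                p["nonce"], p["nc"], p["cnonce"], p["qop"], method, p["uri"])
        if guess == p["response"]:
            return candidate
    return None


if __name__ == "__main__":
    print("captured exchange verifies:", captured_exchange_verifies())
    print("fresh exchange (valid, replayed, changed):", fresh_exchange())
    print("cracked:", crack_password(CAPTURED_AUTHORIZATION, "GET", ["password", "letmein", "supersecret"]))
```

The nonce set stands in for the nonce bookkeeping a real server does (Apache's mod_auth_digest binds nonces to a time window and tracks the nc counter); the point here is that a response computed for one nonce is worthless under any other, while a recorded exchange remains vulnerable to password guessing for as long as the password lasts.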

