Identity and Authentication

Web Architecture [./]
Fall 2008 — INFO 290-03 (CCN 42584)

Erik Wilde, UC Berkeley School of Information
2008-09-16

Creative Commons License [http://creativecommons.org/licenses/by/3.0/]

This work is licensed under a CC
Attribution 3.0 Unported License
[http://creativecommons.org/licenses/by/3.0/]

Contents E. Wilde: Identity and Authentication

Contents


(2) Abstract

For any task involving personalization and/or trust, it is not only necessary to have a concept for providing privacy, but also to have concepts for identity and for proving identity, which requires authentication. HTTP has built-in mechanisms for authentication; the standard HTTP authentication mechanisms are Basic Authentication and Digest Access Authentication. Instead of these mechanisms, many applications implement their own way of authenticating users, which is often based on login forms built with HTML forms.



Anonymous Authenticity

Outline (Anonymous Authenticity)

  1. Anonymous Authenticity [2]
  2. HTTP Authentication [6]
    1. Basic Authentication [2]
    2. Digest Access Authentication [2]
  3. Application Authentication [4]
  4. Conclusions [1]

(4) Certificates and Identity




(5) Usernames and Password



HTTP Authentication


(7) HTTP Access Control




(8) HTTP Authentication


Basic Authentication


(10) Authentication Information




(11) Repeated Access

  • Clients typically access more than one protected resource
    • a perfectly stateless client would prompt the user for credentials on every request
    • using the Authentication Information [Authentication Information (1)] (the realm in the challenge), clients can recognize repeated accesses to the same protection space
  • Clients remember the credentials and replay them automatically on later requests
    • browsers provide little control over this feature
    • logging out of HTTP authenticated sessions is hard, because the browser keeps resending the credentials


Digest Access Authentication


(13) Better HTTP Authentication

  • Basic Authentication [Basic Authentication (1)] is a serious security problem
    • username and password are transmitted unencrypted (only Base64-encoded)
  • Digest Access Authentication does not require transmission of the password
    • only information computed using a One-Way Function [Security Issues; One-Way Function (1)] is transmitted via HTTP
    • the server needs the clear-text password (or the stored HA1 value derived from it) to compute the HTTP header values
  • Three-step one-way function calculation of the response value (RFC 2617 joins the inputs with ':' before hashing)
    1. HA1 = MD5(username, realm, password)
    2. HA2 = MD5(HTTP method, request URI)
    3. Response = MD5(HA1, nonce, nc, cnonce, qop, HA2)
  • Server responses may include an Authentication-Info header
    • information for the next authenticated request
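The following Python example is added here to illustrate the two mechanisms compared on this slide; it is not code from the original slides. It shows that a Basic header is recovered with one Base64 decode, walks through the three-step Digest computation (qop=auth) as specified in RFC 2617, and verifies on the server side using only the stored HA1 value. All usernames, realms, nonces and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Basic Authentication: credentials are Base64-encoded only, never encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header: str) -> tuple[str, str]:
    """Anyone who observes the header recovers the password with a single decode."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """Step 1: HA1 = MD5(username:realm:password); the only value derived from the secret."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Steps 2 and 3: HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str,
                  qop: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 only; the clear-text password is not needed."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    # Constructed sample values; a real server nonce would be random per challenge.
    user, realm, password = "alice", "reports@example.org", "s3cret"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    ha1 = digest_ha1(user, realm, password)
    resp = digest_response(ha1, "GET", "/report", nonce, nc, cnonce)
    return {
        "basic_leaks": basic_decode(basic_header(user, password)),  # ('alice', 's3cret')
        "digest_header": f'Digest username="{user}", realm="{realm}", uri="/report", response="{resp}"',
        "server_accepts": digest_verify(ha1, "GET", "/report", nonce, nc, cnonce, "auth", resp),
    }


if __name__ == "__main__":
    print(demo())
```

The digest header carries no recoverable password, but the same MD5 construction means a stored HA1 must still be protected as carefully as a password hash.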


Application Authentication


(16) Login Page




(17) HTTP and Form-Based Login




(18) Form-Based Authentication



(19) HTML Session Management

<form action=".../generateReport.cfx" method="post">
 <input name="vin" type="hidden" class="inputVINfield" value="{vin}"/>
 <input type="hidden" name="user" value="...@DRET.NET"/>
 <input type="hidden" name="email" value="...@DRET.NET"/>
 <input type="hidden" name="zip" value="94709"/>
 <input type="hidden" name="sessionSequence" value="070916220678735"/>
 <input type="hidden" name="encryptedSid" value="yVXQOIQV01yWJBf8EtB7hA%3D%3D"/>
 <input type="hidden" name="cardHolderName" value="Erik Wilde"/>
 <input type="hidden" name="chargeAmount" value="29.99"/>
 <input type="hidden" name="sendMeEmail" value="N"/>
 <input type="hidden" name="addressOne" value="1771 ... Street"/>
 <input type="hidden" name="addressTwo" value=""/>
 <input type="hidden" name="cfxId" value="CFX000017762596"/>
 <input type="hidden" name="city" value="Berkeley"/>
 <input type="hidden" name="state" value="CA"/>
 <input type="hidden" name="consumerId" value="10100990"/>
 <input type="hidden" name="sid" value="yVXQOIQV01yWJBf8EtB7hA%3D%3D"/>
 <input type="hidden" name="expireDate" value="20071016220836"/>
 <input type="hidden" name="reportsAvailable" value="199"/>
 <input type="hidden" name="product" value="UCP"/>
 <input id="reportButton" name="reportButton" type="submit"/>
</form>


Conclusions


(21) Web or Application Architecture


