Client                                        Server

          request C to S
  ------------------------------------------>
          authentication?
  <------------------------------------------
          login, password
  ------------------------------------------>
                                              check

Figure 5.1. Password access control.
5.1.1 UNIX Passwords
UNIX passwords are a famous example that we saw in Section 2.4. Here, the client is a
user (or a UNIX process whose permissions are associated with the user) and the server
is a workstation.
Here the server keeps a database of "encrypted" passwords, i.e., the images of the
passwords under a one-way function; the passwords themselves are never stored. The
one-way encryption is purposely slow in order to slow down attacks on the access
control, such as exhaustive or dictionary search for a password matching a stolen entry.
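The following is an added example, not code from the book, of the server side of Figure 5.1 for the UNIX-style scheme: the database holds only the image of each password under a purposely slow one-way function. PBKDF2-HMAC-SHA256 with a per-user salt is an assumption made here (the text names neither the function nor salting); the iteration count is the knob that makes every guess expensive, and the sample entry for "alice" is constructed data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not code from the book: the stored form of a password is
# the image under a slow one-way function (PBKDF2-HMAC-SHA256 is an assumed
# choice). Raising ITERATIONS slows every guess by the same factor.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the stored form 'iterations$salt$digest' (salt and digest in hex)."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt, assumed here as in classic UNIX
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the one-way image of the candidate and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample database: login -> stored one-way image. The clear
# password "correct horse" is never kept on the server.
PASSWORD_DB: Dict[str, str] = {"alice": hash_password("correct horse")}

# Image of a dummy password, so a lookup failure costs as much as a real check
# and an attacker cannot enumerate valid logins by timing.
_DUMMY = hash_password("dummy")


def check_login(db: Dict[str, str], login: str, password: str) -> bool:
    """The 'check' step of Figure 5.1: look the login up and verify the password."""
    stored = db.get(login)
    if stored is None:
        verify_password(_DUMMY, password)  # burn the same time for unknown users
        return False
    return verify_password(stored, password)


if __name__ == "__main__":
    print(check_login(PASSWORD_DB, "alice", "correct horse"))    # True
    print(check_login(PASSWORD_DB, "alice", "wrong"))            # False
    print(check_login(PASSWORD_DB, "mallory", "correct horse"))  # False
```

Because the salt is random, two entries for the same password differ, so an attacker cannot precompute one table of images and reuse it against every user; because the function is slow, each candidate password tried against a stolen entry costs the attacker the full iteration count.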
5.1.2 Basic Access Control in HTTP
Another example of password access control, taken from RFC 2617 (Ref. [69]), is used
in the HTTP protocol. Here the client is a browser that wishes to access a protected
document identified by a uniform resource identifier (URI) on a Web site. There are
two access control protocols: one is called basic and the other is called digest (the latter is
detailed in Section 5.2). In the basic protocol, the server must keep a database of (realm-
value, userid, password) triplets, where realm-value identifies one "part" (a protection
space) of the HTTP server, userid is the identification string of a user, and password is
simply the password.
Upon a URI request to a server, the server sends a challenge

WWW-Authenticate: Basic realm="realm-value"

Then the client must send credentials

Authorization: Basic basic-credentials

where basic-credentials is the string

userid:password

encoded according to the base64 algorithm.¹ Since base64 is an encoding and not an
encryption, the password crosses the network in the clear. If the (realm-value, userid,
password) triplet is correct, the server can respond to the URI request. Otherwise it
¹ This encoding scheme simply consists of encoding bitstrings into byte sequences in which only 6 bits
of every byte are used, so that every output byte is a printable character. This avoids bytes which might
be interpreted by intermediate processes as control characters or special instructions. It provides no
confidentiality: anyone who sees the Authorization header recovers the password by decoding it.
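Both sides of the basic exchange above, as an added example that is not code from the book or from RFC 2617: the server issues the WWW-Authenticate challenge, the client builds the Authorization header from userid:password in base64, and the server decodes it and checks the (realm-value, userid, password) triplet against its table. The credential table is constructed sample data (the "Aladdin" / "open sesame" pair is the illustration used in the RFC itself); the function names are choices made here.

```python
import base64
import hmac
import re
from typing import Dict, Tuple

# Added example of the RFC 2617 Basic exchange; not code from the book or
# the RFC. Constructed server-side table: (realm-value, userid) -> password.
CREDENTIALS: Dict[Tuple[str, str], str] = {
    ("WallyWorld", "Aladdin"): "open sesame",
}


def challenge(realm: str) -> str:
    """Server side: the header accompanying the 401 response."""
    return f'WWW-Authenticate: Basic realm="{realm}"'


def parse_challenge(header: str) -> str:
    """Client side: recover realm-value from the server's challenge."""
    _, _, value = header.partition(":")
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic challenge")
    match = re.search(r'realm="([^"]*)"', params)
    if match is None:
        raise ValueError("challenge carries no realm")
    return match.group(1)


def credentials_header(userid: str, password: str) -> str:
    """Client side: base64 of 'userid:password'.

    RFC 2617 forbids ':' in userid so that the server can split at the
    first colon; the password itself may contain colons.
    """
    if ":" in userid:
        raise ValueError("userid must not contain ':'")
    raw = f"{userid}:{password}".encode("utf-8")
    return "Authorization: Basic " + base64.b64encode(raw).decode("ascii")


def parse_credentials(header: str) -> Tuple[str, str]:
    """Server side: decode basic-credentials back into (userid, password)."""
    _, _, value = header.partition(":")
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic credentials")
    # validate=True makes malformed base64 raise binascii.Error (a ValueError)
    raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    userid, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return userid, password


def check_credentials(db: Dict[Tuple[str, str], str], realm: str,
                      header: str) -> bool:
    """Server side: accept iff (realm-value, userid, password) is in the table."""
    try:
        userid, password = parse_credentials(header)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = db.get((realm, userid))
    if expected is None:
        return False
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    realm = parse_challenge(challenge("WallyWorld"))
    header = credentials_header("Aladdin", "open sesame")
    print(header)  # Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(check_credentials(CREDENTIALS, realm, header))  # True
```

Decoding the printed header with any base64 tool returns "Aladdin:open sesame" unchanged, which is the practical meaning of the footnote: the scheme protects the document only against clients who do not know the password, not against anyone who can observe the connection.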