sends an error message
HTTP/1.0 401 Unauthorized
and sends the challenge again.
If the browser tries to connect to the URI and receives an access control request to
which it does not know how to respond, it displays a dialog box asking the user to fill
in the userid and password fields. Usually these are kept in the browser's memory for
the duration of the session, so that the server can issue many access control requests
during the same session without prompting the user again. This is why users are often
asked to close the browser after the session, so that no other user of the same machine
can access the same URI with the cached credentials.
5.1.3 PAP Access Control in PPP
A similar example is one of the two access control protocols provided in the Point-to-Point
Protocol (PPP), which enables the remote connection of a machine to a network. These two
access control protocols are the Password Authentication Protocol (PAP) and the
Challenge-Handshake Authentication Protocol (CHAP), which will be discussed in
Section 5.2. Both are detailed in RFC 1334 (Ref. [118]).
The PAP protocol is quite similar to basic access control in HTTP: the peer sends its
identifier and password in clear, and the authenticator simply checks them.
5.2 Challenge-Response Protocols
The password access control protocol obviously provides low security, since passwords
may be intercepted by a third party (unless the communication channel protects
confidentiality, which can be the case with the SSL protocol as discussed in
Section 12.3).
In this section we present better access control protocols in which the client never
sends a password in clear to the server. Instead, the client proves that it has the
password by replying to random challenges, as depicted in Fig. 5.2. This is not always
feasible when the client is a human being, since the response must be computed. It is
however quite easy to implement when the client is a machine.
  Client                                      Server
    -------------- request C to S ------------>
                                              pick c at random
    <-------------- challenge c ---------------
  r = MAC_password(c)
    -------------- response r ---------------->
                                              check r = MAC_password(c)

Figure 5.2. Challenge-Response access control.
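The following Python script is an added example, not code from the original page: it contrasts the password-in-clear scheme of HTTP basic access control and PAP with the challenge-response exchange of Fig. 5.2. HMAC-SHA256 is used here as the MAC of the figure (the page does not fix a particular MAC), the credential is a constructed sample, and the function names are ours. The eavesdropper recovers the password directly from a captured basic-auth header, whereas a recorded challenge-response pair (c, r) is useless against a fresh challenge.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credential (assumption, not from the original page).
USERID = "alice"
PASSWORD = "correct horse battery staple"


# --- Password access control (HTTP basic / PAP style): password travels in clear ---

def basic_auth_header(userid: str, password: str) -> str:
    """Build the Authorization header a browser sends after a 401 challenge.
    The credentials are only base64-encoded, which is an encoding, not encryption."""
    token = base64.b64encode(f"{userid}:{password}".encode()).decode()
    return f"Basic {token}"


def eavesdrop_basic(header: str) -> tuple[str, str]:
    """What a third party on the wire learns from one captured basic-auth header."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    userid, password = base64.b64decode(token).decode().split(":", 1)
    return userid, password


# --- Challenge-response (Fig. 5.2): r = MAC_password(c) ---

def server_challenge() -> bytes:
    """Server picks c at random; 16 bytes from a CSPRNG so challenges do not repeat."""
    return secrets.token_bytes(16)


def client_response(password: str, c: bytes) -> bytes:
    """Client proves possession of the password without ever sending it.
    HMAC-SHA256 keyed by the password stands in for MAC_password of Fig. 5.2."""
    return hmac.new(password.encode(), c, hashlib.sha256).digest()


def server_check(password: str, c: bytes, r: bytes) -> bool:
    """Server recomputes MAC_password(c) for the challenge it issued and compares
    in constant time, so timing does not leak how many bytes of r were right."""
    expected = hmac.new(password.encode(), c, hashlib.sha256).digest()
    return hmac.compare_digest(expected, r)


def run_session(client_password: str, server_password: str) -> bool:
    """One complete exchange of Fig. 5.2; True if the server accepts the client."""
    c = server_challenge()                      # server: pick c at random
    r = client_response(client_password, c)     # client: r = MAC_password(c)
    return server_check(server_password, c, r)  # server: check r = MAC_password(c)


def replay_attack(password: str) -> bool:
    """An eavesdropper records (c1, r1) from a legitimate session and replays r1
    against the server's next, fresh challenge. Returns True only if the replay
    is accepted, which a correct challenge-response server must refuse."""
    c1 = server_challenge()
    r1 = client_response(password, c1)
    if not server_check(password, c1, r1):      # the genuine session succeeds
        raise RuntimeError("legitimate session unexpectedly rejected")
    c2 = server_challenge()                     # new session, new random challenge
    return server_check(password, c2, r1)       # r1 no longer matches MAC_password(c2)


if __name__ == "__main__":
    hdr = basic_auth_header(USERID, PASSWORD)
    print("eavesdropper learns from basic auth:", eavesdrop_basic(hdr))
    print("challenge-response, right password:", run_session(PASSWORD, PASSWORD))
    print("challenge-response, wrong password:", run_session("guess", PASSWORD))
    print("replayed response accepted?       :", replay_attack(PASSWORD))
```

Note what the server must store for this to work: the password itself (or a key derived from it), since it has to recompute MAC_password(c). An attacker who records the transcript (c, r) still cannot log in, but can test candidate passwords offline against it, so a guessable password remains weak even though it is never sent in clear.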