TKK | Tietoverkkolaboratorio | Opetus

Basic authentication

The basic authentication mechanism in the WWW is based on the idea that the user provides a userid and password to authenticate himself. The browser prompts the user for a userid and password and sends them to the server. If the userid and password correspond to those that the server holds, the user is served and gains access to the document he requested.

We can see that HTTP performs a rather weak form of authentication, one that would not be difficult to break. The security flaw here is clear: the userid and password must be transmitted through the network without encryption. Anyone who intends to do so can obtain someone else's password by eavesdropping. Another severe problem is that the client has no way to authenticate the server. Apart from these severe problems, this method is hard to manage from the server administrator's point of view, because each user must have a userid and a corresponding password stored securely on each server.

Message digest authentication

This more advanced scheme uses the same exchange of packets as basic authentication, but the server reply now includes a value, known as the nonce, which acts as a challenge. Instead of replying with the username and password, the client calculates a message digest (using a hash algorithm) from the username, password and nonce and returns this along with the username as authentication information. Upon receiving these, the server may check their validity by looking up the known password which corresponds to the submitted username. The server then repeats the hash calculation performed by the client, using the user's correct password, and returns the document if the two digests match. To do this the server must hold each user's password in a form suitable for calculating the message digest.

The advantage of message digest authentication is that an eavesdropper cannot obtain the user's password. On the other hand, it is imperative that the passwords are stored as securely as possible, since anyone possessing them would immediately be able to masquerade as a valid user of the server.
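The two exchanges described above, as an added example that is not part of the original page: the basic-authentication header is built and then decoded to show that an eavesdropper reads the password straight back, and a simplified digest exchange shows that a captured response is useless once the server has moved on to a fresh nonce. The hash algorithm (SHA-256), the exact digest layout H(H(userid:password):nonce), the stored form H(userid:password) on the server, the single-use nonce bookkeeping, and the user "alice" are all assumptions made for this example; the page describes only the general mechanism.

```python
"""Basic vs. message digest authentication, side by side (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


# ---- Basic authentication -------------------------------------------------

def basic_header(userid: str, password: str) -> str:
    """Authorization header value a browser sends for basic authentication.
    Base64 is an encoding, not encryption: it hides nothing on the wire."""
    token = base64.b64encode(f"{userid}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header: str) -> tuple[str, str]:
    """What anyone who captures the unencrypted header can do: read it back.
    Only the first colon separates userid from password, so passwords may contain colons."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    userid, password = base64.b64decode(token).decode().split(":", 1)
    return userid, password


# ---- Message digest authentication ----------------------------------------

def H(*parts: str) -> str:
    """Hash over colon-joined fields. Assumption: SHA-256; the page names no algorithm."""
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


def client_digest(userid: str, password: str, nonce: str) -> str:
    """Client side: digest over username, password and the server's nonce.
    Assumption: laid out as H(H(userid:password):nonce) so the server can keep
    H(userid:password) rather than the raw password."""
    return H(H(userid, password), nonce)


class DigestServer:
    """Server side of the challenge/response exchange."""

    def __init__(self, users: dict[str, str]):
        # Stored form suitable for recomputing the digest. As the page notes,
        # anyone who obtains these values can masquerade as the user, so they
        # need the same protection as the passwords themselves.
        self.stored = {u: H(u, p) for u, p in users.items()}
        self.outstanding: set[str] = set()

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce and remember it."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, userid: str, nonce: str, digest: str) -> bool:
        """Recompute the digest from the stored form and compare in constant time.
        A nonce is accepted once only, so a captured (nonce, digest) pair cannot be replayed."""
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        stored = self.stored.get(userid)
        if stored is None:
            return False
        return hmac.compare_digest(H(stored, nonce), digest)


def demo() -> dict[str, bool]:
    """Run both exchanges for a constructed user and report what an eavesdropper gains."""
    userid, password = "alice", "correct horse"          # constructed sample credentials
    server = DigestServer({userid: password})

    # Basic: the captured header yields the password directly.
    captured_basic = basic_header(userid, password)
    basic_leaks_password = decode_basic_header(captured_basic) == (userid, password)

    # Digest: the captured response is valid once, for its own nonce only.
    n1 = server.challenge()
    d1 = client_digest(userid, password, n1)
    genuine_accepted = server.verify(userid, n1, d1)
    replay_same_nonce = server.verify(userid, n1, d1)
    n2 = server.challenge()
    replay_new_nonce = server.verify(userid, n2, d1)
    n3 = server.challenge()
    wrong_password = server.verify(userid, n3, client_digest(userid, "wrong", n3))

    return {
        "basic_leaks_password": basic_leaks_password,
        "genuine_accepted": genuine_accepted,
        "replay_same_nonce": replay_same_nonce,
        "replay_new_nonce": replay_new_nonce,
        "wrong_password": wrong_password,
    }


if __name__ == "__main__":
    print(demo())
```

The digest side still leaves the page's second caveat in place: the server's table of H(userid:password) values is exactly as sensitive as a plaintext password file, because possession of a stored value is all that is needed to produce a valid response to any challenge.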

Tietoverkkolaboratorio (the Networking Laboratory) is now part of Tietoliikenne- ja tietoverkkotekniikan laitos (the Department of Communications and Networking). The information on this page may be outdated.

Up-to-date course information is in the MyCourses service.

This page was made as a student assignment. Tietoverkkolaboratorio is not responsible for the correctness, currency or maintenance of the page. In serious cases the contact persons are and the Webmaster.
This page was last updated 15.11.1999 17:20.
URI: http://www.netlab.tkk.fi/opetus/s38118/s99/htyo/1/prin_weak.shtml