HTTP Authentication Mode

SIP borrows its authentication from HTTP. HTTP (RFC 2616) provides two authentication schemes, Basic and Digest; RFC 2617 is devoted to the requirements of both, and RFC 1321 is the MD5 standard that Digest relies on. Digest is not strong against modern password cracking (a captured exchange can be attacked offline), but it is still far better than Basic. A professor at Shandong University has, as I understand it, found a way to produce MD5 collisions, yet MD5 remains in wide use.

1. The easiest attack

If a site requires authentication and the client sends the username and password in clear text, an eavesdropper on the network picks them up easily, and the authentication provides no security at all. When I was at school I sniffed the HKUST laboratory LAN and collected other people's HKUST BBS passwords: the BBS actually transmitted usernames and passwords in the clear. It gave me an oddly exciting, guilty, thief-like feeling. Stealing money brings moral condemnation; a stolen password you simply carry off in secret, and "taking a book is not stealing", so there was no guilt. A username and password sent in clear text in front of you is no different from a piece of fat in front of the greedy.

Many ASP sites now hash the username and password with MD5 before sending them. MD5 maps an input of arbitrary length to a 128-bit (16-byte) digest; it is a hash, not encryption, and no random number is involved. What the eavesdropper captures is a string of apparent garbage. But there is a problem: if the eavesdropper submits that same garbage to the server, the authentication passes. The server only knows the user by that MD5 string, so it cannot tell the legitimate user from someone who replayed it. This is called a replay attack, and HTTP Basic authentication has the same weakness. To stop others getting something for nothing, basic precautions are needed, and that is what the two HTTP authentication schemes below provide.

2. Basic Authentication

The client sends a request; the server returns 401 (Unauthorized), requiring authentication. The 401 response carries the challenge in its headers; realm identifies the part of the site (the protection space) being authenticated. The client takes the username and password, joins them with a colon and Base64-encodes the result (an encoding, not encryption) into credentials that it sends back for the server to verify. The syntax is as follows:

challenge = "Basic" realm
credentials = "Basic" basic-credentials
basic-credentials = base64 encoding of userid ":" password


Challenge header: WWW-Authenticate: Basic realm="..."
Credentials: Authorization: Basic QsdfgWGHffuIcaNlc2FtZQ==
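The exchange above as working code, added here as an illustration (it is not from the original post): the client parses the challenge, builds the credentials, and a listener on the path decodes them straight back to the username and password. The user/password pair and realm are the sample values from RFC 2617.

```python
"""Basic authentication round trip (RFC 2617 section 2) and what an eavesdropper
recovers from it. Added example; the sample credentials are those of RFC 2617."""
import base64


def parse_basic_challenge(www_authenticate: str) -> str:
    """Return the realm from a value of the form 'Basic realm="..."'."""
    scheme, _, rest = www_authenticate.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic challenge")
    key, _, realm = rest.partition("=")
    if key.strip() != "realm":
        raise ValueError("Basic challenge must carry a realm")
    return realm.strip().strip('"')


def basic_credentials(user: str, password: str) -> str:
    """Build the Authorization header value: 'Basic ' + base64(userid ':' password)."""
    if ":" in user:
        # RFC 2617: user-pass = userid ":" password, so the userid itself may not contain ':'
        raise ValueError("userid must not contain ':'")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def eavesdrop(authorization: str):
    """Base64 is an encoding, not encryption: anyone on the path gets the password back."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic credentials")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


if __name__ == "__main__":
    realm = parse_basic_challenge('Basic realm="WallyWorld"')
    header = basic_credentials("Aladdin", "open sesame")
    print(realm, header, eavesdrop(header))
```

The only check a server can make on these credentials is a lookup; nothing in the header ties it to one request, so the same line can be replayed as often as the eavesdropper likes.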

3. Digest Access Authentication

To prevent replay attacks there is Digest access authentication. The client sends a request and receives a 401 (Unauthorized) that contains a challenge. The challenge carries a unique string, the nonce, which differs for every challenge. The client hashes the username, password and the challenge material from the 401 together and sends the result to the server. So even an eavesdropper who captures the exchange cannot pass a later authentication, because the next challenge carries a different nonce: the captured response cannot be replayed. Even so, HTTP is not a secure protocol; its content travels in the clear, so do not expect too much safety from it.


The fields of the Digest challenge (WWW-Authenticate header):

realm: a string displayed to the user so they know which username and password to use; different realms may have different passwords. At minimum it tells the user which host is doing the authentication, and it may hint which username to log on with, much like an e-mail address.
domain: a list of URIs defining the protection space; the client may send the same credentials to any of them without a new challenge. If it is absent or empty, the protection space is the entire server.
nonce: a server-specified random string, different in every 401; how it is built is up to the server. RFC 2617 suggests, for example, the Base64 or hex encoding of time-stamp H(time-stamp ":" ETag ":" private-key), where time-stamp is the server clock, ETag is the ETag header of the requested entity, and private-key is a value only the server knows.
opaque: a string chosen by the server, which the client returns unchanged in subsequent requests to the same protection space; best as a Base64 or hexadecimal string.
auth-param: an extension point for future parameters; unrecognized ones are ignored.
For the other fields, see RFC 2617.

Authorization header syntax:

response: the 32-hex-digit digest computed from the credentials, the nonce and the request (not an encrypted password).
digest-uri: a copy of the Request-URI from the Request-Line, included because a proxy may rewrite the request line in transit.
cnonce: a client-chosen nonce, required whenever qop is sent; it provides mutual authentication and message-integrity protection, and protects against a malicious server mounting a chosen-plaintext attack.
nonce-count: the hexadecimal count of requests the client has sent with this nonce; if the server sees the same count for the same nonce twice, it is a replay.
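Section 3 and the replay discussion in section 1 as one worked exchange, added here as an illustration (not the original post's code): the server issues a stateless nonce of the form RFC 2617 suggests, the client computes the qop="auth" response, and the server verifies it and rejects a replayed header through the nonce-count. The server class, its private key and the user table are constructed for this example; the realm, user and password are the RFC 2617 sample values, so `digest_response` can be checked against the RFC's own test vector. `offline_guess` shows the caveat from the opening paragraph: one captured header is enough to try passwords offline.

```python
"""Digest Access Authentication (RFC 2617, qop="auth") as a client/server exchange:
challenge, response computation, server-side verification with nonce-count replay
detection, and the offline guessing an eavesdropper can run on a captured header.
Added example; PRIVATE_KEY, USERS and DigestServer are constructed for illustration."""
import hashlib
import hmac
import re
import time

REALM = "testrealm@host.com"                    # sample realm from RFC 2617
USERS = {"Mufasa": "Circle Of Life"}            # sample user/password from RFC 2617
PRIVATE_KEY = b"constructed-server-only-secret"  # assumption: known only to the server
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_params(value: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' (the value of a WWW-Authenticate or Authorization header)."""
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: q or t for k, q, t in _PARAM.findall(params)}


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2), RFC 2617 section 3.2.2.1."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # HA1 = H(username ":" realm ":" password)
    ha2 = md5_hex(f"{method}:{uri}")              # HA2 = H(method ":" digest-uri)
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_nonce(etag: str = "") -> str:
    """Nonce in the shape RFC 2617 suggests: time-stamp plus H(time-stamp ":" ETag ":" private-key)."""
    ts = str(int(time.time()))
    tag = hashlib.md5(f"{ts}:{etag}:".encode() + PRIVATE_KEY).hexdigest()
    return f"{ts}:{tag}"


def nonce_is_genuine(nonce: str, etag: str = "", max_age: int = 300) -> bool:
    """Recompute the keyed tag, so forged or expired nonces are rejected without server state."""
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hashlib.md5(f"{ts}:{etag}:".encode() + PRIVATE_KEY).hexdigest()
    return hmac.compare_digest(tag, expected) and 0 <= time.time() - int(ts) <= max_age


class DigestServer:
    def __init__(self):
        self.highest_nc = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        nonce = make_nonce()
        self.highest_nc[nonce] = 0
        return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'

    def verify(self, authorization: str, method: str) -> bool:
        p = parse_params(authorization)
        user, nonce, nc = p.get("username"), p.get("nonce", ""), p.get("nc", "")
        if user not in USERS or p.get("realm") != REALM or p.get("qop") != "auth":
            return False
        if nonce not in self.highest_nc or not nonce_is_genuine(nonce):
            return False
        try:
            nc_val = int(nc, 16)
        except ValueError:
            return False
        if nc_val <= self.highest_nc[nonce]:  # same or older count for this nonce: a replay
            return False
        expected = digest_response(user, USERS[user], REALM, method,
                                   p.get("uri", ""), nonce, nc, p.get("cnonce", ""))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.highest_nc[nonce] = nc_val
        return True


def build_authorization(user, password, method, uri, challenge, nc="00000001", cnonce="0a4f113b"):
    """Client side: answer a challenge. cnonce is fixed for reproducibility; use os.urandom in practice."""
    ch = parse_params(challenge)
    resp = digest_response(user, password, ch["realm"], method, uri, ch["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def offline_guess(authorization: str, method: str, candidates):
    """What an eavesdropper does with one captured header: try passwords offline, no server needed."""
    p = parse_params(authorization)
    for pw in candidates:
        guess = digest_response(p["username"], pw, p["realm"], method,
                                p["uri"], p["nonce"], p["nc"], p["cnonce"])
        if guess == p["response"]:
            return pw
    return None


def demo():
    srv = DigestServer()
    auth = build_authorization("Mufasa", "Circle Of Life", "GET", "/dir/index.html", srv.challenge())
    first = srv.verify(auth, "GET")    # genuine request: accepted
    replay = srv.verify(auth, "GET")   # identical header again: same nonce and nc, rejected
    cracked = offline_guess(auth, "GET", ["password", "Circle Of Life"])
    return first, replay, cracked


if __name__ == "__main__":
    print(demo())
```

The replay check works because the server remembers the highest nc seen per nonce; a server that verifies only the hash and not the count accepts the captured header again, which is exactly the weakness of the MD5-password scheme in section 1. The offline guess is why Digest still needs TLS underneath it: the eavesdropper needs no further interaction with the server.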


4. Both are weak

Basic authentication and Digest access authentication are both fragile. Basic lets an eavesdropper obtain the username and password outright. With Digest, an eavesdropper cannot read the password off the wire; at most they can replay the captured request to obtain the same document (if the server does not check the nonce-count) and try passwords offline against the captured response.