Digest Authentication Concept
The client sends a hash derived from the password (mixed with the realm, the server's nonce and the request details) instead of the password itself, so the cleartext password never crosses the wire.
HTTP Digest Authentication
Example: client request (no credentials yet)
GET /dir/index.html HTTP/1.0
Host: localhost
Rejected: the server answers with a 401 challenge
HTTP/1.0 401 Unauthorized
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
WWW-Authenticate: Digest realm="testrealm@host.com",
qop="auth,auth-int",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Content-Length: 311
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
<HEAD>
<TITLE>Error</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
</HEAD>
<BODY><H1>401 Unauthorized.</H1></BODY>
</HTML>
Client request (username "Mufasa", password "Circle Of Life")
GET /dir/index.html HTTP/1.0
Host: localhost
Authorization: Digest username="Mufasa",
realm="testrealm@host.com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html",
qop=auth,
nc=00000001,
cnonce="0a4f113b",
response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
Client
Generates a random "cnonce", then hashes HA1 (itself MD5 of username:realm:password) together with the server nonce, nc, cnonce, qop and the request's method and URI to produce the hash value "response", and puts all of these values into the HTTP Authorization header sent to the Server.
Together these fields are called the Authorization credentials.
Subsequent communication
A web browser attaches the credentials to every following HTTP GET, but the nonce count nc is incremented (and a fresh cnonce chosen) for each request, so the response value differs every time; a captured Authorization header cannot simply be replayed against a server that tracks nc.
Example in RFC 2617
HA1 = MD5( "Mufasa:testrealm@host.com:Circle Of Life" )
    = 939e7578ed9e3c518a452acee763bce9
HA2 = MD5( "GET:/dir/index.html" )
    = 39aff3a2bab6126f332b942af96d3366
Response = MD5( "939e7578ed9e3c518a452acee763bce9:\
                 dcd98b7102dd2f0e8b11d0f600bfb0c093:\
                 00000001:0a4f113b:auth:\
                 39aff3a2bab6126f332b942af96d3366" )
         = 6629fae49393a05397450978507c4ef1
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)                        (qop=auth, or no qop)
HA2 = MD5(method:digestURI:MD5(entityBody))        (qop=auth-int)
response = MD5(HA1:nonce:nc:cnonce:qop:HA2)         (qop=auth or auth-int)
response = MD5(HA1:nonce:HA2)                       (legacy RFC 2069 form, no qop)
Note that every input except the password is visible in the headers, so a captured exchange allows an offline dictionary attack on the password, and Digest gives no confidentiality or server authentication; run it over TLS.
On Linux there is a simple way to compute the MD5 by hand (this is HA1 for user Administrator, realm OPENWSMAN, password Realtek):
$ echo -n Administrator:OPENWSMAN:Realtek | md5sum
The result is:
7b33ee9e26499e7ecc6c3737d8ae5cec -
Apache provides the utilities htpasswd and htdigest
htdigest -c <filename> <realm> <account>
$ htdigest -c Administrator_digest.passwd OPENWSMAN Administrator
(## The realm for openwsman has to be OPENWSMAN ##)
htdigest prompts for the password and writes one line of the form account:realm:HA1, where HA1 is exactly MD5(account:realm:password), the same value as the md5sum above; -c creates (and overwrites) the file, so omit it when adding a second account.
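The formulas above and the htdigest file format, carried through in working code as an added example (not code from the original post, Apache or openwsman): the client half computes HA1/HA2/response and increments nc per request, the server half verifies an Authorization header against an htdigest-style line holding only HA1 and rejects a replayed nonce/nc pair. The challenge string, the htdigest line and the function names are constructed for this example from the RFC 2617 values quoted on the page; nothing here touches the network.

```python
"""RFC 2617 HTTP Digest, client and server side, against the page's example values."""
import hashlib
import hmac
import re
import secrets

# Constructed: the WWW-Authenticate value from the 401 above, folded onto one line.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

# Constructed: what htdigest would write for this user, i.e. user:realm:HA1.
HTDIGEST_LINES = ["Mufasa:testrealm@host.com:939e7578ed9e3c518a452acee763bce9"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest_params(header: str) -> dict:
    """Turn 'Digest k="v", k=v, ...' (challenge or credentials) into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def ha1(username: str, realm: str, password: str) -> str:
    # Identical to the third field of an htdigest entry.
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    if qop == "auth-int":  # auth-int additionally binds the entity body
        return md5hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return md5hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class DigestClient:
    """Keeps the nonce count so every request gets a fresh nc and cnonce."""

    def __init__(self, username: str, password: str, challenge: str):
        self.username, self.password = username, password
        self.ch = parse_digest_params(challenge)
        self.nc = 0

    def authorization(self, method: str, uri: str, qop: str = "auth",
                      cnonce=None, body: bytes = b"") -> str:
        offered = [q.strip() for q in self.ch["qop"].split(",")]
        if qop not in offered:
            raise ValueError(f"server did not offer qop={qop}")
        self.nc += 1
        nc = f"{self.nc:08x}"                   # 8 hex digits, as in the example
        cnonce = cnonce or secrets.token_hex(8)  # fresh client nonce per request
        h1 = ha1(self.username, self.ch["realm"], self.password)
        resp = digest_response(h1, self.ch["nonce"], nc, cnonce, qop,
                               ha2(method, uri, qop, body))
        return (f'Digest username="{self.username}", realm="{self.ch["realm"]}", '
                f'nonce="{self.ch["nonce"]}", uri="{uri}", qop={qop}, nc={nc}, '
                f'cnonce="{cnonce}", response="{resp}", opaque="{self.ch["opaque"]}"')


def verify(auth_header: str, method: str, issued_nonce: str,
           htdigest_lines: list, seen: set, body: bytes = b"") -> bool:
    """Server side: recompute response from the stored HA1; refuse replays."""
    p = parse_digest_params(auth_header)
    if p.get("nonce") != issued_nonce:           # nonce this server never issued
        return False
    store = {}
    for line in htdigest_lines:
        user, realm, h1 = line.strip().split(":")
        store[(user, realm)] = h1
    h1 = store.get((p.get("username"), p.get("realm")))
    if h1 is None:
        return False
    key = (p["nonce"], p["nc"])                   # a real server also requires nc to increase
    if key in seen:
        return False
    expected = digest_response(h1, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                               ha2(method, p["uri"], p["qop"], body))
    if not hmac.compare_digest(expected, p["response"]):
        return False
    seen.add(key)
    return True


if __name__ == "__main__":
    client = DigestClient("Mufasa", "Circle Of Life", CHALLENGE)
    nonce, seen = parse_digest_params(CHALLENGE)["nonce"], set()
    first = client.authorization("GET", "/dir/index.html", cnonce="0a4f113b")
    print(first)
    print("first :", verify(first, "GET", nonce, HTDIGEST_LINES, seen))
    print("replay:", verify(first, "GET", nonce, HTDIGEST_LINES, seen))
    second = client.authorization("GET", "/dir/index.html")
    print("second:", verify(second, "GET", nonce, HTDIGEST_LINES, seen))
```

With cnonce fixed to "0a4f113b" the first header reproduces response="6629fae49393a05397450978507c4ef1" from the RFC; the second request carries nc=00000002 and a different response, and presenting the first header again is refused because the server has already seen that nonce/nc pair. The server never needs the cleartext password, only the HA1 line htdigest stores.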