RFC 2617 - HTTP Authentication, self-translated edition (1) (repost)
Network Working Group                                          J. Franks
Request for Comments: 2617                       Northwestern University
Obsoletes: 2069                                          P. Hallam-Baker
Category: Standards Track                                 Verisign, Inc.
                                                            J. Hostetler
                                                         AbiSource, Inc.
                                                             S. Lawrence
                                                   Agranat Systems, Inc.
                                                                P. Leach
                                                   Microsoft Corporation
                                                             A. Luotonen
                                     Netscape Communications Corporation
                                                              L. Stewart
                                                       Open Market, Inc.
                                                               June 1999
HTTP Authentication: Basic and Digest Access Authentication
Status of this Memo
This document records the discussion and suggestions made within the Internet community toward its improvement. For details, refer to the official protocol standards (STD 1). Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
"HTTP/1.0" includes the Basic Access Authentication scheme. That scheme is not a secure method of authentication (unless it is combined with other security methods, such as [5]), because the user name and password are sent over the network in clear text.
This document also provides the specification for HTTP authentication. For the original Basic authentication scheme and the hash-based scheme, see Digest Access Authentication. Since RFC 2069 was published, some of the optional elements it specified have been removed because problems were found with them, while new elements have been added for compatibility; these new elements are optional but strongly recommended. RFC 2069 [6] may therefore ultimately be replaced by this specification.
Franks, et al. Standards Track [Page 1]
Like Basic, Digest authentication verifies a secret (such as a password) known to both communicating parties; unlike Basic, the password is not transmitted in clear text, which is Basic's greatest weakness. As with most other authentication protocols, the greatest risk lies not in the protocol itself but in the surrounding use of it.
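The two schemes the abstract contrasts, shown as an added Python example (not code from the RFC or from this translation): the Basic credential is only base64 of user:password and decodes straight back, while a Digest client sends an MD5 digest computed over the password and the server's nonce, so the password itself never appears on the wire and the server can keep just HA1 rather than the password. The field values are those of the RFC's own worked example in section 3.5 (a later part of the translation); the function names are my own, and only the qop=auth form of the request-digest is implemented.

```python
"""Basic vs Digest credentials (RFC 2617), with a server-side verifier."""
import base64
import hashlib
import hmac
import re


def basic_authorization(username: str, password: str) -> str:
    """Basic scheme (section 2): the credential is base64("user:pass"), not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> tuple:
    """Recover the user name and password from a Basic header, as anyone who sees it can."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server can store this instead of the
    password (section 4.13), though a stolen HA1 is enough to answer challenges."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_authorization(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: build the Authorization value. The password itself never appears in it."""
    response = digest_response(digest_ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest(header: str) -> dict:
    """Split a Digest header value into its name=value fields (quoted or bare)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}


def verify_digest(stored_ha1: str, method: str, header: str, expected_nonce: str) -> bool:
    """Server side: recompute the digest from the stored HA1 and the request, then compare.
    The nonce must be the one this server issued, so a response built for an old
    challenge is rejected (nonce lifetime is the topic of sections 4.3 and 4.5)."""
    fields = parse_digest(header)
    if fields.get("nonce") != expected_nonce or fields.get("qop") != "auth":
        return False  # only the qop=auth form is handled here
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"])
    # Constant-time comparison so timing does not leak how many hex digits matched.
    return hmac.compare_digest(expected, fields["response"])


# Field values of the RFC's own worked example (section 3.5); the cnonce is client-chosen there.
EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
               method="GET", uri="/dir/index.html",
               nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce="0a4f113b")


def example_headers() -> tuple:
    """Return the Basic and Digest Authorization values a client would send for EXAMPLE."""
    e = EXAMPLE
    basic = basic_authorization(e["username"], e["password"])
    digest = digest_authorization(e["username"], e["realm"], e["password"], e["method"],
                                  e["uri"], e["nonce"], e["cnonce"])
    return basic, digest


if __name__ == "__main__":
    basic, digest = example_headers()
    print("Basic on the wire:  ", basic)
    print("...which decodes to:", decode_basic(basic))
    print("Digest on the wire: ", digest)
    print("password visible in Digest header:", EXAMPLE["password"] in digest)
```

Running it prints the Basic value (which decodes straight back to the password) and the Digest value, whose response field is the 32-hex-digit request-digest; the verifier recomputes that digest from stored HA1 and rejects a wrong password or a nonce the server did not issue.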
Table of Contents
1 Access Authentication .......................................... 3
1.1 Reliance on the HTTP/1.1 Specification ....................... 3
1.2 Access Authentication Framework .............................. 3
2 Basic Authentication Scheme .................................... 5
3 Digest Access Authentication Scheme ............................ 6
3.1 Introduction ................................................. 6
3.1.1 Purpose .................................................... 6
3.1.2 Overall Operation .......................................... 6
3.1.3 Representation of digest values ............................ 7
3.1.4 Limitations ................................................ 7
3.2 Specification of Digest Headers .............................. 7
3.2.1 The WWW-Authenticate Response Header ....................... 8
3.2.2 The Authorization Request Header ........................... 11
3.2.3 The Authentication-Info Header ............................. 15
3.3 Digest Operation ............................................. 17
3.4 Security Protocol Negotiation ................................ 18
3.5 Example ...................................................... 18
3.6 Proxy-Authentication and Proxy-Authorization ................. 19
4 Security Considerations ........................................ 19
4.1 Authentication of Clients using Basic Authentication ......... 19
4.2 Authentication of Clients using Digest Authentication ........ 20
4.3 Limited Use Nonce Values ..................................... 21
4.4 Comparison of Digest with Basic Authentication ............... 22
4.5 Replay Attacks ............................................... 22
4.6 Weakness Created by Multiple Authentication Schemes .......... 23
4.7 Online dictionary attacks .................................... 23
4.8 Man in the Middle ............................................ 24
4.9 Chosen plaintext attacks ..................................... 24
4.10 Precomputed dictionary attacks .............................. 25
4.11 Batch brute force attacks ................................... 25
4.12 Spoofing by Counterfeit Servers ............................. 25
4.13 Storing passwords ........................................... 26
4.14 Summary ..................................................... 26
5 Sample implementation .......................................... 27
6 Acknowledgments ................................................ 31
7 References ..................................................... 31
8 Authors' Addresses ............................................. 32
9 Full Copyright Statement ....................................... 34
From the ITPUB blog, link: http://blog.itpub.net/10752043/viewspace-988651/. If reposting, please credit the source; otherwise legal liability will be pursued.