What is the difference between Digest and Basic Authentication?
Digest Authentication communicates credentials in an encrypted form by applying a hash function to the username, the password, a server-supplied nonce value, the HTTP method, and the requested URI, whereas Basic Authentication uses unencrypted base64 encoding.
Therefore Basic Authentication should generally only be used where transport layer security is provided, such as https.
See RFC-2617 for all the gory details.
HTTP Basic Access Authentication
Basic Authentication uses base64 encoding (not encryption) for generating our cryptographic string, which contains the information of username and password. HTTP Basic doesn't need to be implemented over SSL, but if you don't, it isn't secure at all. So I'm not even going to entertain the idea of using it without.
Pros:
Cons:
In Summary – if you have control of the clients, or can ensure they use SSL, HTTP Basic is a good choice. The slowness of the SSL can be cancelled out by the speed of only making one request.
Syntax of Basic Authentication
Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>
// at last, the Authorization key/value pair is added to the HTTP header as follows
Authorization: <Authorization Value>
HTTP Digest Access Authentication
Digest Access Authentication uses hashing (i.e. digest means cut into small pieces) methodologies to generate the cryptographic result. HTTP Digest access authentication is a more complex form of authentication that works as follows:
Pros:
Cons:
In Summary, HTTP Digest is inherently vulnerable to at least two attacks, whereas a server using strong encryption for passwords with HTTP Basic over SSL is less likely to share these vulnerabilities.
If you don't have control over your clients, however, they could attempt to perform Basic authentication without SSL, which is much less secure than Digest.
RFC 2069 Digest Access Authentication Syntax
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:Hash2)
RFC 2617 Digest Access Authentication Syntax
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)
// some additional parameters added
In Postman it looks as follows:
Note:
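The two header syntaxes in the answer above, carried out in code. This is an added example, not code from the answer or from any project: it builds the Basic header from Value = username:password and the Digest response from Hash1/Hash2 in both the RFC 2069 and the RFC 2617 form. The admin:aadd credentials are taken from the Wireshark answer on this page; the Mufasa / testrealm@host.com / "Circle Of Life" inputs are the worked example from RFC 2617 section 3.5, whose published response is 6629fae49393a05397450978507c4ef1.

```python
import base64
import hashlib


def md5_hex(data: str) -> str:
    """Hex MD5 of a string; Digest access authentication (RFC 2069/2617) is built on MD5."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def basic_authorization(username: str, password: str) -> str:
    """Value = username:password; Authorization: Basic base64(Value).

    base64 is an encoding, not encryption: anyone who sees this header on an
    unencrypted connection can decode it back to the plaintext credentials.
    """
    value = f"{username}:{password}"
    return "Basic " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def digest_response_rfc2069(username, realm, password, method, uri, nonce):
    """response = MD5(Hash1:nonce:Hash2), the RFC 2069 form."""
    hash1 = md5_hex(f"{username}:{realm}:{password}")
    hash2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{hash1}:{nonce}:{hash2}")


def digest_response_rfc2617(username, realm, password, method, uri,
                            nonce, nonce_count, cnonce, qop="auth"):
    """response = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2), the RFC 2617 form."""
    hash1 = md5_hex(f"{username}:{realm}:{password}")
    hash2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{hash1}:{nonce}:{nonce_count}:{cnonce}:{qop}:{hash2}")


def digest_authorization_rfc2617(username, realm, password, method, uri,
                                 nonce, nonce_count, cnonce, qop="auth"):
    """Assemble the full Authorization header value a client sends (RFC 2617 layout)."""
    response = digest_response_rfc2617(username, realm, password, method, uri,
                                       nonce, nonce_count, cnonce, qop)
    fields = [
        f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
        f'uri="{uri}"', f"qop={qop}", f"nc={nonce_count}",
        f'cnonce="{cnonce}"', f'response="{response}"',
    ]
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    # admin:aadd is the credential pair shown in the Wireshark answer on this page.
    print("Authorization:", basic_authorization("admin", "aadd"))
    # Inputs from the RFC 2617 section 3.5 worked example.
    print("Authorization:", digest_authorization_rfc2617(
        "Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
        "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"))
```

The Basic line prints the same string Wireshark shows in the capture below (YWRtaW46YWFkZA==), and the Digest line reproduces the RFC's published response, which is a quick way to confirm the field order and colon separators before wiring this into a client.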
Let us see the difference between the two HTTP authentication methods using Wireshark (a tool to analyse packets sent or received).
1. HTTP Basic Authentication
As soon as the client types in the correct username:password, as requested by the web server, the web server checks in the database whether the credentials are correct and gives access to the resource.
Here is how the packets are sent and received:
In the first packet the client fills in the credentials using the POST method at the resource lab/webapp/basicauth. In return the server replies with HTTP response code 200 OK, i.e. the username:password were correct.
Now, in the Authorization header it shows that it is Basic Authorization followed by some random string. This string is the encoded (Base64) version of the credentials admin:aadd (including the colon).
2. HTTP Digest Authentication (RFC 2069)
So far we have seen that Basic Authentication sends username:password in plaintext over the network. But Digest Auth sends a HASH of the password using a hash algorithm.
Here are packets showing the requests made by the client and the response from the server.
As soon as the client types the credentials requested by the server, the password is converted to a response using an algorithm and then sent to the server. If the server database has the same response as given by the client, the server gives access to the resource, otherwise a 401 error.
In the above Authorization, the response string is calculated using the values of Username, Realm, Password, http-method, URI and Nonce as shown in the image:
Hence, we can see that Digest Authentication is more secure as it involves hashing (MD5 encryption), so packet sniffer tools cannot sniff the password, although in Basic Auth the exact password was shown on Wireshark.
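The server side of the exchange described in the Wireshark answer above, as an added example that is not part of the original post: it parses an incoming Authorization header, decodes a Basic header (which is all a packet sniffer on an unencrypted link has to do to read admin:aadd), and verifies a Digest header against a credential store that holds only Hash1 = MD5(username:realm:password) rather than the password. The realm, user and captured header are the RFC 2617 section 3.5 example values; the credential store, the issued-nonce set and the captured header string are constructed for the example.

```python
import base64
import hashlib
import hmac
import re


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


# Constructed credential store. For Digest the server only needs Hash1
# (MD5 of username:realm:password), so that is all it keeps here.
REALM = "testrealm@host.com"
USERS_HASH1 = {"Mufasa": md5_hex(f"Mufasa:{REALM}:Circle Of Life")}

# Constructed set of nonces this server has issued; a response built on a nonce
# the server never handed out is rejected before any hashing is done.
ISSUED_NONCES = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}

# Constructed capture of the client's request header (values from RFC 2617 3.5).
CAPTURED_DIGEST = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"'
)


def decode_basic(header: str):
    """Return (username, password) from a Basic header, or None if not Basic.

    This is exactly the step that turns the string seen in Wireshark back into
    the plaintext credentials, which is why Basic needs TLS underneath it.
    """
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return user, password


def parse_digest_params(params: str) -> dict:
    """Split 'key="value", key=value, ...' into a dict (quotes stripped)."""
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def verify_digest(header: str, method: str, request_uri: str) -> bool:
    """Recompute the response from stored Hash1 and compare in constant time."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return False
    p = parse_digest_params(rest)
    if not {"username", "realm", "nonce", "uri", "response"}.issubset(p):
        return False
    # The uri field must match the request actually being made, the realm must
    # be ours, and the nonce must be one we issued.
    if p["realm"] != REALM or p["uri"] != request_uri or p["nonce"] not in ISSUED_NONCES:
        return False
    hash1 = USERS_HASH1.get(p["username"])
    if hash1 is None:
        return False
    hash2 = md5_hex(f"{method}:{request_uri}")
    if "qop" in p:  # RFC 2617 form: Hash1:nonce:nonceCount:cnonce:qop:Hash2
        if not {"nc", "cnonce"}.issubset(p):
            return False
        expected = md5_hex(f"{hash1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{hash2}")
    else:  # RFC 2069 form: Hash1:nonce:Hash2
        expected = md5_hex(f"{hash1}:{p['nonce']}:{hash2}")
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46YWFkZA=="))            # ('admin', 'aadd')
    print(verify_digest(CAPTURED_DIGEST, "GET", "/dir/index.html"))  # True
    print(verify_digest(CAPTURED_DIGEST, "GET", "/dir/other.html"))  # False
```

The two checks are the practical content of the capture: the Basic header yields the password outright, while the Digest header only verifies if the method, URI, nonce and stored Hash1 all line up, so a response lifted from one request does not validate for a different URI. A production verifier would additionally expire nonces and track the nonce count, which is left out here.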
Basic Authentication uses base64 encoding for generating a cryptographic string which contains the information of username and password.
Digest Access Authentication uses hashing methodologies to generate the cryptographic result.
Statement: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.