
What is the difference between Digest and Basic Authentication?

Digest Authentication communicates credentials in an encrypted form by applying a hash function to the username, the password, a server-supplied nonce value, the HTTP method, and the requested URI.

Basic Authentication, on the other hand, uses unencrypted base64 encoding.

Therefore Basic Authentication should generally only be used where transport layer security is provided, such as HTTPS.

See RFC 2617 for all the gory details.

HTTP Basic Access Authentication

  • STEP 1: the client makes a request for information, sending a username and password to the server in plain text
  • STEP 2: the server responds with the desired information or an error

Basic Authentication uses base64 encoding (not encryption) for generating our cryptographic string which contains the information of username and password. HTTP Basic doesn't need to be implemented over SSL, but if you don't, it isn't secure at all. So I'm not even going to entertain the idea of using it without.

Pros:

  • It's simple to implement, so your client developers will have less work to do and take less time to deliver, so developers could be more likely to want to use your API
  • Unlike Digest, you can store the passwords on the server in whatever encryption method you like, such as bcrypt, making the passwords more secure
  • Just one call to the server is needed to get the information, making the client slightly faster than more complex authentication methods might be

Cons:

  • SSL is slower to run than basic HTTP, so this causes the clients to be slightly slower
  • If you don't have control of the clients, and can't force the server to use SSL, a developer might not use SSL, causing a security risk

In summary: if you have control of the clients, or can ensure they use SSL, HTTP Basic is a good choice. The slowness of the SSL can be cancelled out by the speed of only making one request.

Syntax of Basic Authentication

Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>
// finally, the Authorization key/value pair is added to the HTTP header as follows
Authorization: <Authorization Value>
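The Basic scheme described in this answer, worked through end to end as an added example (this is not code from the answer or from any project it mentions). The client builds the header, `credentials_from_header` shows that anyone holding the header, a packet sniffer included, recovers the password simply by decoding it, and the server side shows the point made under Pros: because Basic delivers the password itself, the server can verify it against a salted, slow hash. `USER_DB`, `verify_basic`, the PBKDF2 parameters and the credential `admin:aadd` are assumptions constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed sample credentials for the example (not real accounts).
USERNAME, PASSWORD = "admin", "aadd"
PBKDF2_ITERATIONS = 200_000  # illustration only; follow your password-hashing library's current guidance


def basic_authorization_header(username: str, password: str) -> str:
    """Client side: Authorization value = "Basic " + base64(username ":" password)."""
    if ":" in username:
        # RFC 7617: the user-id must not contain a colon, or the split on the server is ambiguous
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header_value: str) -> tuple[str, str]:
    """What anyone holding the header (the server, or a sniffer on a non-TLS link) recovers.

    base64 is a reversible encoding, so this is the full plaintext password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("user-pass must contain ':'")
    return username, password


def make_password_record(password: str) -> dict:
    """Server side: Basic hands the server the password itself, so the server is free to
    store a salted, slow hash (bcrypt/scrypt/Argon2 in practice; PBKDF2 from the standard
    library here so the example runs without extra packages)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Hypothetical user database for the example: one user, stored as a PBKDF2 record.
USER_DB = {USERNAME: make_password_record(PASSWORD)}


def verify_basic(header_value: str, user_db: dict = USER_DB) -> bool:
    """Server-side check of an incoming Authorization header. True only on a valid credential."""
    try:
        username, password = credentials_from_header(header_value)
    except ValueError:
        return False
    record = user_db.get(username)
    if record is None:
        # Burn the same work for unknown users so response timing does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    header = basic_authorization_header(USERNAME, PASSWORD)
    print("Authorization:", header)                         # Basic YWRtaW46YWFkZA==
    print("sniffer sees:", credentials_from_header(header))  # ('admin', 'aadd')
    print("server accepts:", verify_basic(header))           # True
```

`validate=True` makes `b64decode` reject tokens containing characters outside the base64 alphabet; without it the decoder silently discards them, which is rarely what a server wants when parsing credentials.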

HTTP Digest Access Authentication

Digest Access Authentication uses hashing (i.e. "digest" means cut into small pieces) methodologies to generate the cryptographic result. HTTP Digest access authentication is a more complex form of authentication that works as follows:

  • STEP 1: a client sends a request to a server
  • STEP 2: the server responds with a special code (called a nonce, i.e. a number used only once), another string representing the realm (a hash) and asks the client to authenticate
  • STEP 3: the client responds with this nonce and an encrypted version of the username, password and realm (a hash)
  • STEP 4: the server responds with the requested information if the client hash matches their own hash of the username, password and realm, or an error if not

Pros:

  • No usernames or passwords are sent to the server in plaintext, making a non-SSL connection more secure than an HTTP Basic request that isn't sent over SSL. This means SSL isn't required, which makes each call slightly faster

Cons:

  • For every call needed, the client must make two, making the process slightly slower than HTTP Basic
  • HTTP Digest is vulnerable to a man-in-the-middle security attack, which basically means it could be hacked
  • HTTP Digest prevents use of strong password encryption, meaning the passwords stored on the server could be hacked

In summary, HTTP Digest is inherently vulnerable to at least two attacks, whereas a server using strong encryption for passwords with HTTP Basic over SSL is less likely to share these vulnerabilities.

If you don't have control over your clients, however, they could attempt to perform Basic authentication without SSL, which is much less secure than Digest.

RFC 2069 Digest Access Authentication Syntax

Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:Hash2)

RFC 2617 Digest Access Authentication Syntax

Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)
// some additional parameters added

source and example

In Postman it looks as follows:

[image]

Note:

  • The Basic and Digest schemes are dedicated to authentication using a username and a secret.
  • The Bearer scheme is dedicated to authentication using a token.

Let us see the difference between the two HTTP authentication schemes using Wireshark (a tool to analyse packets sent or received).

1. HTTP Basic Authentication

[image: Basic]

As soon as the client types in the correct username:password, as requested by the web server, the web server checks in the database whether the credentials are correct and gives access to the resource.

Here is how the packets are sent and received:

[image] In the first packet the client fills in the credentials using the POST method at the resource lab/webapp/basicauth. In return the server replies with HTTP response code 200 OK, i.e., the username:password were correct.

[image: HTTP packet details]

Now, in the Authorization header it shows that it is Basic authorization followed by some random-looking string. This string is the encoded (Base64) version of the credentials admin:aadd (including the colon).

2. HTTP Digest Authentication (RFC 2069)

So far we have seen that Basic Authentication sends username:password in plaintext over the network. But Digest Auth sends a HASH of the password using a hash algorithm.

Here are packets showing the requests made by the client and the response from the server.

[image: Digest]

As soon as the client types the credentials requested by the server, the password is converted to a response using an algorithm and then sent to the server. If the server database has the same response as given by the client, the server gives access to the resource, otherwise a 401 error.

[image: Digest auth packet details] In the above Authorization, the response string is calculated using the values of Username, Realm, Password, http-method, URI and Nonce as shown in the image:

[image: response algorithm] (colons are included)

Hence, we can see that Digest Authentication is more secure as it involves hashing (MD5 encryption), so packet sniffer tools cannot sniff the password, although in Basic Auth the exact password was shown in Wireshark.
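The Digest computation given in the RFC 2069 / RFC 2617 syntax sections above and the packet-level walk-through in this answer, as an added example that is not any answer's own code. Both sides of the exchange are shown: the client builds the Authorization header from Hash1 and Hash2, the server verifies it against a stored HA1 (which is exactly why Digest cannot use bcrypt-style password storage), and `offline_dictionary_attack` shows what a sniffer holding one captured Digest request can still attempt offline. The sample values (user `Mufasa`, realm `testrealm@host.com`, password `Circle Of Life`, the nonce and cnonce) are the worked example from RFC 2617 section 3.5; `DigestServer`, `build_authorization` and the other names are assumptions made for this example.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample exchange using the worked values of RFC 2617 section 3.5.
# None of these values come from the answers on this page.
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
METHOD, URI = "GET", "/dir/index.html"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Hash1 = MD5(username:realm:password). Also exactly what the server has to keep on file."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """Hash2 = MD5(method:digestURI). With qop=auth the request body is not covered."""
    return md5_hex(f"{method}:{uri}")


def response_rfc2069(h1: str, nonce: str, method: str, uri: str) -> str:
    """response = MD5(Hash1:nonce:Hash2)"""
    return md5_hex(f"{h1}:{nonce}:{ha2(method, uri)}")


def response_rfc2617(h1: str, nonce: str, nc: str, cnonce: str, qop: str, method: str, uri: str) -> str:
    """response = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)"""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


def build_authorization(username, realm, password, nonce, method, uri, nc, cnonce, qop="auth") -> str:
    """Client side (STEP 3): the Authorization header sent after the 401 challenge."""
    resp = response_rfc2617(ha1(username, realm, password), nonce, nc, cnonce, qop, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(value: str) -> dict:
    """Split a Digest credential into its parameters (quoted and unquoted forms)."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


class DigestServer:
    """Server side (STEPS 2 and 4). Only HA1 is stored, never the password, but HA1 is a single
    fast unsalted MD5 and must stay that way: the server has to reproduce the exact Hash1 the
    client computed, so it cannot switch to bcrypt/scrypt/Argon2 the way a Basic server can."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.ha1_store = {u: ha1(u, realm, p) for u, p in users.items()}
        self.issued_nonces: set = set()

    def challenge(self, nonce: str) -> str:
        """WWW-Authenticate value for the 401 response; the nonce is remembered for verify()."""
        self.issued_nonces.add(nonce)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, header_value: str) -> bool:
        try:
            p = parse_authorization(header_value)
        except ValueError:
            return False
        needed = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
        if not needed.issubset(p) or p["qop"] != "auth":
            return False
        if p["realm"] != self.realm or p["nonce"] not in self.issued_nonces:
            return False
        stored = self.ha1_store.get(p["username"])
        if stored is None:
            return False
        # A production server must also track nc per nonce to reject replays of a captured header.
        expected = response_rfc2617(stored, p["nonce"], p["nc"], p["cnonce"], p["qop"], method, p["uri"])
        return hmac.compare_digest(expected, p["response"])


def offline_dictionary_attack(method: str, captured_header: str, wordlist) -> Optional[str]:
    """What a sniffer can do with one captured Digest request: the password is not on the wire,
    but every guess is only two unsalted MD5 calls away from a check against the response."""
    p = parse_authorization(captured_header)
    for guess in wordlist:
        h1 = ha1(p["username"], p["realm"], guess)
        if response_rfc2617(h1, p["nonce"], p["nc"], p["cnonce"], p["qop"], method, p["uri"]) == p["response"]:
            return guess
    return None


if __name__ == "__main__":
    server = DigestServer(REALM, {"Mufasa": "Circle Of Life"})
    print("401 WWW-Authenticate:", server.challenge(NONCE))
    header = build_authorization("Mufasa", REALM, "Circle Of Life", NONCE, METHOD, URI, "00000001", CNONCE)
    print("Authorization:", header)  # response="6629fae49393a05397450978507c4ef1"
    print("server accepts:", server.verify(METHOD, header))
    print("sniffer recovers:", offline_dictionary_attack(METHOD, header, ["hunter2", "Circle Of Life"]))
```

Because the HTTP method and URI are folded into Hash2, replaying the captured header against a different method or path fails verification, which is the property that distinguishes Digest from a replayed Basic header. With qop=auth the request body is not covered at all; RFC 2617's qop=auth-int adds MD5(entity-body) to Hash2 but is rarely implemented in practice.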

Basic Authentication uses base64 encoding for generating a cryptographic string which contains the information of username and password.

Digest Access Authentication uses hashing methodologies to generate the cryptographic result.

Notice: the technical posts on this site are under the CC BY-SA 4.0 license; if you repost, please cite this site or the original source.

© 2020-2024 STACKOOM.COM