为什么在基本身份验证中使用 Base64
[英]Why Base64 in Basic Authentication
问题描述
Why has the resulting string literal of username:password be encoded with Base64 in the Authorization header?
为什么生成的username:password字符串文字在 Authorization 标头中使用 Base64 编码? What's the background of it?它的背景是什么?
2 个解决方案
解决方案1
16 2014-11-12 07:36:19
To understand the following, you should have a clear understanding of the differences between "character set" and "character encoding" .要理解以下内容,你应该对“字符集”和“字符编码”的区别有一个清晰的认识。
Also, please keep in mind that Base64 is an encoding , and encoding is not encryption .另外,请记住Base64是一种编码,编码不是加密。 Anything encoded in Base64 is intentionally easy to decode.用 Base64 编码的任何内容都有意易于解码。
The Base64 encoding, most importantly, ensures that the user:pass characters are all part of the ASCII character set and ASCII encoded. Base64编码,最重要的是,确保 user:pass 字符都是ASCII字符集和 ASCII 编码的一部分。 A user:pass in HTTP Basic auth is part of the Authorization header-field value. HTTP Basic auth 中的 user:pass 是 Authorization 标头字段值的一部分。 HTTP header values are ASCII (or Extended ASCII) encoded/decoded. HTTP 标头值是 ASCII(或扩展 ASCII)编码/解码的。 So, when you Base64 encode a user:pass, you ensure that it is ASCII, and is therefore a valid header-field value.因此,当您对 user:pass 进行 Base64 编码时,请确保它是 ASCII,因此是有效的标头字段值。
Base64 encoding also adds at least some kind of obfuscation to the clear-text user:pass. Base64 编码还为明文 user:pass 添加了至少某种混淆。 Again, this is not encryption.同样,这不是加密。 But, it does prevent normal humans from reading a user:pass at a glance.但是,它确实会阻止普通人一目了然地阅读 user:pass。 This seems almost meaningless from a security perspective, and I only include it because of the following background info.从安全角度来看,这似乎几乎毫无意义,我之所以将其包括在内,是因为以下背景信息。
Some Background一些背景
If you have a look at RFC 2616 (now obsolete) and RFC 2617 , you'll see that they define both header field-values and Basic auth user:pass, respectively, as TEXT;如果您查看RFC 2616 (现已过时)和RFC 2617 ,您会发现它们分别将标头字段值和基本身份验证 user:pass 定义为 TEXT; ie, ISO-8859-1 OCTECTs (ISO-8859-1 is an 8-bit Extended ASCII encoding).即,ISO-8859-1 OCTECT(ISO-8859-1 是 8 位扩展 ASCII 编码)。 This is odd, because it makes it seem like the authors intended that a compliant user:pass should use the same character set/encoding as that required for HTTP headers, in which case the Base64 encoding seems pretty meaningless except for the trivial obfuscation.这很奇怪,因为这使得作者似乎打算让兼容的 user:pass 使用与 HTTP 标头所需的字符集/编码相同的字符集/编码,在这种情况下,Base64 编码似乎毫无意义,除了琐碎的混淆。
That said, it's hard to believe that the authors of those RFC's didn't think of usernames/passwords being in non-ASCII (non-ISO-8859-1) character sets.也就是说,很难相信那些 RFC 的作者没有想到用户名/密码是非 ASCII(非 ISO-8859-1)字符集。 Assuming they had non-ASCII user:passes in mind, they might have been concerned about how to include/maintain/transmit non-ASCII bytes in the middle of an all ASCII set of headers.假设他们有非 ASCII user:passes,他们可能会担心如何在所有 ASCII 标头集的中间包含/维护/传输非 ASCII 字节。 Base64 encoding the user:pass certainly solves that problem nicely. Base64 编码 user:pass 当然很好地解决了这个问题。 There's also the more canonical reason for using Base64 -- to make data transmission more reliable .使用 Base64 还有一个更规范的原因——使数据传输更可靠。 My understanding is that HTTP is 8-bit clean ;我的理解是 HTTP 是8-bit clean ; even though the headers are shipped as ASCII, I don't think the Base64 encoding of user:pass was to make its transmission more reliable.即使标头以 ASCII 形式提供,我不认为 user:pass 的 Base64 编码是为了使其传输更可靠。
Without asking the original authors, I'm not sure we'll ever know for sure.如果不问原作者,我不确定我们是否会确定。 Here's an interesting comment on the topic by Julian Reschke . 这是 Julian Reschke 对该主题的有趣评论。 He's the author of RFC 5987, Character Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parameters .他是RFC 5987, Character Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parameters的作者。 He has also done a lot of work on HTTP RFCs, including the latest HTTP 1.1 RFC overhaul.他还在 HTTP RFC 方面做了大量工作,包括最新的 HTTP 1.1 RFC 大修。
The current HTTP 1.1 RFC which deals with HTTP header encoding, RFC 7230 , now recommends USASCII (aka ASCII, 7-bit ASCII) for headers.当前处理 HTTP 标头编码的 HTTP 1.1 RFC RFC 7230现在建议标头使用 USASCII(又名 ASCII,7 位 ASCII)。 RFC 5987 defines a header parameter encoding spec -- presumably some are using this. RFC 5987定义了一个标头参数编码规范——大概有些人正在使用它。 RFC 7235 is a recent update to RFC 2617 on HTTP Authentication. RFC 7235是关于 HTTP 身份验证的 RFC 2617 的最新更新。
解决方案2
6 已采纳 2012-12-01 16:40:41
This is the production rule for the userid-password tuple before it's encoded:这是userid-password元组在编码之前的生产规则:
userid-password = [ token ] ":" *TEXT
Here token is specified as follows:这里的token指定如下:
token = 1*<any CHAR except CTLs or tspecials>
This is basically any US-ASCII character within the range of 32 to 126 but without some special characters ( ( , ) , < , > , @ , , , ; , : , \ , " , / , [ , ] , ? , = , { , } , space, and horizontal tab).这基本上是 32 到 126 范围内的任何 US-ASCII 字符,但没有一些特殊字符( ( , ) , < , > , @ , , , ; , : , \ , " , / , [ , ] , ? , = 、 { 、 } 、空格和水平制表符)。
And TEXT is specified as follows:并且TEXT指定如下:
TEXT = <any OCTET except CTLs,
but including LWS>
This is basically any octet (0–255) sequence except control characters (codepoints 0–31, 127) but including linear whitespace sequences, which is one or more space or horizontal tab characters that may be preceded by a CRLF sequence:这基本上是除控制字符(代码点 0-31、127)外的任何八位字节(0-255) 序列,但包括线性空白序列,它是一个或多个空格或水平制表符,前面可能有一个 CRLF 序列:
LWS = [CRLF] 1*( SP | HT )
Although this doesn't break a header field value, LWS has the same semantics as a single space :尽管这不会破坏标头字段值,但LWS具有与单个空格相同的语义:
All linear whitespace, including folding, has the same semantics as SP.
And to keep such sequences as is, the string is encoded before it's placed as field value.为了保持这样的序列不变,字符串在作为字段值放置之前被编码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.