Concept of Digest authentication - does it really work?


Problem description

As far as I understand, Digest authentication (which is a one-way operation) hashes the password and transmits the hashed data to the server. The server then will use the stored password, hash it and compare it for equality against the received hashed password. Supposed to be safe from man-in-the-middle attack.

What I don't understand is, if I'm the man-in-the-middle hacker, I don't need the original password. I'd just use the hashed password, since that is the one which the server will compare against.

So what's the use of this Digest authentication mechanism? It doesn't seem to work from this general overview.

Recommended answer

Digest authentication doesn't work quite the way you've described.

  1. The server does not store the unhashed password. The server stores the hash of username:realm:password.
  2. The client does not send the same hash value for every authentication.

Digest auth is a challenge-response protocol. To start the process the client requests a protected URL and the server responds with the realm and a nonce. The client uses the realm and nonce to calculate:

md5(md5(username:realm:password):nonce:md5(httpMethod:uri))

The nonce causes each authentication to produce a different hash value, and in doing so prevents replay attacks. Further, it does provide some (weak) protection against attackers listening in on your communication because the plaintext password doesn't pass over the wire, although this does not stop an attacker from cracking the hash once they have it.
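The computation the answer describes, as an added illustration that is not part of the original answer: the server keeps only md5(username:realm:password), issues a fresh nonce per challenge, and recomputes the client's response from the stored hash. The single-use nonce set, the realm "example" and the user "alice" are assumptions made for the demo; real servers usually track replay with the nonce-count field instead.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # The only credential material the server stores (point 1 of the answer).
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def client_response(username, realm, password, method, uri, nonce) -> str:
    # md5(md5(username:realm:password):nonce:md5(httpMethod:uri)), the formula
    # quoted in the answer (RFC 2069 style, no qop/cnonce).
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2(method, uri)}")


class DigestServer:
    """Constructed demo server: stores HA1 only, nonces are single-use (assumption)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}        # username -> HA1, never the plaintext password
        self.issued = set()    # nonces handed out and not yet consumed

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)   # unpredictable, fresh per request
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response) -> bool:
        if nonce not in self.issued:    # unknown or already used nonce: replay
            return False
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = md5_hex(f"{stored}:{nonce}:{ha2(method, uri)}")
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.issued.discard(nonce)  # consume it so a captured response is useless
        return ok
```

Capturing one response lets an attacker replay it only while that nonce is still valid, and offline cracking of the captured value is still possible, which is exactly the "weak protection" the answer warns about.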
