HTTP Basic Authentication instead of TLS client certification


Question


The answer below is from this question;

The awarded answer doesn't actually address the question at all. It only mentions SSL in the context of data transfer and doesn't actually cover authentication.

You're really asking about securely authenticating REST API clients. Unless you're using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API. SSL without client authc only authenticates the server, which is irrelevant for most REST APIs.

If you don't use TLS client authentication you'll need to use something like a digest-based authentication scheme (like Amazon Web Service's custom scheme) or OAuth or even HTTP Basic authentication (but over SSL only).

So, considering I will use HTTPS without client certification, my question here is: the poster says that if we don't use client SSL certification, the server does not really know whom it's talking to. What I understand here is that if I use an authentication token to authenticate the client against the server, then the server does not know who is sending the token, even if that token is paired with a user id in my server's database.

First of all

1- Is this a real problem? Especially if I use HTTPS? (without TLS client authentication)

2- And most important, assuming that is an important security flaw: how can HTTP Basic authentication help here, as the poster mentioned? HTTP Basic authentication just sends the encoded username and password in a header. So when the client receives a token (in return, after he sends his username and password), then for the rest of his requests he will use this token in this header instead of the password, and everything is fine all of a sudden?

Still, the server does not know where the request is coming from; maybe the server has a valid token with a matched user in its database, but it is unknown who really *sent* it. (While I still see it as very hard that the token would be stolen over HTTPS and used by someone else!)

Whenever I bring up this subject I get replies: "Well... you send a token but the server does not know who sent the token, not very secure". So I understand this as: the browser keeps a sort of auth certification and the server knows the request is coming from the right place, THEN I can be sure that the user paired with that token (checked from my DB) is "really correct".

Or maybe what I am telling here is not correct.

Solution

[the] poster says if we dont use client SSL certification server does not really know whom its talking to.

That's not what I said :) This is what I said:

Unless you're using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API.

alone being the key word here. Also:

If you don't use TLS client authentication, you'll need to use something like a digest-based authentication scheme (like Amazon Web Service's custom scheme) or OAuth or even HTTP Basic authentication (but over SSL only).

In other words, TLS client authentication is one way of authenticating a REST API client. Because the original SO question was about SSL specifically, I was mentioning that TLS client authc is the only 'built in' form of authentication if you're relying on TLS alone. Therefore, if you're using TLS, and you don't leverage TLS client authc, you must use another form of authentication to authenticate your client.

There are many ways to authenticate REST Clients. TLS client authc is just one of them (the only 'built in' one for TLS and usually very secure). However, TLS is a network-level protocol and is perceived by most to be too complicated for many end-users to configure. So most REST API offerings opt for an easier-to-use application-level protocol like HTTP because it is easier for most to use (e.g. just set an HTTP header).

So, if you're going the HTTP header route, you have to use a header value to authenticate a REST client.

In HTTP authentication, you have a header, Authorization, and its value (the header name is rather unfortunate because it is usually used for authentication and not as often for access control, aka authorization). The Authorization header value is what is used by the server to perform authentication, and it is composed (usually) of three tokens

  1. An HTTP authentication scheme name, followed by
  2. white space (almost always a space character), followed by
  3. The scheme-specific text value.

One common HTTP authentication Scheme is the Basic scheme, which is very... well... basic :). The scheme-specific text value is simply the following computed value:

import java.nio.charset.StandardCharsets;
import java.util.Base64;
String concatenated = username + ":" + raw_password;
String schemeSpecificTextValue = Base64.getEncoder().encodeToString(concatenated.getBytes(StandardCharsets.UTF_8)); // base64 of the UTF-8 bytes of "username:password"

So you might see a corresponding header look like this:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The server knows how to parse the value. It says "Hey, I know the Basic scheme, so I'm going to take the trailing text value, base64 decode it, and then I'll have the username and submitted password. Then I can see if those values match what I have stored."

And that's essentially Basic authentication. Because this scheme in particular includes the submitted raw password base64 encoded, it is not considered secure unless you use a TLS connection. TLS guarantees (mostly) that prying eyes can't intercept the headers (e.g. via packet inspection) and see what the password is. This is why you should never use HTTP Basic authentication unless it is over a TLS connection. Always - even in company intranet environments.

There are other even more secure HTTP Authentication schemes of course. An example is any scheme that uses digest-based authentication.

Digest-based authentication schemes are better because their scheme text value does not contain the submitted password. Instead, a password-based-hash of certain data (often other header fields and values) is calculated and the result is put in the Authorization header value. The server calculates the same password-based-hash using the password it has stored locally. If the server's computed value matches the request's header value, the server can consider the request authenticated.

Here's why this technique is more secure: only a hash is transmitted - not the raw password itself. That means this technique can be used to authenticate requests even over clear-text (non TLS) connections (but you would only want to do this if the request data itself is not sensitive of course).

Some digest-based authentication schemes:

Stormpath's and Amazon's are more secure for REST than OAuth 1.0a because they always authenticate the request entity payload. OAuth 1.0a only does this for application/x-www-form-urlencoded content which isn't relevant for REST APIs that use application/xml or application/json payloads (which appears to be most REST APIs these days).

Interestingly, OAuth2 is not digest based - it uses something I consider less secure, called 'bearer tokens', which is in my opinion symptomatic of OAuth 2's various problems.

Finally, and yes, this is a shameless plug, but if you don't want to worry about this stuff, just use Stormpath (many use cases are free). We automate this stuff so your apps don't have to.
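The two mechanisms the answer describes, Basic (scheme name, whitespace, base64 of "username:password") and a digest-based scheme (a keyed hash over request data instead of the password itself), as an added example that is not part of the original question or answer and is not Stormpath's or Amazon's code. The credential store, the salt, the shared secret and the scheme name "HMAC-SHA256" are all constructed for the example; the Basic header value is the one quoted in the answer. The digest-style part signs the method, path, date header and a hash of the body, so a tampered payload fails verification, which is the property the answer attributes to the Stormpath and Amazon schemes.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

# --- Basic scheme ------------------------------------------------------------

def build_basic_header(username: str, raw_password: str) -> str:
    """Client side: 'Basic' + space + base64(username ':' password)."""
    concatenated = f"{username}:{raw_password}"
    return "Basic " + base64.b64encode(concatenated.encode("utf-8")).decode("ascii")


def parse_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Server side: split scheme / whitespace / scheme-specific value, then decode.
    Returns (username, password), or None when the header is not well-formed."""
    parts = header_value.split(None, 1)            # scheme name, then the rest
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)     # the password may itself contain ':'
    return username, password


# Constructed credential store: the server keeps a salted password hash, never the raw password.
_SALT = b"constructed-salt"

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

USERS = {"Aladdin": _hash_password("open sesame", _SALT)}


def authenticate_basic(header_value: str) -> Optional[str]:
    """Returns the authenticated username, or None on any failure."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return None
    username, password = creds
    stored = USERS.get(username)
    if stored is None:
        return None
    # Constant-time comparison of the two hashes.
    return username if hmac.compare_digest(stored, _hash_password(password, _SALT)) else None


# --- Digest-style scheme: HMAC over request data (constructed scheme) --------
# Assumed scheme name "HMAC-SHA256"; the header carries "username:signature".
SECRETS = {"Aladdin": b"constructed-shared-secret"}   # constructed, per-user secret

def _string_to_sign(method: str, path: str, date: str, body: bytes) -> bytes:
    """Canonical request: method, path, Date header and SHA-256 of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date, body_hash]).encode("utf-8")


def build_hmac_header(username: str, secret: bytes, method: str, path: str, date: str, body: bytes) -> str:
    """Client side: only the keyed hash is sent, never the secret."""
    sig = hmac.new(secret, _string_to_sign(method, path, date, body), hashlib.sha256).hexdigest()
    return f"HMAC-SHA256 {username}:{sig}"


def authenticate_hmac(header_value: str, method: str, path: str, date: str, body: bytes) -> Optional[str]:
    """Server side: recompute the hash from the request it actually received."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0] != "HMAC-SHA256" or ":" not in parts[1]:
        return None
    username, sig = parts[1].split(":", 1)
    secret = SECRETS.get(username)
    if secret is None:
        return None
    expected = hmac.new(secret, _string_to_sign(method, path, date, body), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, sig) else None
```

Note that `authenticate_basic` still transmits the password in the header, so it belongs behind TLS exactly as the answer says; the HMAC variant only proves possession of the secret and also binds the body, so replaying it against a different path or payload fails. Neither function prevents replay of an identical request; a real scheme would also check that the Date header is recent.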
