This report is a short review of the basic authentication schemes used on the World Wide Web. It gives a general idea of authentication techniques such as HTTP/1.0 authentication, Basic Access Authentication and Digest Access Authentication, and discusses the advantages and disadvantages of implementing each scheme. A scheme can be selected and applied according to the confidentiality and importance of the information involved. Basic authentication sends the password in cleartext, whereas Digest access authentication creates a checksum so that the password is unreadable to unauthorized people who try to capture it.
The World Wide Web is the largest network in the world, integrating every computer system that has Internet access. Hence there is always a chance of unauthorized access to systems or their resources. Hacking a system or its resources means damaging, stealing or altering the important and confidential information held on that system. If access is restricted by applying the best available authentication techniques, illegal intrusion is prevented to a great extent. This report describes the currently available authentication schemes adopted by different websites to ensure that only authorized users gain access.
WWW: Vulnerabilities
The connection between a client and a web server follows certain principles or protocols. The main protocol responsible for providing Internet service is TCP/IP. This protocol was not designed to ensure security for the Internet; it concentrates only on successful data communication. The weaknesses caused by this lack of security in information exchange are a boon for an attacker, who can access any system he wants by using specific coding or programming techniques. It has already been confirmed that a large number of such programs are openly available on the Internet.
One category of such programs, called “sniffer” programs, can reveal the details of network traffic on an Ethernet hub, for example by stealing POP3 passwords from the network. To close these kinds of loopholes, IT specialists developed several security protocols that deter such unlawful activities. Secure Socket Layer (SSL) and TLS are standard protocols that ensure effective protection against such attacks. These protocols use different encryption methods to turn the network connection into a secure channel for information exchange.
Although security in web access is relevant, users always demand maximum convenience over complications in the name of security. So the most convenient authentication method existing today is the password protection system. It balances both requirements, convenience as well as security. It is always advisable, though, that users choose strong passwords combining alphanumeric characters with special characters, and that they change their passwords frequently.
Web Authentication Schemes
There are mainly two types of authentication processes used in web technology, called “basic” and “digest”. The Basic authentication method supplies the password after encoding it in a few simple steps. Because of this, such passwords can easily be transcribed and detected by sniffing the network traffic, which is no Herculean task for a professional hacker. Digest authentication is termed a challenge-response protocol: it never allows the password to pass over the network in the clear. Digest authentication is a perfect alternative to SSL. The other technique available as an alternative authentication method is HTML forms.
Forms are compatible with almost every web browser and provide the usual mechanism for users to input data into a website. Normally the web server is least concerned about the data; it is simply passed on to the web application. Forms protect the confidentiality of the password entered into the box by rendering it unreadable. Forms are highly flexible, so web developers can design them to match the surrounding HTML page.
But with forms, one cannot expect the web server to assist with the authentication. The form, that is, the web application behind it, is responsible for the entire authentication process, which makes the system complex, and bugs that cause security vulnerabilities are always a possibility. The remainder of this report describes the various authentication schemes used for web security.
HTTP authentication is the most popular authentication technique, used in almost every web-oriented information exchange, i.e. between web server and browser. It restricts users who intend to access a protected site. Normally the HTTP authentication process asks for a user name and password through a pop-up dialog box. Though this process is simple and can easily be applied in the web server and browser, it has demerits too. One disadvantage is that the web developer has no control over the display or look of the authentication message box (the pop-up box).
Without customization, the mismatch between the website and the pop-up makes it look ugly. In this way, “HTTP provides a simple challenge-response authentication mechanism that MAY be used by a server to challenge a client request and by a client to provide authentication information.” (Franks, et al., Access authentication framework, 1999).
Basic Authentication Scheme
The “basic” authentication scheme requires the client or user to authenticate by supplying an authentication ID and password on every access. “The realm value should be considered an opaque string which can only be compared for equality with other realms on that server.” (Franks, et al., Basic Authentication Scheme, 1999). On receiving the client request, the server responds only after verifying and validating the user-ID and password. Apart from this, no other authentication parameters are available in this scheme.
Digest Access Authentication Scheme
One can never expect a hundred percent foolproof authentication security from the above-mentioned protocols, HTTP/1.0 and the Basic Access Authentication scheme, because they simply pass the user-id and password over the network without changing their form, that is, as cleartext. No encryption method is applied. A modified system called Digest Access Authentication was then developed, which solved this problem of cleartext transmission.
It works in a similar fashion to Basic Access Authentication, as a simple challenge-response paradigm. The scheme uses a nonce in the authentication process, and the corresponding response must be a checksum of the user-id, the password and that same nonce value. Hence the password is never transmitted as cleartext. The algorithm creates the checksum from the user-id, the password and an identifier. “An optional header allows the server to specify the algorithm used to create the checksum or digest.” (Franks, et al., Representation of digest value, 1999).
The most popular algorithm used with the Digest Access Authentication scheme is MD5. The 128-bit MD5 digest is represented as 32 printable ASCII characters, converting the bits from the most significant to the least significant. This authentication method also has many limitations. Though it can be used as an alternative to Basic authentication, it cannot provide the security of Kerberos or any other client-side private-key scheme, and it may suffer from the same difficulties as other authentication systems.
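The two schemes side by side, as an added Python example that is not part of the original report: it builds a Basic credential, shows that a sniffer recovers the cleartext from it with a single decode, and computes and verifies the Digest checksum from user-id, realm, password and nonce as RFC 2617 defines it. The realm, nonce, user and password values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

def basic_credentials(user: str, password: str) -> str:
    """Basic scheme: the Authorization value is base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def basic_recover(header: str) -> tuple:
    """What a sniffer on the hub sees: base64 is an encoding, not encryption,
    so one decode call yields the cleartext user-id and password."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password

def md5_hex(text: str) -> str:
    """128-bit MD5 digest rendered as 32 printable ASCII (hex) characters."""
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri) -> str:
    """RFC 2617 Digest checksum (original, non-qop form):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). The password never leaves the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_verify(user, realm, stored_password, nonce, method, uri, response) -> bool:
    """Server side: recompute the checksum from its own copy of the password
    and the nonce it issued in the WWW-Authenticate challenge; a response
    captured under an earlier nonce no longer matches."""
    expected = digest_response(user, realm, stored_password, nonce, method, uri)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values, not taken from the report.
    realm, nonce = "example-realm", "constructed-nonce-0001"
    hdr = basic_credentials("alice", "s3cret!")
    print(hdr, "->", basic_recover(hdr))  # cleartext recovered in one step
    resp = digest_response("alice", realm, "s3cret!", nonce, "GET", "/private")
    print("Digest response:", resp)
    print("accepted:", server_verify("alice", realm, "s3cret!", nonce, "GET", "/private", resp))
```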
This report has discussed the available authentication schemes: HTTP/1.1, the Basic Authentication Scheme and the Digest Access Authentication Scheme. For basic authentication needs the above systems are adequate, but measured against modern cryptographic standards these protocols are very weak. Even so, Digest Authentication, which is comparatively better than Basic Authentication, is widely accepted for implementation in web authentication. Currently IT specialists have developed multiple encryption methods that cannot easily be broken.
Franks, et al. (1999). Access authentication framework. HTTP Authentication, 4. Web.
Franks, et al. (1999). Basic authentication scheme. HTTP Authentication, 6. Web.
Franks, et al. (1999). Representation of digest value: Digest access authentication scheme. HTTP Authentication, 7. Web.