Re: 'Basic' Authentication...
Peter J Churchyard (pjc@trusted.com)
Fri, 26 Jan 1996 20:00:00 -0500 (EST)
Along the lines of
-----------------------------------------------------------------------------
12.1 Authentication of Clients
As mentioned in Section 11, WWW-Authenticate provides a challenge-
response mechanism. Section 11.1 describes the Basic authentication
scheme which allows the client to present the realm data to the
user and for the user to enter a response.
The Basic authentication scheme makes no attempt to hide the user's
response but, when used in conjunction with one-time password systems,
can still lead to a high level of trust for this one request.
Basic authentication when used with re-usable passwords is NOT a
secure method of user authentication.
Basic authentication does not prevent the Entity-Body from being
transmitted in clear text across the physical network used as the
carrier.
HTTP/1.0 does not prevent additional authentication schemes and
encryption mechanisms from being employed to increase security.
-----------------------------------------------------------------------------
I don't believe that we need to explain what one-time passwords are or the
details of implementing them. Some one-time systems need prior knowledge
(S/Key, Digital Pathways SNK); others do not (SecurID and other time-based
systems).
Can WWW-Authenticate headers be sent only in a 401 response, or could they be
added to all responses? That would be useful when using smartcards and other
automatic/non-manual systems.
Pete.
--
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
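The Basic exchange the proposed text above describes (a 401 challenge carrying a realm, a client reply of base64-encoded "user:password"), together with the contrast it draws between a reusable password and a one-time password, as an added Python example that is not part of the original message. The realm, user names, passwords and the HMAC-based counter one-time password (the RFC 4226 HOTP construction, used here only as a stand-in for an S/Key-type system) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the challenge a server sends in its 401 response.
CHALLENGE = 'Basic realm="TIS Demo"'


def parse_challenge(header):
    """Split a WWW-Authenticate header into (scheme, realm) so a client can prompt the user."""
    scheme, _, params = header.partition(" ")
    realm = None
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "realm":
            realm = value.strip().strip('"')
    return scheme, realm


def make_authorization(user, password):
    """The client's reply: 'Basic' plus base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(auth_header):
    """What anyone who sees the header can do: base64 is an encoding, not a cipher."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


class ReusablePasswordServer:
    """Verifies a fixed password: the same header is valid every time it is replayed."""

    def __init__(self, users):
        self.users = users  # user -> password (constructed sample data)

    def authenticate(self, auth_header):
        user, password = recover_credentials(auth_header)
        return hmac.compare_digest(password, self.users.get(user, ""))


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 counter-based one-time password (RFC 4226), assumed here as the OTP scheme."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OneTimePasswordServer:
    """Verifies an OTP sent as the Basic 'password' and consumes it, so a replayed header fails."""

    def __init__(self, secrets, window=5):
        self.secrets = secrets              # user -> shared HOTP secret (constructed)
        self.counters = {u: 0 for u in secrets}
        self.window = window                # tolerate a few skipped codes

    def authenticate(self, auth_header):
        user, code = recover_credentials(auth_header)
        if user not in self.secrets:
            return False
        start = self.counters[user]
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secrets[user], counter), code):
                self.counters[user] = counter + 1  # consume this code and everything before it
                return True
        return False
```

recover_credentials is the whole of the point about reusable passwords: a proxy or sniffer that sees the Authorization header has the password and can present it again indefinitely. With the one-time server the header still travels in clear, but the value it carries is consumed on first use, which is the "trust for this one request" the proposed text describes.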