Friday, January 23, 2004

Authentication

HTTP authentication is needed to secure web resources: directories, files and services such as CGI programs, servlets and web services. The following authentication types are the most common and are supported by a wide variety of servers and clients.

  • Anonymous
    No challenge is issued; the HTTP resource is served to any client.
  • Basic
    Sends the password in the HTTP header unencrypted. Supported by most servers, clients and browsers.
  • Digest
    Similar to Basic, but the password is not sent in the clear, so it is more secure. Supported by Apache with a module and by IIS natively.
  • Forms
    A session id tied to the authenticated identity is kept in a cookie and passed in the HTTP header. Cookies are specific to the browser instance. IIS also provides a framework for implementing this.
  • Passport
    Microsoft's centralized single sign-on solution. Native support in IIS/Windows 2003; browser support is not limited to IE.
  • Kerberos
    A network authentication protocol, with a free implementation available from MIT and commercial ones from many vendors, including Microsoft IIS. While the MS implementation in Windows 2000 does use Windows user accounts, it is not specific to IE.
  • NTLM
    Windows Integrated authentication similar to Kerberos, used by prior versions of Windows.
  • Certificates (X.509)
    The client maintains a digital certificate. "Digital certificates are, in essence, electronic ID cards that are issued by trusted parties and enable a user to verify both the sender and the recipient of the certificate through the use of public-key cryptography." Both IBM's Tivoli and IIS support certificates. Not all clients and browsers support certificates, because a certificate must be installed on the client.

What this means to the enterprise

Since proprietary SSO products are typically based exclusively on Forms-style authentication, the authentication itself is strongly encrypted, but we are limited to the clients that support it. Also, the session is limited to a single client session, which means that if you start up another session you will be forced to log in again. I believe that we should continue to support Basic authentication in 8.1, and moving forward we should support the emerging standards, such as X.509 and Kerberos.

References

  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/netdevanchor.asp
  • http://as400bks.rochester.ibm.com/tividd/td/TWS/SC32-1265-00/en_US/HTML/Eqqc1mst72.htm
  • http://web.mit.edu/kerberos/www/
  • http://support.microsoft.com/?id=264921