Digest摘要认证
对于Basic认证方案来说,被传输的认证凭证仅仅采用Base64编码,所以包含密码的认证凭证基本上可以视为明文传输。Digest认证在此基础上进行了改善,在一定程度上提高了安全系数。
在了解Digest认证的工作原理之前,我们看看通过浏览器调用一个Digest认证的Web API会涉及怎样的消息交换
采用浏览器作为Web API调用的客户端,与Basic认证方式一样,浏览器会针对Web API 的第一次调用 会自动弹出登陆对话框
正确输入账号密码(Web API 配置文件中定义)后,输出结果会呈现在浏览器中。利用Fiddler我们会发现整个调用涉及两次消息交换
GET http://localhost:4003/api/values HTTP/1.1 Host: localhost:4003 Connection: keep-alive Cache-Control: max-age=0 Authorization: Digest username="", realm="UZ.COM", nonce="1b4d156b1af16f4ea72a040396d27f86", uri="/api/values", response="07e5a5012586dbffbad8040a923fb11a", qop=auth, nc=00000001, cnonce="4aee7270082bcd10" Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36 Accept-Encoding: gzip, deflate, sdch Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 HTTP/1.1 401 Unauthorized Cache-Control: no-cache Pragma: no-cache Content-Type: application/xml; charset=utf-8 Expires: -1 Server: Microsoft-IIS/8.0 WWW-Authenticate: Digest realm="UZ.COM",nonce="4c4c15480802fe3bccb45605f1f4126d",qop="auth" X-AspNet-Version: 4.0.30319 X-SourceFiles: =?UTF-8?B?RTpcVGVzdFxEaWdlc3REZW1vXERpZ2VzdERlbW9cYXBpXHZhbHVlcw==?= X-Powered-By: ASP.NET Date: Fri, 12 Jun 2015 08:16:02 GMT Content-Length: 81 <Error><Message>Authorization has been denied for this request.</Message></Error>
GET http://localhost:4003/api/values HTTP/1.1 Host: localhost:4003 Connection: keep-alive Cache-Control: max-age=0 Authorization: Digest username="loding", realm="UZ.COM", nonce="4c4c15480802fe3bccb45605f1f4126d", uri="/api/values", response="9495b8ef2b5b1d6dd3001753293cca57", qop=auth, nc=00000001, cnonce="2dfe2e5c0b8a4000" Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36 Accept-Encoding: gzip, deflate, sdch Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/xml; charset=utf-8 Expires: -1 Server: Microsoft-IIS/8.0 X-AspNet-Version: 4.0.30319 X-SourceFiles: =?UTF-8?B?RTpcVGVzdFxEaWdlc3REZW1vXERpZ2VzdERlbW9cYXBpXHZhbHVlcw==?= X-Powered-By: ASP.NET Date: Fri, 12 Jun 2015 08:17:21 GMT Content-Length: 195 <ArrayOfstring xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><string>value1</string><string>value2</string></ArrayOfstring>
验证流程:
1,客户端以匿名的方式发送一个请求
2,服务器返回状态为"401 Unauthorized",这个响应含有"WWW-Authenticate"报头
- Digest:表示当前的认证方式。
- realm:领域
- nonce:服务器生成的具有唯一性的字符串
- qop(Quanlity of Protection):IIS采用qop通知客户端采用的消息保护等级。可选的qop包括"auth"和"auth-int"。
前者表示仅限于基本的认证,后者则表示除了对客户端实施认证外,还需要确保传输内容的一致性。
3,客户端接收到返回的401状态后,会自动弹出一个登陆对话框
4,得到用户输入的用户名和密码,浏览器根据密码和服务端生成的nonce采用一种算法生成一个Digest,这个Digest会作为认证凭证放 到"Authorization"报头response中,随后向服务器发送请求
其他信息:
- username:代表客户端用户名
- nonce:就是服务器生成返回的那个nonce
- cnonce:这是客户端自行生成的nonce,它可以对请求内容进行签名以确保内容没有被篡改,同时也可以帮助客户端对服务器实施认证
- nc(nonce count):表示客户端针对同一个nonce发送请求的数量,随着请求的发送而不断递增。
IIS可以通过nc代表的数字来防止“重发攻击”。
5,服务器接收到请求后进行nc合法性验证等,然后确定客户端提供密码的正确性,完成对客户端的认证
Digest认证实现(源码下载)
https://coding.net/u/Allen_/p/ASP.NET-Web-API-2---Digest/git
验证实现的核心方法:
public class AuthenticationHandler : DelegatingHandler
{
protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
try
{
HttpRequestHeaders headers = request.Headers;
if (headers.Authorization != null)
{
Header header = new Header(request.Headers.Authorization.Parameter, request.Method.Method);
if (Nonce.IsValid(header.Nonce, header.NounceCounter))
{
string uzkey = ConfigurationManager.AppSettings["UZKey"];
string uzsecret = ConfigurationManager.AppSettings["UZSecret"];
string ha1 = HashHelper.GetMD5(String.Format("{0}:{1}:{2}", uzkey, header.Realm, uzsecret));
string ha2 = HashHelper.GetMD5(String.Format("{0}:{1}", header.Method, header.Uri));
string computedResponse = HashHelper.GetMD5(String.Format("{0}:{1}:{2}:{3}:{4}:{5}",
ha1, header.Nonce, header.NounceCounter, header.Cnonce, "auth", ha2));
if (String.CompareOrdinal(header.Response, computedResponse) == 0)
{
// digest computed matches the value sent by client in the response field.
// Looks like an authentic client! Create a principal.
var claims = new List<Claim>
{
new Claim(ClaimTypes.Name, header.UserName),
new Claim(ClaimTypes.AuthenticationMethod,AuthenticationMethods.Password)
};
ClaimsPrincipal principal = new ClaimsPrincipal(new[] { new ClaimsIdentity(claims, "Digest") });
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
HttpContext.Current.User = principal;
}
}
}
HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Digest", Header.UnauthorizedResponseHeader.ToString()));
}
return response;
}
catch (Exception)
{
var response = request.CreateResponse(HttpStatusCode.Unauthorized);
response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Digest", Header.UnauthorizedResponseHeader.ToString()));
return response;
}
}
}
使用Digest认证还需要在全局配置文件中注册并在Controller中加[Authorize]属性标签
使用WebClient调用Web API
private static string Request(string sUrl, string sMethod, string sEntity, string sContentType,
out string sMessage)
{
try
{
sMessage = "";
using (System.Net.WebClient client = new System.Net.WebClient())
{
client.Credentials = CreateAuthenticateValue(sUrl);
Uri url = new Uri(sUrl);
byte[] bytes = Encoding.UTF8.GetBytes(sEntity);
byte[] buffer;
switch (sMethod.ToUpper())
{
case "GET":
buffer = client.DownloadData(url);
break;
case "POST":
buffer = client.UploadData(url, "POST", bytes);
break;
default:
buffer = client.UploadData(url, "POST", bytes);
break;
}
return Encoding.UTF8.GetString(buffer);
}
}
catch (WebException ex)
{
sMessage = ex.Message;
var rsp = ex.Response as HttpWebResponse;
var httpStatusCode = rsp.StatusCode;
var authenticate = rsp.Headers.Get("WWW-Authenticate");
return "";
}
catch (Exception ex)
{
sMessage = ex.Message;
return "";
}
}
private static CredentialCache CreateAuthenticateValue(string sUrl)
{
CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(new Uri(sUrl), "Digest", new NetworkCredential("用户名", "密码"));
return credentialCache;
}