
IT’s Portfolio


Development Study

[Web] HTTP Authentication - Basic Authentication and Digest Authentication

f1r3_r41n 2022. 11. 16. 00:14

🖥 HTTP authentication

๐Ÿฌ HTTP ์ธ์ฆ

  • ์ธ์ฆ: ์‚ฌ์šฉ์ž๊ฐ€ ๋ˆ„๊ตฌ์ธ์ง€ ์ฆ๋ช…ํ•˜๋Š” ์ž‘์—…
  • HTTP๋Š” ์ž์ฒด ์ธ์ฆ ์š”๊ตฌ/์‘๋‹ต ๊ธฐ๋Šฅ ์ œ๊ณต
    • 1๏ธโƒฃ (Client -> Server) Resource request
    • 2๏ธโƒฃ (Server -> Client) Authentication request
    • 3๏ธโƒฃ (Client -> User) Notify the user that they need authentication
    • 4๏ธโƒฃ (Client -> Server) Resource request with authentication info for the user
  • HTTP์—๋Š” ๊ธฐ๋ณธ ์ธ์ฆ๊ณผ ๋‹ค์ด์ œ์ŠคํŠธ ์ธ์ฆ ๋‘ ๊ฐ€์ง€์˜ ๊ณต์‹์ ์ธ ์ธ์ฆ ํ”„๋กœํ† ์ฝœ ์กด์žฌ

👿 Basic Authentication

  • Basic authentication is carried out through control headers that can be tailored as needed

    Step | Header | Description | Method/Status
    Request | (none) | The client's initial request. No authentication information and no authentication header | GET
    Challenge | WWW-Authenticate | If the server requires authentication, it uses this header to instruct the client to supply a username and password, and rejects the request with a 401 status | 401 Unauthorized
    Authorization | Authorization | When resending the request, the client includes an Authorization header stating the authentication scheme, the username and the password | GET
    Success | Authentication-Info | If the received credentials are correct, the server responds with the resource. The optional Authentication-Info header may carry extra information about the authentication session, depending on the scheme in use | 200 OK
  • Basic authentication is convenient and flexible, but it is not secure

    • Reason: the username and password are sent in cleartext, and there is little to stop this information from being captured or forged. They are Base-64 encoded, but that is trivially decoded

😈 Digest Authentication

  • Compatible with Basic authentication, but a safer authentication method

  • Improvements

    1. The password is never transmitted in cleartext over the network
    2. Blocks sniffing and snooping attackers during the authentication process
    3. Protection against integrity violations (message tampering) can be implemented

Focus of Digest Access Authentication

"Never send the password over the network."

  • Instead of sending the password itself, send an irreversibly scrambled digest of it
  • Since the server knows the password, it can verify from the digest alone whether it corresponds to the password
  • An attacker cannot learn the password except by trying every possible password one by one, so security improves

What is digest?

  • A condensation of information or of a message body
  • A digest acts as a one-way function: every input is condensed into a value from a finite range
  • Commonly used, popular digest function: MD5
    • Converts the input byte array into 128 bits, regardless of its original length

Digest request์˜ ์•ˆ์ „์„ฑ

  • ๊ณต๊ฒฉ์ž๊ฐ€ ์ค‘๊ฐ„์— ์š”์•ฝ์„ ๊ฐ€๋กœ์ฑ„๊ณ  ํ•ด๋‹น ์š”์•ฝ์„ ์„œ๋ฒ„๋กœ ์ „์†กํ•˜์—ฌ ๋ฐ˜๋ณตํ•˜๋ฉด ์ ‘์†ํ•  ์ˆ˜ ์žˆ์Œ => ์žฌ์ „์†ก ๊ณต๊ฒฉ
  • ํ•ด๋‹น ๊ณต๊ฒฉ์„ ๋ง‰๊ธฐ ์œ„ํ•ด ์„œ๋ฒ„๋Š” ํด๋ผ์ด์–ธํŠธ์—๊ฒŒ nonce ๋ผ๋Š” ํ† ํฐ์„ ๋ณด๋ƒ„
    • nonce๋Š” ๋Œ€๋žต 1ms ํ˜น์€ ์ธ์ฆํ•  ๋•Œ๋งˆ๋‹ค ๋ฐ”๋€œ
    • nonce๋ฅผ PW์— ์„ž์œผ๋ฉด nonce๊ฐ€ ๋ฐ”๋€” ๋•Œ๋งˆ๋‹ค ์š”์•ฝ๋„ ๋ฐ”๋€œ
      • ์ €์žฅ๋œ ๋น„๋ฐ€๋ฒˆํ˜ธ ์š”์•ฝ์ด ํŠน์ • nonce ๊ฐ’์— ๋Œ€ํ•ด์„œ๋งŒ ์œ ํšจ
  • 1๏ธโƒฃ (Client -> Server) Resource request
  • 2๏ธโƒฃ (Server) Generating nonce
  • 3๏ธโƒฃ (Server -> Client) WWW-Authenticate: including realm, nonce, algorithm
    • What is realm?
      • ์š”์ฒญ ๋ฐ›์€ ๋ฆฌ์†Œ์Šค ์ง‘ํ•ฉ์˜ ์ด๋ฆ„์„ ๋”ฐ์˜ดํ‘œ๋กœ ๊ฐ์‹ผ ๊ฒƒ
      • ๋ณด์•ˆ ์˜์—ญ
  • 4๏ธโƒฃ (Client -> Server) Authorization: sending digest
  • 5๏ธโƒฃ (Server) Verifying digest: generating rspauth digest & next nonce
    • What is rspauth?
      • response auth
  • 6๏ธโƒฃ (Server -> Client) Authentication-Info: resource & packaging rspauth digest, next nonce

Source of knowledge

  1. https://straw961030.tistory.com/111
  2. https://straw961030.tistory.com/118