几种认证技术总结
典型技术:基本认证、摘要认证、消息认证码、JWT、单点登录(CAS 流程、OpenID)
基本认证(Basic Access Authentication)
https://en.wikipedia.org/wiki/Basic_access_authentication
在 HTTP 用户代理(如:网页浏览器)请求时,提供用户名和密码的一种方式。
HTTP 请求头会包含
Authorization
字段,形式如下:Authorization: Basic <凭证>
,该凭证是Base64("username:password")
。最初,基本认证是定义在 HTTP 1.0 规范(RFC 1945)中,后续的有关安全的信息可以在 HTTP 1.1 规范(RFC 2616)和 HTTP 认证规范(RFC 2617)中找到。于 1999 年 RFC 2617 过期,于 2015 年的 RFC 7617 重新被定义。
摘要认证(Digest Access Authentication)
https://en.wikipedia.org/wiki/Digest_access_authentication
摘要认证是一种比基本认证更安全的认证方式:
It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.
Technically, digest access authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. It uses the HTTP protocol.
摘要认证最初由 RFC 2069 中被定义。RFC 2069 大致定义了一个传统的由服务器生成随机数(nonce)来维护安全性的摘要认证架构。
RFC 2069 随后被 RFC 2617 取代。RFC 2617 引入了一系列安全增强的选项。
消息认证码(Message Authentication Code)
https://en.wikipedia.org/wiki/Message_authentication_code
In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects a message’s data integrity, as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.
HMAC
What is an HMAC?
A hash-based message authentication code (HMAC, 散列消息认证码) is a type of message authentication code involving:
- a cryptographic hash function
- a secret cryptographic key
If any change is made to the data being sent, the resulting HMAC will be completely different from the original. Additionally, since the key is known only to the sender and the receiver, no valid HMAC can be regenerated by anyone else.
HMAC 也是一种摘要认证方式,但相比上述两种认证方式仅保证用户的真实性(Authenticity),HMAC 还能同时保证传输数据的:
- 完整性(Integrity)
- 真实性(Authenticity)
- 不可抵赖性(Non-repudiation)
HMAC 使用场景 —— HTTP 请求参数校验
All you need to do is take the HTTP request body and apply the SHA-256 hash function to it, using the secret key as the hash key. You then compare the resulting HMAC to the one contained in the Signature header:
- If the HMACs are identical, then the data corresponds to what sender sent.
- If they are different, this indicates that the data has been intercepted and altered in some way.
Java 使用例子:https://www.baeldung.com/java-hmac