CS 231: Computer Security

HTTP's Basic Authentication: A Story

Folder: stories

File: stories/basic-authentication.pdf

You will work with an assigned partner on this assignment. I'll make these assignments after you fill out a partner preference survey.

Goals

If you have a website, you can password-protect any resource on your site via HTTP's "basic access authentication" model. If your site's web server is nginx, for example, you can protect a subdirectory by following these instructions.

I have set up HTTP Basic Authentication protection on http://cs231.jeffondich.com/basicauth/. Just between you and me, the user name is "cs231" and the password is the exceptionally secure "password".

Your job for this assignment is to use Wireshark to tell the story of what happens when you access my secrets folder via a web browser. You should provide as much detail as you can figure out about the interactions between the browser and cs.carleton.edu's Apache server. What queries are sent from the browser, and what responses does it receive? After the password is typed by the user, what sequence of queries and responses do you see? Is the password sent by the browser to the server, or does the browser somehow do the password checking itself? If the former, is the password sent in clear text or is it encrypted? If it's encrypted, where did the encryption key come from? How does what you observe via Wireshark connect to the relevant sections of the HTTP and HTTP Basic Authentication specification documents? And so on.
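To make the request/response pattern you are looking for in Wireshark concrete, here is an added Python example (not code from the course site or from any web server) that models both ends of an HTTP Basic Authentication exchange as specified in RFC 7617: the server's 401 challenge, the credential header the browser builds, and the server-side parsing and check. The realm string and the SHA-256 credential store are constructed for this example; a real nginx or Apache deployment reads an htpasswd file instead.

```python
import base64
import binascii
import hmac
from hashlib import sha256

# Constructed realm for this example; the course site's actual realm is whatever
# you see in its WWW-Authenticate header.
REALM = "cs231 secrets"

# Constructed credential store: user name -> SHA-256 of the password.
# Real servers keep an htpasswd file (bcrypt, MD5-crypt, ...); a plain hash is
# used only to keep this example self-contained.
USERS = {"cs231": sha256(b"password").hexdigest()}


def challenge_response():
    """Server's reply to a request for a protected resource that carries no
    credentials: a 401 status plus a WWW-Authenticate challenge naming the realm."""
    return (
        "HTTP/1.1 401 Unauthorized\r\n"
        f'WWW-Authenticate: Basic realm="{REALM}"\r\n'
        "\r\n"
    )


def build_authorization(user, password):
    """What the browser sends on the retry after the user types the password:
    'Basic' followed by base64("user:password"). No key is involved."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_authorization(header_value):
    """Parse an Authorization header value back into (user, password).
    Anyone who can read the header can do this, because base64 is an
    encoding, not encryption; the only protection is the transport (HTTPS)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def authorize(header_value):
    """Server-side check: True only if the user exists and the password hash
    matches. hmac.compare_digest keeps the comparison constant-time."""
    try:
        user, password = decode_authorization(header_value)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return False
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256(password.encode("utf-8")).hexdigest())


if __name__ == "__main__":
    print(challenge_response())
    header = build_authorization("cs231", "password")
    print("Authorization:", header)
    print("decoded on the wire:", decode_authorization(header))
    print("server accepts:", authorize(header))
```

When you capture the real exchange, the first request for the protected URL should get a 401 with a WWW-Authenticate header like the one `challenge_response` produces, and the browser's retry should carry an Authorization header like the one `build_authorization` produces; pasting that header's token into `decode_authorization` shows exactly what an observer on the network sees when the site is served over plain HTTP.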

I'm not going to give you an exhaustive list of questions to address (though the ones in the previous paragraph are a pretty good start). I want you to do everything you can to understand what's going on in this browser/server interaction, and tell me the story of the interaction and your understanding of its mechanisms. You can get a lot of that understanding by doing research online, of course, and that's a good idea. But you should supplement that research by doing direct observations with a browser and Wireshark.

Hand in a PDF file telling your story. Include links and references as appropriate, and also screenshots and/or text from Wireshark to illustrate your observations. Consider the audience for this story-telling to be other CS majors who have not yet studied Apache's password protection. Depending on your expository style and the extent to which you include screenshots or text captures, I imagine your PDF will be between 3 and 10 pages.

Use your head. Be creative. Make this system cough up its secrets, and then tell me all about it.

Have fun!