HTTP's Basic Authentication: A Story

File: stories/basic-authentication.pdf

Work alone or with a partner of your choosing.

Goals

Improve your Wireshark skills
Study the details of a non-trivial HTTP session over TCP
Connect your observations to the HTTP specification
Learn about HTTP Basic Authentication, and see its weaknesses in action.
Practice thinking about client/server interactions in terms of the plot of a story: what happens when? who does what? why did they do it that way? etc.

Rubric

9 - Description of the sequence of events 3 - Explanation of the "Authorization" header 3 - Clarity of exposition

Background

Several times this term, we will focus our attention on the idea of authentication. To make sure you're starting with the right idea, take a quick look at these pretty good descriptions of the related-but-very-different concepts of authentication authorizatio. Roughly and very briefly: authentication is the process of ensuring that the user of a system is who they say they are; authorization is the process of determining which resources and services a given authenticated user is allowed to use.

If you have a website, you can password-protect any resource on your site via HTTP's Basic Access Authentication model. If your site's web server is nginx, for example, you can protect a subdirectory by following these instructions.

For this assignment, you will be investigating the details and limitations of Basic Access Authentication. We'll be focusing here entirely on authentication by using a trivial authorization plan: the user will be authorized to see the contents of a particular web directory if and only if the user gets successfully authenticated.

Your job

I have set up HTTP Basic Authentication protection on http://cs338.jeffondich.com/basicauth/. Just between you and me, the user name is "cs338" and the password is the exceptionally secure "password".

Your job for this assignment is to use Wireshark to tell the story of what happens when you access my secrets folder via a web browser. You should provide as much detail as you can figure out about the interactions between the browser and cs338.jeffondich.com's nginx server. What queries are sent from the browser, and what responses does it receive? After the password is typed by the user, what sequence of queries and responses do you see? Is the password sent by the browser to the server, or does the browser somehow do the password checking itself? If the former, is the password sent in clear text or is it encrypted or something else? If it's encrypted, where did the encryption key come from? How does what you observe via Wireshark connect to the relevant sections of the HTTP and HTTP Basic Authentication specification documents? etc.

I'm not going to give you an exhaustive list of questions to address (though the ones in the previous paragraph are a pretty good start). I want you to do everything you can to understand what's going on in this browser/server interaction, and tell me the story of the interaction and your understanding of its mechanisms. You can get a lot of that understanding by doing research online, of course, and that's a good idea. But you should supplement that research by doing direct observations with a browser and Wireshark.

Hand in a PDF file telling your story. Include links and references as appropriate, and also screenshots and/or text from Wireshark to illustrate your observations. Consider the audience for this story-telling to be other CS majors who have not yet studied nginx's password protection. Depending on your expository style and the extent to which you include screenshots or text captures, I imagine your PDF will be between 3 and 10 pages.

Use your head. Be creative. Make this system cough up its secrets, and then tell me all about it.

Have fun!