Internet Engineering Task Force (IETF) J. Reschke Request for Comments: 7617 greenbytes Obsoletes: 2617 September 2015 Category: Standards Track ISSN: 2070-1721
Internet Engineering Task Force (IETF) J. Reschke Request for Comments: 7617 greenbytes Obsoletes: 2617 September 2015 Category: Standards Track ISSN: 2070-1721
The 'Basic' HTTP Authentication Scheme
“基本”HTTP身份验证方案
Abstract
摘要
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) authentication scheme, which transmits credentials as user-id/ password pairs, encoded using Base64.
本文档定义了“基本”超文本传输协议(HTTP)身份验证方案,该方案以用户id/密码对的形式传输凭据,并使用Base64编码。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7617.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7617.
Copyright Notice
版权公告
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2015 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology and Notation . . . . . . . . . . . . . . . . 3 2. The 'Basic' Authentication Scheme . . . . . . . . . . . . . . 3 2.1. The 'charset' auth-param . . . . . . . . . . . . . . . . 5 2.2. Reusing Credentials . . . . . . . . . . . . . . . . . . . 7 3. Internationalization Considerations . . . . . . . . . . . . . 8 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 6.2. Informative References . . . . . . . . . . . . . . . . . 11 Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . 13 Appendix B. Deployment Considerations for the 'charset' Parameter . . . . . . . . . . . . . . . . . . . . . 13 B.1. User Agents . . . . . . . . . . . . . . . . . . . . . . . 13 B.2. Servers . . . . . . . . . . . . . . . . . . . . . . . . . 13 B.3. Why not simply switch the default encoding to UTF-8? . . 14 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology and Notation . . . . . . . . . . . . . . . . 3 2. The 'Basic' Authentication Scheme . . . . . . . . . . . . . . 3 2.1. The 'charset' auth-param . . . . . . . . . . . . . . . . 5 2.2. Reusing Credentials . . . . . . . . . . . . . . . . . . . 7 3. Internationalization Considerations . . . . . . . . . . . . . 8 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 6.2. Informative References . . . . . . . . . . . . . . . . . 11 Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . 13 Appendix B. Deployment Considerations for the 'charset' Parameter . . . . . . . . . . . . . . . . . . . . . 13 B.1. User Agents . . . . . . . . . . . . . . . . . . . . . . . 13 B.2. Servers . . . . . . . . . . . . . . . . . . . . . . . . . 13 B.3. Why not simply switch the default encoding to UTF-8? . . 14 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) authentication scheme, which transmits credentials as user-id/ password pairs, encoded using Base64 (HTTP authentication schemes are defined in [RFC7235]).
本文档定义了“基本”超文本传输协议(HTTP)身份验证方案,该方案以用户id/密码对的形式传输凭证,使用Base64编码(HTTP身份验证方案在[RFC7235]中定义)。
This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external secure system such as TLS (Transport Layer Security, [RFC5246]), as the user-id and password are passed over the network as cleartext.
除非与某些外部安全系统(如TLS(传输层安全[RFC5246])结合使用,否则该方案不被视为用户身份验证的安全方法,因为用户id和密码以明文形式通过网络传递。
The "Basic" scheme previously was defined in Section 2 of [RFC2617]. This document updates the definition, and also addresses internationalization issues by introducing the 'charset' authentication parameter (Section 2.1).
[RFC2617]第2节对“基本”方案进行了定义。本文档更新了定义,并通过引入“charset”身份验证参数(第2.1节)解决了国际化问题。
Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication" ([RFC7235], defining the authentication framework), "HTTP Digest Access Authentication" ([RFC7616], updating the definition of the "Digest" authentication scheme), and "HTTP Authentication-Info and Proxy-Authentication-Info Response Header Fields" ([RFC7615]). Taken together, these four documents obsolete RFC 2617.
更新RFC 2617的其他文档包括“超文本传输协议(HTTP/1.1):身份验证”([RFC7235],定义身份验证框架)、“HTTP摘要访问身份验证”([RFC7616],更新“摘要”身份验证方案的定义)和“HTTP身份验证信息和代理身份验证信息响应头字段”([RFC7615])。综上所述,这四份文件已过时RFC 2617。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The terms "protection space" and "realm" are defined in Section 2.2 of [RFC7235].
[RFC7235]第2.2节定义了术语“保护空间”和“领域”。
The terms "(character) repertoire" and "character encoding scheme" are defined in Section 2 of [RFC6365].
术语“(字符)指令集”和“字符编码方案”在[RFC6365]第2节中定义。
The Basic authentication scheme is based on the model that the client needs to authenticate itself with a user-id and a password for each protection space ("realm"). The realm value is a free-form string that can only be compared for equality with other realms on that server. The server will service the request only if it can validate the user-id and password for the protection space applying to the requested resource.
基本身份验证方案基于这样一种模型,即客户端需要使用每个保护空间(“领域”)的用户id和密码对自己进行身份验证。领域值是一个自由格式的字符串,只能与该服务器上的其他领域进行平等性比较。只有当服务器能够验证应用于请求资源的保护空间的用户id和密码时,服务器才会为请求提供服务。
The Basic authentication scheme utilizes the Authentication Framework as follows.
基本身份验证方案使用以下身份验证框架。
In challenges:
在挑战中:
o The scheme name is "Basic".
o 方案名称为“基本”。
o The authentication parameter 'realm' is REQUIRED ([RFC7235], Section 2.2).
o 身份验证参数'realm'是必需的([RFC7235],第2.2节)。
o The authentication parameter 'charset' is OPTIONAL (see Section 2.1).
o 身份验证参数“charset”是可选的(参见第2.1节)。
o No other authentication parameters are defined -- unknown parameters MUST be ignored by recipients, and new parameters can only be defined by revising this specification.
o 未定义其他身份验证参数——收件人必须忽略未知参数,并且只能通过修改此规范来定义新参数。
See also Section 4.1 of [RFC7235], which discusses the complexity of parsing challenges properly.
另请参见[RFC7235]的第4.1节,其中讨论了解析挑战的复杂性。
Note that both scheme and parameter names are matched case-insensitively.
请注意,方案和参数名称都是不区分大小写的匹配。
For credentials, the "token68" syntax defined in Section 2.1 of [RFC7235] is used. The value is computed based on user-id and password as defined below.
对于凭证,使用[RFC7235]第2.1节中定义的“token68”语法。该值是根据以下定义的用户id和密码计算的。
Upon receipt of a request for a URI within the protection space that lacks credentials, the server can reply with a challenge using the 401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW-Authenticate header field ([RFC7235], Section 4.1).
在收到保护空间内缺少凭据的URI请求后,服务器可以使用401(未经授权)状态代码([RFC7235],第3.1节)和WWW Authenticate标头字段([RFC7235],第4.1节)进行质询。
For instance:
例如:
HTTP/1.1 401 Unauthorized Date: Mon, 04 Feb 2014 16:50:53 GMT WWW-Authenticate: Basic realm="WallyWorld"
HTTP/1.1 401 Unauthorized Date: Mon, 04 Feb 2014 16:50:53 GMT WWW-Authenticate: Basic realm="WallyWorld"
where "WallyWorld" is the string assigned by the server to identify the protection space.
其中,“WallyWorld”是服务器分配的用于标识保护空间的字符串。
A proxy can respond with a similar challenge using the 407 (Proxy Authentication Required) status code ([RFC7235], Section 3.2) and the Proxy-Authenticate header field ([RFC7235], Section 4.3).
代理可以使用407(需要代理身份验证)状态代码([RFC7235],第3.2节)和代理身份验证标头字段([RFC7235],第4.3节)响应类似的质询。
To receive authorization, the client
要接收授权,客户端
1. obtains the user-id and password from the user,
1. 从用户处获取用户id和密码,
2. constructs the user-pass by concatenating the user-id, a single colon (":") character, and the password,
2. 通过连接用户id、单个冒号(“:”)字符和密码来构造用户过程,
3. encodes the user-pass into an octet sequence (see below for a discussion of character encoding schemes),
3. 将用户密码编码为八位字节序列(有关字符编码方案的讨论,请参见下文),
4. and obtains the basic-credentials by encoding this octet sequence using Base64 ([RFC4648], Section 4) into a sequence of US-ASCII characters ([RFC0020]).
4. 并通过使用Base64([RFC4648],第4节)将此八位字节序列编码为US-ASCII字符序列([RFC0020])来获取基本凭证。
The original definition of this authentication scheme failed to specify the character encoding scheme used to convert the user-pass into an octet sequence. In practice, most implementations chose either a locale-specific encoding such as ISO-8859-1 ([ISO-8859-1]), or UTF-8 ([RFC3629]). For backwards compatibility reasons, this specification continues to leave the default encoding undefined, as long as it is compatible with US-ASCII (mapping any US-ASCII character to a single octet matching the US-ASCII character code).
此身份验证方案的原始定义未能指定用于将用户过程转换为八位字节序列的字符编码方案。实际上,大多数实现要么选择特定于语言环境的编码,如ISO-8859-1([ISO-8859-1]),要么选择UTF-8([RFC3629])。出于向后兼容的原因,本规范继续保留未定义的默认编码,只要它与US-ASCII兼容(将任何US-ASCII字符映射到与US-ASCII字符代码匹配的单个八位字节)。
The user-id and password MUST NOT contain any control characters (see "CTL" in Appendix B.1 of [RFC5234]).
用户id和密码不得包含任何控制字符(参见[RFC5234]附录B.1中的“CTL”)。
Furthermore, a user-id containing a colon character is invalid, as the first colon in a user-pass string separates user-id and password from one another; text after the first colon is part of the password. User-ids containing colons cannot be encoded in user-pass strings.
此外,包含冒号字符的用户id无效,因为用户传递字符串中的第一个冒号将用户id和密码彼此分离;第一个冒号后的文本是密码的一部分。包含冒号的用户ID不能在用户传递字符串中编码。
Note that many user agents produce user-pass strings without checking that user-ids supplied by users do not contain colons; recipients will then treat part of the username input as part of the password.
请注意,许多用户代理在不检查用户提供的用户ID是否不包含冒号的情况下生成用户传递字符串;然后,收件人将部分用户名输入视为密码的一部分。
If the user agent wishes to send the user-id "Aladdin" and password "open sesame", it would use the following header field:
如果用户代理希望发送用户id“Aladdin”和密码“open sesame”,则将使用以下标题字段:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
In challenges, servers can use the 'charset' authentication parameter to indicate the character encoding scheme they expect the user agent to use when generating "user-pass" (a sequence of octets). This information is purely advisory.
在挑战中,服务器可以使用“charset”身份验证参数来指示它们希望用户代理在生成“用户通行证”(八位字节序列)时使用的字符编码方案。这些信息纯粹是建议性的。
The only allowed value is "UTF-8"; it is to be matched case-insensitively (see [RFC2978], Section 2.3). It indicates that the server expects character data to be converted to Unicode Normalization Form C ("NFC"; see Section 3 of [RFC5198]) and to be encoded into octets using the UTF-8 character encoding scheme ([RFC3629]).
唯一允许的值是“UTF-8”;在不敏感的情况下进行匹配(见[RFC2978],第2.3节)。它表示服务器希望将字符数据转换为Unicode规范化格式C(“NFC”;参见[RFC5198]第3节),并使用UTF-8字符编码方案([RFC3629])将其编码为八位字节。
For the user-id, recipients MUST support all characters defined in the "UsernameCasePreserved" profile defined in Section 3.3 of [RFC7613], with the exception of the colon (":") character.
对于用户id,收件人必须支持[RFC7613]第3.3节中定义的“UsernameCasePreserved”配置文件中定义的所有字符,冒号(“:”)字符除外。
For the password, recipients MUST support all characters defined in the "OpaqueString" profile defined in Section 4.2 of [RFC7613].
对于密码,收件人必须支持[RFC7613]第4.2节中定义的“OpaqueString”配置文件中定义的所有字符。
Other values are reserved for future use.
其他值保留供将来使用。
Note: The 'charset' is only defined on challenges, as Basic authentication uses a single token for credentials ('token68' syntax); thus, the credentials syntax isn't extensible.
注意:“字符集”仅在挑战中定义,因为基本身份验证使用单个令牌作为凭据(“令牌68”语法);因此,凭据语法是不可扩展的。
Note: The name 'charset' has been chosen for consistency with Section 2.1.1 of [RFC2831]. A better name would have been 'accept-charset', as it is not about the message it appears in, but the server's expectation.
注:选择名称“字符集”是为了与[RFC2831]第2.1.1节保持一致。更好的名称应该是“accept charset”,因为它不是关于它出现在其中的消息,而是服务器的期望。
In the example below, the server prompts for authentication in the "foo" realm, using Basic authentication, with a preference for the UTF-8 character encoding scheme:
在下面的示例中,服务器使用基本身份验证提示在“foo”域中进行身份验证,并首选UTF-8字符编码方案:
WWW-Authenticate: Basic realm="foo", charset="UTF-8"
WWW-Authenticate: Basic realm="foo", charset="UTF-8"
Note that the parameter value can be either a token or a quoted string; in this case, the server chose to use the quoted-string notation.
请注意,参数值可以是标记或带引号的字符串;在本例中,服务器选择使用带引号的字符串表示法。
The user's name is "test", and the password is the string "123" followed by the Unicode character U+00A3 (POUND SIGN). Using the character encoding scheme UTF-8, the user-pass becomes:
用户名是“test”,密码是字符串“123”,后跟Unicode字符U+00A3(磅符号)。使用字符编码方案UTF-8,用户通行证变为:
't' 'e' 's' 't' ':' '1' '2' '3' pound 74 65 73 74 3A 31 32 33 C2 A3
“t”“e”“s”“t:”“1”“2”“3”磅74 65 73 74 3A 31 32 33 C2 A3
Encoding this octet sequence in Base64 ([RFC4648], Section 4) yields:
在Base64([RFC4648],第4节)中编码此八位组序列产生:
dGVzdDoxMjPCow==
dGVzdDoxMjPCow==
Thus, the Authorization header field would be:
因此,授权标头字段将是:
Authorization: Basic dGVzdDoxMjPCow==
Authorization: Basic dGVzdDoxMjPCow==
Or, for proxy authentication:
或者,对于代理身份验证:
Proxy-Authorization: Basic dGVzdDoxMjPCow==
Proxy-Authorization: Basic dGVzdDoxMjPCow==
Given the absolute URI ([RFC3986], Section 4.3) of an authenticated request, the authentication scope of that request is obtained by removing all characters after the last slash ("/") character of the path component ("hier_part"; see [RFC3986], Section 3). A client SHOULD assume that resources identified by URIs with a prefix-match of the authentication scope are also within the protection space specified by the realm value of that authenticated request.
给定经过身份验证的请求的绝对URI([RFC3986],第4.3节),该请求的身份验证范围是通过删除路径组件最后一个斜杠(“/”)字符后的所有字符来获得的(“hier_部分;请参见[RFC3986],第3节)。客户端应假定URI标识的资源(前缀与身份验证作用域匹配)也在该身份验证请求的领域值指定的保护空间内。
A client MAY preemptively send the corresponding Authorization header field with requests for resources in that space without receipt of another challenge from the server. Similarly, when a client sends a request to a proxy, it MAY reuse a user-id and password in the Proxy-Authorization header field without receiving another challenge from the proxy server.
客户端可以在不接收来自服务器的另一个质询的情况下,先发制人地发送相应的授权头字段以及对该空间中的资源的请求。类似地,当客户端向代理发送请求时,它可以重用代理授权标头字段中的用户id和密码,而无需从代理服务器接收另一个质询。
For example, given an authenticated request to:
例如,给定一个经过身份验证的请求:
http://example.com/docs/index.html
http://example.com/docs/index.html
requests to the URIs below could use the known credentials:
对以下URI的请求可以使用已知凭据:
http://example.com/docs/ http://example.com/docs/test.doc http://example.com/docs/?page=1
http://example.com/docs/ http://example.com/docs/test.doc http://example.com/docs/?page=1
while the URIs
而URI
http://example.com/other/ https://example.com/docs/
http://example.com/other/ https://example.com/docs/
would be considered to be outside the authentication scope.
将被视为不在身份验证范围内。
Note that a URI can be part of multiple authentication scopes (such as "http://example.com/" and "http://example.com/docs/"). This specification does not define which of these should be treated with higher priority.
请注意,URI可以是多个身份验证作用域的一部分(例如“http://example.com/“和”http://example.com/docs/"). 本规范未规定应以更高优先级处理其中的哪一项。
User-ids or passwords containing characters outside the US-ASCII character repertoire will cause interoperability issues, unless both communication partners agree on what character encoding scheme is to be used. Servers can use the new 'charset' parameter (Section 2.1) to indicate a preference of "UTF-8", increasing the probability that clients will switch to that encoding.
包含US-ASCII字符表以外字符的用户ID或密码将导致互操作性问题,除非通信合作伙伴双方就使用何种字符编码方案达成一致。服务器可以使用新的“字符集”参数(第2.1节)来指示“UTF-8”的首选项,从而增加客户端切换到该编码的可能性。
The 'realm' parameter carries data that can be considered textual; however, [RFC7235] does not define a way to reliably transport non-US-ASCII characters. This is a known issue that would need to be addressed in a revision to that specification.
“realm”参数包含可被视为文本的数据;但是,[RFC7235]未定义可靠传输非美国ASCII字符的方法。这是一个已知的问题,需要在该规范的修订版中解决。
The Basic authentication scheme is not a secure method of user authentication, nor does it in any way protect the entity, which is transmitted in cleartext across the physical network used as the carrier. HTTP does not prevent the addition of enhancements (such as schemes to use one-time passwords) to Basic authentication.
基本身份验证方案不是一种安全的用户身份验证方法,也不会以任何方式保护实体,该实体通过用作载体的物理网络以明文形式传输。HTTP不阻止向基本身份验证添加增强功能(例如使用一次性密码的方案)。
The most serious flaw of Basic authentication is that it results in the cleartext transmission of the user's password over the physical network. Many other authentication schemes address this problem.
基本身份验证最严重的缺陷是,它导致用户密码在物理网络上的明文传输。许多其他身份验证方案都解决了这个问题。
Because Basic authentication involves the cleartext transmission of passwords, it SHOULD NOT be used (without enhancements such as HTTPS [RFC2818]) to protect sensitive or valuable information.
由于基本身份验证涉及密码的明文传输,因此不应使用它(没有HTTPS[RFC2818]等增强功能)来保护敏感或有价值的信息。
A common use of Basic authentication is for identification purposes -- requiring the user to provide a user-id and password as a means of identification, for example, for purposes of gathering accurate usage statistics on a server. When used in this way it is tempting to think that there is no danger in its use if illicit access to the protected documents is not a major concern. This is only correct if the server issues both user-id and password to the users and, in particular, does not allow the user to choose his or her own password. The danger arises because naive users frequently reuse a single password to avoid the task of maintaining multiple passwords.
基本身份验证的一个常见用途是用于身份验证——要求用户提供用户id和密码作为身份验证的手段,例如,用于收集服务器上的准确使用统计数据。当以这种方式使用时,人们很容易认为,如果非法获取受保护的文件不是一个主要问题,那么使用它就没有危险。只有当服务器向用户发出用户id和密码,特别是不允许用户选择自己的密码时,这才是正确的。这种危险是因为天真的用户经常重复使用一个密码来避免维护多个密码的任务。
If a server permits users to select their own passwords, then the threat is not only unauthorized access to documents on the server but also unauthorized access to any other resources on other systems that the user protects with the same password. Furthermore, in the server's password database, many of the passwords may also be users' passwords for other sites. The owner or administrator of such a system could therefore expose all users of the system to the risk of
如果服务器允许用户选择自己的密码,那么威胁不仅是未经授权访问服务器上的文档,而且是未经授权访问用户使用相同密码保护的其他系统上的任何其他资源。此外,在服务器的密码数据库中,许多密码也可能是其他站点的用户密码。因此,此类系统的所有者或管理员可能会使系统的所有用户面临以下风险:
unauthorized access to all those other sites if this information is not maintained in a secure fashion. This raises both security and privacy concerns ([RFC6973]). If the same user-id and password combination is in use to access other accounts, such as an email or health portal account, personal information could be exposed.
未经授权访问所有其他网站(如果未以安全方式维护此信息)。这引起了安全和隐私问题([RFC6973])。如果使用相同的用户id和密码组合访问其他帐户,如电子邮件或健康门户帐户,则可能会暴露个人信息。
Basic authentication is also vulnerable to spoofing by counterfeit servers. If a user can be led to believe that she is connecting to a host containing information protected by Basic authentication when, in fact, she is connecting to a hostile server or gateway, then the attacker can request a password, store it for later use, and feign an error. Server implementers ought to guard against this sort of counterfeiting; in particular, software components that can take over control over the message framing on an existing connection need to be used carefully or not at all (for instance: NPH ("Non-Parsed Header") scripts as described in Section 5 of [RFC3875]).
基本身份验证也容易受到假冒服务器的欺骗。如果用户在连接到恶意服务器或网关时,能够被引导相信她正在连接到包含受基本身份验证保护的信息的主机,那么攻击者可以请求密码,将其存储以供以后使用,并假装出错。服务器实现者应该防止这种伪造行为;特别是,需要谨慎使用或完全不使用能够接管现有连接上消息帧控制的软件组件(例如,[RFC3875]第5节中所述的NPH(“非解析头”)脚本)。
Servers and proxies implementing Basic authentication need to store user passwords in some form in order to authenticate a request. These passwords ought to be stored in such a way that a leak of the password data doesn't make them trivially recoverable. This is especially important when users are allowed to set their own passwords, since users are known to choose weak passwords and to reuse them across authentication realms. While a full discussion of good password hashing techniques is beyond the scope of this document, server operators ought to make an effort to minimize risks to their users in the event of a password data leak. For example, servers ought to avoid storing user passwords in plaintext or as unsalted digests. For more discussion about modern password hashing techniques, see the "Password Hashing Competition" (<https://password-hashing.net>).
实现基本身份验证的服务器和代理需要以某种形式存储用户密码,以便对请求进行身份验证。这些密码应该以这样的方式存储:密码数据泄漏不会使它们容易恢复。当允许用户设置自己的密码时,这一点尤其重要,因为已知用户会选择弱密码,并跨身份验证领域重用它们。虽然对良好密码散列技术的全面讨论超出了本文档的范围,但服务器运营商应该努力将密码数据泄漏时给用户带来的风险降至最低。例如,服务器应该避免将用户密码存储为明文或非盐摘要。有关现代密码哈希技术的更多讨论,请参阅“密码哈希竞赛”(<https://password-hashing.net>).
The use of the UTF-8 character encoding scheme and of normalization introduces additional security considerations; see Section 10 of [RFC3629] and Section 6 of [RFC5198] for more information.
UTF-8字符编码方案和规范化的使用引入了额外的安全考虑;更多信息,请参见[RFC3629]第10节和[RFC5198]第6节。
IANA maintains the "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" ([RFC7235]) at <http://www.iana.org/assignments/ http-authschemes>.
IANA在以下位置维护“超文本传输协议(HTTP)认证方案注册表”([RFC7235])<http://www.iana.org/assignments/ http authschemes>。
The entry for the "Basic" authentication scheme has been updated to reference this specification.
“基本”身份验证方案的条目已更新,以引用此规范。
[RFC20] Cerf, V., "ASCII format for network interchange", STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969, <http://www.rfc-editor.org/info/rfc20>.
[RFC20]Cerf,V.,“网络交换的ASCII格式”,STD 80,RFC 20,DOI 10.17487/RFC0020,1969年10月<http://www.rfc-editor.org/info/rfc20>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, October 2000, <http://www.rfc-editor.org/info/rfc2978>.
[RFC2978]Freed,N.和J.Postel,“IANA字符集注册程序”,BCP 19,RFC 2978,DOI 10.17487/RFC2978,2000年10月<http://www.rfc-editor.org/info/rfc2978>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC3629]Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,DOI 10.17487/RFC3629,2003年11月<http://www.rfc-editor.org/info/rfc3629>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>.
[RFC3986]Berners Lee,T.,Fielding,R.,和L.Masinter,“统一资源标识符(URI):通用语法”,STD 66,RFC 3986,DOI 10.17487/RFC3986,2005年1月<http://www.rfc-editor.org/info/rfc3986>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, <http://www.rfc-editor.org/info/rfc4648>.
[RFC4648]Josefsson,S.,“Base16、Base32和Base64数据编码”,RFC 4648,DOI 10.17487/RFC4648,2006年10月<http://www.rfc-editor.org/info/rfc4648>.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, <http://www.rfc-editor.org/info/rfc5198>.
[RFC5198]Klensin,J.和M.Padlipsky,“网络交换的Unicode格式”,RFC 5198,DOI 10.17487/RFC5198,2008年3月<http://www.rfc-editor.org/info/rfc5198>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008, <http://www.rfc-editor.org/info/rfc5234>.
[RFC5234]Crocker,D.,Ed.和P.Overell,“语法规范的扩充BNF:ABNF”,STD 68,RFC 5234,DOI 10.17487/RFC5234,2008年1月<http://www.rfc-editor.org/info/rfc5234>.
[RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in Internationalization in the IETF", BCP 166, RFC 6365, DOI 10.17487/RFC6365, September 2011, <http://www.rfc-editor.org/info/rfc6365>.
[RFC6365]Hoffman,P.和J.Klensin,“IETF国际化中使用的术语”,BCP 166,RFC 6365,DOI 10.17487/RFC6365,2011年9月<http://www.rfc-editor.org/info/rfc6365>.
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Authentication", RFC 7235, DOI 10.17487/RFC7235, June 2014, <http://www.rfc-editor.org/info/rfc7235>.
[RFC7235]Fielding,R.,Ed.和J.Reschke,Ed.,“超文本传输协议(HTTP/1.1):认证”,RFC 7235,DOI 10.17487/RFC7235,2014年6月<http://www.rfc-editor.org/info/rfc7235>.
[RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords", RFC 7613, DOI 10.17487/RFC7613, August 2015, <http://www.rfc-editor.org/info/rfc7613>.
[RFC7613]Saint Andre,P.和A.Melnikov,“代表用户名和密码的国际化字符串的准备、实施和比较”,RFC 7613,DOI 10.17487/RFC7613,2015年8月<http://www.rfc-editor.org/info/rfc7613>.
[ISO-8859-1] International Organization for Standardization, "Information technology -- 8-bit single-byte coded graphic character sets -- Part 1: Latin alphabet No. 1", ISO/IEC 8859-1:1998, 1998.
[ISO-8859-1]国际标准化组织,“信息技术——8位单字节编码图形字符集——第1部分:拉丁字母表1”,ISO/IEC 8859-1:1998,1998。
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, DOI 10.17487/RFC2617, June 1999, <http://www.rfc-editor.org/info/rfc2617>.
[RFC2617]Franks,J.,Hallam Baker,P.,Hostetler,J.,Lawrence,S.,Leach,P.,Lootonen,A.,和L.Stewart,“HTTP认证:基本和摘要访问认证”,RFC 2617,DOI 10.17487/RFC2617,1999年6月<http://www.rfc-editor.org/info/rfc2617>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/RFC2818, May 2000, <http://www.rfc-editor.org/info/rfc2818>.
[RFC2818]Rescorla,E.,“TLS上的HTTP”,RFC 2818,DOI 10.17487/RFC2818,2000年5月<http://www.rfc-editor.org/info/rfc2818>.
[RFC2831] Leach, P. and C. Newman, "Using Digest Authentication as a SASL Mechanism", RFC 2831, DOI 10.17487/RFC2831, May 2000, <http://www.rfc-editor.org/info/rfc2831>.
[RFC2831]Leach,P.和C.Newman,“使用摘要认证作为SASL机制”,RFC 2831,DOI 10.17487/RFC2831,2000年5月<http://www.rfc-editor.org/info/rfc2831>.
[RFC3875] Robinson, D. and K. Coar, "The Common Gateway Interface (CGI) Version 1.1", RFC 3875, DOI 10.17487/RFC3875, October 2004, <http://www.rfc-editor.org/info/rfc3875>.
[RFC3875]Robinson,D.和K.Coar,“公共网关接口(CGI)1.1版”,RFC 3875,DOI 10.17487/RFC3875,2004年10月<http://www.rfc-editor.org/info/rfc3875>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.
[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,DOI 10.17487/RFC5246,2008年8月<http://www.rfc-editor.org/info/rfc5246>.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, <http://www.rfc-editor.org/info/rfc6973>.
[RFC6973]Cooper,A.,Tschofenig,H.,Aboba,B.,Peterson,J.,Morris,J.,Hansen,M.,和R.Smith,“互联网协议的隐私考虑”,RFC 6973,DOI 10.17487/RFC6973,2013年7月<http://www.rfc-editor.org/info/rfc6973>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, <http://www.rfc-editor.org/info/rfc7231>.
[RFC7231]Fielding,R.,Ed.和J.Reschke,Ed.,“超文本传输协议(HTTP/1.1):语义和内容”,RFC 7231,DOI 10.17487/RFC72312014年6月<http://www.rfc-editor.org/info/rfc7231>.
[RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy-Authentication-Info Response Header Fields", RFC 7615, DOI 10.17487/RFC7615, September 2015, <http://www.rfc-editor.org/info/rfc7615>.
[RFC7615]Reschke,J.,“HTTP身份验证信息和代理身份验证信息响应头字段”,RFC 7615,DOI 10.17487/RFC7615,2015年9月<http://www.rfc-editor.org/info/rfc7615>.
[RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP Digest Access Authentication", RFC 7616, DOI 10.17487/RFC7616, September 2015, <http://www.rfc-editor.org/info/rfc7616>.
[RFC7616]Shekh Yusef,R.,Ed.,Ahrens,D.,和S.Bremer,“HTTP摘要访问认证”,RFC 7616,DOI 10.17487/RFC76162015年9月<http://www.rfc-editor.org/info/rfc7616>.
The scheme definition has been rewritten to be consistent with newer specifications such as [RFC7235].
方案定义已被重写,以符合较新的规范,如[RFC7235]。
The new authentication parameter 'charset' has been added. It is purely advisory, so existing implementations do not need to change, unless they want to take advantage of the additional information that previously wasn't available.
已添加新的身份验证参数“charset”。它纯粹是建议性的,所以现有的实现不需要更改,除非它们希望利用以前不可用的附加信息。
User agents not implementing 'charset' will continue to work as before, ignoring the new parameter.
未实现“charset”的用户代理将一如既往地工作,忽略新参数。
User agents that already default to the UTF-8 encoding implement 'charset' by definition.
已默认为UTF-8编码的用户代理根据定义实现“字符集”。
Other user agents can keep their default behavior and switch to UTF-8 when seeing the new parameter.
其他用户代理可以保留其默认行为,并在看到新参数时切换到UTF-8。
Servers that do not support non-US-ASCII characters in credentials do not require any changes to support 'charset'.
凭据中不支持非US ASCII字符的服务器不需要进行任何更改以支持“字符集”。
Servers that need to support non-US-ASCII characters, but cannot use the UTF-8 character encoding scheme will not be affected; they will continue to function as well or as badly as before.
需要支持非美国ASCII字符但不能使用UTF-8字符编码方案的服务器将不受影响;它们将继续发挥与以前一样好或一样坏的作用。
Finally, servers that need to support non-US-ASCII characters and can use the UTF-8 character encoding scheme can opt in by specifying the 'charset' parameter in the authentication challenge. Clients that do understand the 'charset' parameter will then start to use UTF-8, while other clients will continue to send credentials in their default encoding, broken credentials, or no credentials at all. Until all clients are upgraded to support UTF-8, servers are likely to see both UTF-8 and "legacy" encodings in requests. When processing as UTF-8 fails (due to a failure to decode as UTF-8 or a mismatch of user-id/password), a server might try a fallback to the previously supported legacy encoding in order to accommodate these legacy clients. Note that implicit retries need to be done carefully; for instance, some subsystems might detect repeated login failures and treat them as a potential credentials-guessing attack.
最后,需要支持非美国ASCII字符并且可以使用UTF-8字符编码方案的服务器可以通过在身份验证质询中指定“charset”参数来选择加入。理解“charset”参数的客户端随后将开始使用UTF-8,而其他客户端将继续以其默认编码、损坏的凭据或根本没有凭据发送凭据。在所有客户端升级到支持UTF-8之前,服务器可能会在请求中同时看到UTF-8和“传统”编码。当处理为UTF-8失败时(由于未能解码为UTF-8或用户id/密码不匹配),服务器可能会尝试回退到以前支持的传统编码,以适应这些传统客户端。请注意,隐式重试需要仔细执行;例如,一些子系统可能检测到重复登录失败,并将其视为潜在的凭据猜测攻击。
There are sites in use today that default to a local character encoding scheme, such as ISO-8859-1 ([ISO-8859-1]), and expect user agents to use that encoding. Authentication on these sites will stop working if the user agent switches to a different encoding, such as UTF-8.
目前使用的一些站点默认使用本地字符编码方案,如ISO-8859-1([ISO-8859-1]),并期望用户代理使用该编码。如果用户代理切换到其他编码(如UTF-8),这些站点上的身份验证将停止工作。
Note that sites might even inspect the User-Agent header field ([RFC7231], Section 5.5.3) to decide which character encoding scheme to expect from the client. Therefore, they might support UTF-8 for some user agents, but default to something else for others. User agents in the latter group will have to continue to do what they do today until the majority of these servers have been upgraded to always use UTF-8.
请注意,站点甚至可能检查用户代理头字段([RFC7231],第5.5.3节),以确定希望从客户端获得的字符编码方案。因此,对于某些用户代理,它们可能支持UTF-8,但对于其他用户代理,则默认为其他类型。后一组中的用户代理将不得不继续做他们今天所做的事情,直到这些服务器中的大多数都升级为始终使用UTF-8。
Acknowledgements
致谢
This specification takes over the definition of the "Basic" HTTP Authentication Scheme, previously defined in RFC 2617. We thank John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work on that specification, from which significant amounts of text were borrowed. See Section 6 of [RFC2617] for further acknowledgements.
本规范接管了先前在RFC2617中定义的“基本”HTTP身份验证方案的定义。我们感谢John Franks、Phillip M.Hallam Baker、Jeffery L.Hostetler、Scott D.Lawrence、Paul J.Leach、Ari Luotonen和Lawrence C.Stewart在该规范方面的工作,从中借用了大量文本。有关进一步确认,请参见[RFC2617]第6节。
The internationalization problem with respect to the character encoding scheme used for user-pass was reported as a Mozilla bug back in the year 2000 (see <https://bugzilla.mozilla.org/show_bug.cgi?id=41489> and also the more recent <https://bugzilla.mozilla.org/show_bug.cgi?id=656213>). It was Andrew Clover's idea to address it using a new auth-param.
关于用户通行证使用的字符编码方案的国际化问题早在2000年就被报告为Mozilla错误(参见<https://bugzilla.mozilla.org/show_bug.cgi?id=41489>而且是最近的<https://bugzilla.mozilla.org/show_bug.cgi?id=656213>). 安德鲁·克洛弗的想法是使用一个新的auth参数来解决这个问题。
We also thank the members of the HTTPAUTH Working Group and other reviewers, namely, Stephen Farrell, Roy Fielding, Daniel Kahn Gillmor, Tony Hansen, Bjoern Hoehrmann, Kari Hurtta, Amos Jeffries, Benjamin Kaduk, Michael Koeller, Eric Lawrence, Barry Leiba, James Manger, Alexey Melnikov, Kathleen Moriarty, Juergen Schoenwaelder, Yaron Sheffer, Meral Shirazipour, Michael Sweet, and Martin Thomson for feedback on this revision.
我们还感谢HTTPAUTH工作组成员和其他审稿人,即斯蒂芬·法雷尔、罗伊·菲尔丁、丹尼尔·卡恩·吉尔莫、托尼·汉森、比约恩·霍尔曼、卡里·赫塔、阿莫斯·杰弗里斯、本杰明·卡杜克、迈克尔·科勒、埃里克·劳伦斯、巴里·莱巴、詹姆斯·曼格、阿列克谢·梅尔尼科夫、凯瑟琳·莫里亚蒂、杰尔根·舍恩瓦尔德、雅伦·谢弗、,Meral Shirazipour、Michael Sweet和Martin Thomson就本修订版征求反馈意见。
Author's Address
作者地址
Julian F. Reschke greenbytes GmbH Hafenweg 16 Muenster, NW 48155 Germany
Julian F.Reschke greenbytes GmbH Hafenweg 16 Muenster,西北48155德国
Email: julian.reschke@greenbytes.de URI: http://greenbytes.de/tech/webdav/
Email: julian.reschke@greenbytes.de URI: http://greenbytes.de/tech/webdav/