【ASP.NET Web API2】Digest认证

Digest摘要认证

对于Basic认证方案来说，被传输的认证凭证仅仅采用Base64编码，所以包含密码的认证凭证基本上可以视为明文传输。Digest认证在此基础上进行了改善，在一定程度上提高了安全系数。

在了解Digest认证的工作原理之前，我们看看通过浏览器调用一个Digest认证的Web API会涉及怎样的消息交换

采用浏览器作为Web API调用的客户端，与Basic认证方式一样，浏览器会针对Web API 的第一次调用  会自动弹出登陆对话框

正确输入账号密码(Web API 配置文件中定义)后，输出结果会呈现在浏览器中。利用Fiddler我们会发现整个调用涉及两次消息交换

GET http://localhost:4003/api/values HTTP/1.1
Host: localhost:4003
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Digest username="", realm="UZ.COM", nonce="1b4d156b1af16f4ea72a040396d27f86", uri="/api/values", response="07e5a5012586dbffbad8040a923fb11a", qop=auth, nc=00000001, cnonce="4aee7270082bcd10"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
WWW-Authenticate: Digest realm="UZ.COM",nonce="4c4c15480802fe3bccb45605f1f4126d",qop="auth"
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RTpcVGVzdFxEaWdlc3REZW1vXERpZ2VzdERlbW9cYXBpXHZhbHVlcw==?=
X-Powered-By: ASP.NET
Date: Fri, 12 Jun 2015 08:16:02 GMT
Content-Length: 81

<Error><Message>Authorization has been denied for this request.</Message></Error>

　　

GET http://localhost:4003/api/values HTTP/1.1
Host: localhost:4003
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Digest username="loding", realm="UZ.COM", nonce="4c4c15480802fe3bccb45605f1f4126d", uri="/api/values", response="9495b8ef2b5b1d6dd3001753293cca57", qop=auth, nc=00000001, cnonce="2dfe2e5c0b8a4000"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RTpcVGVzdFxEaWdlc3REZW1vXERpZ2VzdERlbW9cYXBpXHZhbHVlcw==?=
X-Powered-By: ASP.NET
Date: Fri, 12 Jun 2015 08:17:21 GMT
Content-Length: 195

<ArrayOfstring xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><string>value1</string><string>value2</string></ArrayOfstring>

　　

验证流程:

1,客户端以匿名的方式发送一个请求

2,服务器返回状态为"401 Unauthorized"，这个响应含有"WWW-Authenticate"报头

• Digest:表示当前的认证方式。
• realm:领域
• nonce:服务器生成的具有唯一性的字符串
• qop(Quanlity of Protection):IIS采用qop通知客户端采用的消息保护等级。可选的qop包括"auth"和"auth-int"。

前者表示仅限于基本的认证，后者则表示除了对客户端实施认证外，还需要确保传输内容的一致性。

3,客户端接收到返回的401状态后，会自动弹出一个登陆对话框

4,得到用户输入的用户名和密码，浏览器根据密码和服务端生成的nonce采用一种算法生成一个Digest，这个Digest会作为认证凭证放            到"Authorization"报头response中，随后向服务器发送请求

其他信息：

• username:代表客户端用户名
• nonce：就是服务器生成返回的那个nonce
• cnonce:这是客户端自行生成的nonce，它可以对请求内容进行签名以确保内容没有被篡改，同时也可以帮助客户端对服务器实施认证
• nc(nonce count):表示客户端针对同一个nonce发送请求的数量，随着请求的发送而不断递增。

IIS可以通过nc代表的数字来防止“重发攻击”。

5,服务器接收到请求后进行nc合法性验证等，然后确定客户端提供密码的正确性，完成对客户端的认证

Digest认证实现(源码下载)

https://coding.net/u/Allen_/p/ASP.NET-Web-API-2---Digest/git

验证实现的核心方法:

public class AuthenticationHandler : DelegatingHandler
    {
        protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            try
            {
                HttpRequestHeaders headers = request.Headers;
                if (headers.Authorization != null)
                {
                    Header header = new Header(request.Headers.Authorization.Parameter, request.Method.Method);

                    if (Nonce.IsValid(header.Nonce, header.NounceCounter))
                    {
                        string uzkey = ConfigurationManager.AppSettings["UZKey"];
                        string uzsecret = ConfigurationManager.AppSettings["UZSecret"];

                        string ha1 = HashHelper.GetMD5(String.Format("{0}:{1}:{2}", uzkey, header.Realm, uzsecret));

                        string ha2 = HashHelper.GetMD5(String.Format("{0}:{1}", header.Method, header.Uri));

                        string computedResponse = HashHelper.GetMD5(String.Format("{0}:{1}:{2}:{3}:{4}:{5}",
                                            ha1, header.Nonce, header.NounceCounter, header.Cnonce, "auth", ha2));

                        if (String.CompareOrdinal(header.Response, computedResponse) == 0)
                        {
                            // digest computed matches the value sent by client in the response field.
                            // Looks like an authentic client! Create a principal.
                            var claims = new List<Claim>
                        {
                                        new Claim(ClaimTypes.Name, header.UserName),
                                        new Claim(ClaimTypes.AuthenticationMethod,AuthenticationMethods.Password)
                        };

                            ClaimsPrincipal principal = new ClaimsPrincipal(new[] { new ClaimsIdentity(claims, "Digest") });

                            Thread.CurrentPrincipal = principal;

                            if (HttpContext.Current != null)
                                HttpContext.Current.User = principal;
                        }
                    }
                }

                HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

                if (response.StatusCode == HttpStatusCode.Unauthorized)
                {
                    response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Digest", Header.UnauthorizedResponseHeader.ToString()));
                }

                return response;
            }
            catch (Exception)
            {
                var response = request.CreateResponse(HttpStatusCode.Unauthorized);
                response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Digest", Header.UnauthorizedResponseHeader.ToString()));

                return response;
            }
        }
    }

使用Digest认证还需要在全局配置文件中注册并在Controller中加[Authorize]属性标签

使用WebClient调用Web API

private  static string Request(string sUrl, string sMethod, string sEntity, string sContentType,
  out string sMessage)
        {
            try
            {
                sMessage = "";
                using (System.Net.WebClient client = new System.Net.WebClient())
                {
                    client.Credentials = CreateAuthenticateValue(sUrl);
                    Uri url = new Uri(sUrl);
                    byte[] bytes = Encoding.UTF8.GetBytes(sEntity);
                    byte[] buffer;
                    switch (sMethod.ToUpper())
                    {
                        case "GET":
                            buffer = client.DownloadData(url);
                            break;
                        case "POST":
                            buffer = client.UploadData(url, "POST", bytes);
                            break;
                        default:
                            buffer = client.UploadData(url, "POST", bytes);
                            break;
                    }

                    return Encoding.UTF8.GetString(buffer);
                }
            }
            catch (WebException ex)
            {
                sMessage = ex.Message;
                var rsp = ex.Response as HttpWebResponse;
                var httpStatusCode = rsp.StatusCode;
                var authenticate = rsp.Headers.Get("WWW-Authenticate");

                return "";
            }
            catch (Exception ex)
            {
                sMessage = ex.Message;
                return "";
            }
        }

private static CredentialCache CreateAuthenticateValue(string sUrl)
{
    CredentialCache credentialCache = new CredentialCache();
    credentialCache.Add(new Uri(sUrl), "Digest", new NetworkCredential("用户名", "密码"));  

    return credentialCache;
}