a Secarta project ...

HTTPsec Authentication Protocol

[ View as one printable page ]

Preamble

1. Introduction
1.1. Editorial Conventions
1.2. Terms
1.3. Identifiers
2. Summary
2.1. Authentication Model
2.2. Peer Identifiers
2.3. Protocol Operation
2.3.1. Initialization
2.3.2. Continuation
3. Protocol Messages
3.1. Initialization Messages
3.1.1. Initialization Request
3.1.2. Initialization Response
3.2. Continuation Messages
3.2.1. Continuation Request
3.2.2. Continuation Response
3.3. Challenge Messages
3.3.1. Challenge Response
3.4. Message Flow
4. Protocol Directives
4.1. id
4.2. dh
4.3. certificate
4.4. url
4.5. group
4.6. nonce
4.7. auth
4.8. token
4.9. signature
4.10. count
4.11. mac
4.12. digest
5. Other Headers
5.1. Content-Encoding
5.2. Cache-Control
5.3. Expires
6. Protocol Computations
6.1. Algorithms
6.1.1. Hash Algorithm
6.1.2. Public Key Algorithm
6.1.3. Encryption Scheme
6.1.4. Signature Scheme
6.1.5. Block Cipher
6.1.6. Block Cipher Mode
6.2. Header Canonicalization
6.3. Initialization Transcript
6.4. Continuation Request Transcript
6.5. Continuation Response Transcript
6.6. Shared Secret
6.7. Keys
6.7.1. MAC Keys
6.7.2. Cipher Keys
6.8. Message Body Ciphering
7. Message Validation
7.1. Initialization Request Validation
7.2. Initialization Response Validation
7.3. Continuation Request Validation
7.4. Continuation Response Validation
8. Cache Considerations
9. Security Considerations
10. References
11. Editor Address

3.1.1. Initialization Request

The Authorization header [HTTP][ 14.8] in protocol initialization requests has the following form:

"Authorization: httpsec/1.0 initialize, "
 1#(  id
   |  dh
   | [certificate] 
   |  url
   |  group
   |  nonce )
   
id          = "id=" <URI>
dh          = "dh=" base64
certificate = "certificate=" <URI>
url         = "url=" <URI>
group       = "group=" <string-no-whitespace>
nonce       = "nonce=" base64

Example message:

HEAD http://alice.example.com/foobar.txt HTTP/1.1
Authorization: httpsec/1.0 initialize
    id=bob.example.com
    dh=clW9y2X5Vy+5+Ncv5lAI3W9y2X5Vgfe4y+5+Ncv5l...
    certificate=http://bob.example.com/my-cert
    url=http://alice.example.com/foobar.txt
    group=rfc3526#14
    nonce=7iqgkzgfdIe0HN35r6met2579yxetyerty7MZW...

(For legibility, the example's protocol header is extended over multiple lines, as per [HTTP][4.2]. Additionally, the values of some directives are lengthy and have therefore been abbreviated; their terminating ellipsis "..." would NOT appear in the actual value.)

An initialization request has a HEAD method [HTTP][ Section 9.4], unless it carries a certificate payload in the message entity-body (see certificate section) in which case it has a POST method [HTTP][ Section 9.5].

Its Request-URI [HTTP][ Section 5.1.2] is typically be that of a protected resource hosted by the responder and ultimately desired by the requester, but this is not normative.
© Secarta. All rights reserved.