Digest authentication is a method of authentication in which a request from a potential user is received >by a network server and then sent to a domain controller. The domain controller sends a special key, >called a digest session key, to the server that received the original request. The user must then produce >a response, which is encrypted and transmitted to the server. If the user's response is of the correct >form, the server grants the user access to the network, Web site or requested resources for a single >session.
In its simplest form, digest authentication is an enhanced method of single-factor authentication (SFA). >The drawback of SFA is the fact that the single factor (the password or user response) is relatively easy >for an experienced hacker to discover and exploit. Superior security can be obtained by the use of a >two-factor authentication scheme, in which a physical token such as smart card is employed in addition >to the password or keyboard-generated response to verify the identity of a potential user. Even better >security may be provided by digest authentication in conjunction with multifactor authentication, in >which three or more independent parameters are used. Such parameters may include biometric >verification, fingerscanning or a voiceprint.
In a scenario where a user does an interactive logon to a client machine and connects to a server, the connection is authenticated. The client and the server engage in an authentication protocol, such as NTLM (as specified in [MS-NLMP]), which validates the user credentials and logs the user on to the server upon successful validation. This type of logon is known as network logon because it happens over a network connection from the client to the server.
To authenticate the user, the server passes the user credentials securely to a domain controller (DC) in the domain of the user account. (The DC is the only entity, other than the client machine, that knows the user secret key; that is, the user password.) After the logon request is delivered to the DC and the DC successfully validates the credentials, the DC refers back to the server those attributes of the user account that the server can use in authorization decisions (such as granting the user access to a particular file).
It is the responsibility of the Netlogon Remote Protocol to deliver the logon request to the DC over a secure channel that is established from the server (acting as the secure channel client) to the DC (acting as the secure channel server). The secure channel is achieved by encrypting the communication traffic with a session key computed using a secret key (called a server's machine account password) shared by the server and the DC.
Upon successful validation of the user credentials on the DC, the Netlogon Remote Protocol delivers the user authorization attributes (referred to as user validation information) back to the server over the secure channel.
This mechanism of delegating the authentication request to a DC is called pass-through authentication, a process in which the server passes the logon request through to the DC. The following illustration depicts a process of pass-through authentication in which the authentication request is passed over a secure channel from a server in Domain A to a DC in the domain containing the user account, in this case also Domain A.
The Bearer authentication scheme is dedicated to the authentication using a token and is described by the RFC6750. Even if this scheme comes from an OAuth2 specification, you can still use it in any other context where tokens are exchange between a client and a server.
Bearer 身份验证专用于使用 token,详细描述可见于 RFC6750。 即使它的原型出自 OAuth2 的规范,依然可以用于任何客户端与服务器交换 token 的场合。
Concerning the JWT authentication and as it is a token, the best choice is the Bearer authentication scheme. Nevertheless, nothing prevent you from using a custom scheme that could fit on your requirements.
关于 JWT 认证,由于它也是基于 token,所以 bearer 身份验证模型同样适用。 当然,如果你有自定义的身份验证方式也尽可以使用,只要满足需求就可以。
基本身份验证
维基百科
基本身份验证是 http 协议支持的一种身份验证方式,客户端发送一个 http header: Authorization, 内容是 "Basic ${token}" 。 例子如下:
token 是经过 base64 编码的用户名和密码,计算方式是 base64Encode(username:password)。请注意,base64 字符串解码非常容易,所以基本认证必须搭配其他安全机制例如 HTTPS/SSL, 来保证用户密码的安全传输。
摘要身份验证
维基百科 原文https://searchsecurity.techtarget.com/definition/digest-authentication
服务器将用户的请求转发给域控制器。域控制器生成一个特殊的秘钥,称为摘要式会话秘钥,返回给原服务器。然后,用户将加密的响应发送给服务器,如果响应的格式是正确的,服务器会授权用户访问权限,用于访问网站或者其他资源。
最简单的形式是,摘要式身份验证是一种增强的单因素身份验证(SFA)方法。 SFA的缺点是单个因素(密码或用户响应)相对较容易被有经验的黑客发现和利用。 通过使用双因素认证方案可以获得更高的安全性,其中除了密码或键盘生成的响应之外还使用诸如智能卡之类的物理令牌来验证潜在用户的身份。 更好的安全性可以通过摘要认证与多因素认证一起提供,其中使用三个或更多个独立参数。 这些参数可以包括生物识别验证,手指扫描或声纹。
Pass-Through Authentication
原文https://msdn.microsoft.com/en-us/library/cc237015.aspx
在用户对客户端计算机进行交互式登录并连接到服务器的情况下,将对连接进行身份验证。客户端和服务器参与身份验证协议,例如NTLM(在[MS-NLMP]中指定),该协议验证用户凭据并在成功验证后将用户登录到服务器。这种类型的登录称为网络登录,因为它通过从客户端到服务器的网络连接发生。
为了对用户进行身份验证,服务器将用户凭据安全地传递给用户帐户域中的域控制器(DC)。 (DC是除了客户端计算机之外唯一知道用户密钥的实体;也就是用户密码。)在将登录请求传递到DC并且DC成功验证凭证之后,DC返回向服务器提供服务器可以在授权决策中使用的用户帐户的那些属性(例如授予用户对特定文件的访问权限)。
Netlogon远程协议负责通过安全通道向DC提供登录请求,该通道从服务器(充当安全通道客户端)到DC(充当安全通道服务器)建立。通过使用由服务器和DC共享的秘密密钥(称为服务器的机器帐户密码)计算的会话密钥来加密通信流量来实现安全信道。
在DC上成功验证用户凭证后,Netlogon远程协议通过安全通道将用户授权属性(称为用户验证信息)传递回服务器。
这种将身份验证请求委派给DC的机制称为传递身份验证,即服务器将登录请求传递给DC的过程。下图描绘了传递身份验证的过程,其中身份验证请求通过安全通道从域A中的服务器传递到包含用户帐户的域中的DC,在本例中也是域A
Basic 和 Bearer
基本和摘要身份验证模型专用于使用用户名和密码的验证(详见 see RFC7616 和 RFC7617)。