Electronic Commerce (WS-02/03)

Slide 3-21: HTTP/1.1 (2)

Further improvements:

+ Virtual hosts supported via the new header field Host: several servers can be made available through a single TCP address (IP address:port combination; see chapter 3.6).

    Host: eurift.sts.tu-harburg.de:80
    Host: wips.sts.tu-harburg.de:80

  Identical IP address (134.28.70.3) and port, distinguished by the Host field.

+ New request methods PUT, DELETE, TRACE, OPTIONS
+ Partial transmissions of resource entities (documents)
+ Content negotiation (negotiation of visualization, language, quality, encoding)

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Encoding: gzip
    Accept-Language: de
    Accept-Charset: iso-8859-1,*,utf-8

+ Improved authentication

Slide 3-22: HTTP Extensions

o Session management: adding session management to the stateless HTTP request/response protocol
o User identification and authentication
o Security: adding layers for securing HTTP: S/HTTP, HTTPS, IPSEC
o Refresh / Redirect: trigger actions at the client browser
o more...

Slide 3-25: HTTP Authentication (1)

Basic Authentication (since HTTP/1.0):
o Identification and password are transmitted as plain text. THIS IS INSECURE!

Digest Access Authentication (since HTTP/1.1):
o The client applies a one-way function to identification and password and sends the resulting digest to the server. The server performs the same computation and compares the results.

Slide 3-26: HTTP Authentication (2)

Drawbacks:
o Does not fit into the page design
o Cannot be visualized following the company's corporate design
o Language cannot be selected

Slide 3-27: HTTP Authentication (3)

Security problem not yet solved:
o Replay attack ("man-in-the-middle attack"): the attacker copies the authentication message and replays it to the server; this authenticates him.

Possible solution: the authentication message is valid only once. For this, include the following items (and combinations thereof) in the digest sent in the client request:
o Server-generated nonce (nonce = "number, generated once")
o Client IP address
o Timestamp
o Identification
o Password
o Request method
o Requested URI
o ...
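Slides 3-25 and 3-27 describe a digest over identification, password, nonce, request method and URI that the server recomputes and compares. The Python program below is an added example, not code from the lecture slides: it computes that digest in the style of RFC 2617 HTTP Digest (MD5 over user:realm:password and method:uri, then over HA1:nonce:HA2) and has the server consume each issued nonce and enforce a maximum age, so a replayed authentication message is refused. The realm, user name and password are constructed sample values.

```python
import hashlib
import secrets
import time


def _md5(text: str) -> str:
    # One-way function used by RFC 2617 HTTP Digest (MD5); kept here for
    # fidelity to the protocol, not as a recommendation for new designs.
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """Client side: digest over identification, password, method, URI and nonce."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: issues one-time nonces and recomputes the digest to compare."""

    def __init__(self, realm, users, max_age=300.0):
        self.realm = realm
        self.users = users        # user -> password (constructed sample store)
        self.max_age = max_age    # seconds a nonce stays valid (timestamp check)
        self.issued = {}          # nonce -> time it was issued

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = time.monotonic()
        return nonce

    def verify(self, user, method, uri, nonce, response):
        issued_at = self.issued.pop(nonce, None)  # consume: a nonce is valid once
        if issued_at is None:
            return False                          # unknown or replayed nonce
        if time.monotonic() - issued_at > self.max_age:
            return False                          # stale nonce
        password = self.users.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, uri, nonce)
        return secrets.compare_digest(expected, response)  # constant-time compare


if __name__ == "__main__":
    server = DigestServer("shop@example.test", {"alice": "s3cret"})
    nonce = server.challenge()
    msg = digest_response("alice", server.realm, "s3cret", "GET", "/cart", nonce)
    print("first use:", server.verify("alice", "GET", "/cart", nonce, msg))  # True
    print("replay:   ", server.verify("alice", "GET", "/cart", nonce, msg))  # False
```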