Ȩ > Ç¥ÁØÈ °³¿ä > TTAÀÇ Ç¥ÁØÇöȲ
Ç¥ÁعøÈ£ | TTAE.IF-RFC8210 | ±¸Ç¥ÁعøÈ£ | |
---|---|---|---|
Á¦°³Á¤ÀÏ | 2018-12-19 | ÃÑÆäÀÌÁö | 49 |
ÇѱÛÇ¥Áظí | HTTP¸¦ À§ÇÑ »óÈ£ ÀÎÁõ ÇÁ·ÎÅäÄÝ | ||
¿µ¹®Ç¥Áظí | Mutual Authentication Protocol for HTTP | ||
Çѱ۳»¿ë¿ä¾à | º» Ç¥ÁØ¿¡¼ Á¦¾ÈÇÏ´Â »óÈ£ ÀÎÁõ ÇÁ·ÎÅäÄÝÀº ¾ÏÈ£ ÀÎÁõÀ» À§ÇÑ °·ÂÇÑ ¾ÏÈ£È ¼Ö·ç¼ÇÀ¸·Î, ¾Æ·¡ µÎ °¡Áö ÁÖ¿ä ±â´ÉÀ» Á¦°øÇÑ´Ù.
o ¾ÏÈ£ Á¤º¸°¡ ÀüÇô ±³È¯µÇÁö ¾Ê´Â´Ù. ¼¹ö¿Í »ç¿ëÀÚ°¡ ¼·Î ÀÎÁõÇÏÁö ¸øÇϸé, ÇÁ·ÎÅäÄÝÀº »ç¿ëÀÚÀÇ ¾ÏÈ£¿¡ ´ëÇÑ °¡Àå ÀÛÀº Á¤º¸µµ Ç¥½ÃÇÏÁö ¾Ê´Â´Ù. À̸¦ ÅëÇØ, ÇÇ½Ì °ø°ÝÀÌ ¹ß»ýÇÏ´õ¶óµµ ¸ðµç Á¾·ùÀÇ ¿ÀÇÁ¶óÀÎ ¾ÏÈ£ »çÀü °ø°ÝÀ» ¹æÁöÇÒ ¼ö ÀÖ´Ù. o ¼º°øÀûÀ¸·Î ÀÎÁõÇϱâ À§Çؼ, Ŭ¶óÀ̾ðÆ®¿Í ¼¹ö°¡ À¯È¿ÇÑ µî·ÏµÈ ÀÚ°Ý Áõ¸í (ÀÎÁõ ºñ¹Ð)À» ¼ÒÀ¯ÇØ¾ß ÇÑ´Ù. ÀÌ´Â ÇÇ½Ì °ø°ÝÀÚ°¡ »ç¿ëÀÚ¸¦ ¼Ó¿©¼ "ÁøÂ¥" ¼¹ö¶ó°í »ý°¢Çϵµ·Ï ¼ÓÀÏ ¼ö ¾øÀ½À» ÀǹÌÇÑ´Ù. (Basic ¶Ç´Â Digest ÀÎÁõÀ» »ç¿ëÇÏ´Â ¼¹ö´Â ½ÇÁ¦·Î ÀÎÁõÀ» È®ÀÎÇÏÁö ¾Ê°í ¸ðµç Ŭ¶óÀ̾ðÆ®¿¡°Ô "¿¹"·Î ÀÀ´äÇÒ ¼ö ÀÖ´Ù) Ŭ¶óÀ̾ðÆ®´Â Åë½Å ÁßÀÎ ´ë»óÀÌ Á¤¸» ÀÚ½ÅÀÇ °èÁ¤À» µî·ÏÇÑ "¼¹ö"ÀÓÀ» È®ÀÎÇÒ ¼ö ÀÖ´Ù. Áï, ¼¹ö¿Í Ŭ¶óÀ̾ðÆ® °£¿¡ »óÈ£ ÀÎÁõÀ» Á¦°øÇÑ´Ù. |
||
¿µ¹®³»¿ë¿ä¾à | The Mutual authentication protocol, as proposed in the standard, is a strong cryptographic solution for password authentications. It mainly provides the following two key features.
o No password information at all is exchanged in the communications. When the server and user fail to authenticate with each other, the protocol will not reveal even the tiniest bit of information about the user's password. This prevents any kind of offline password dictionary attacks, even with the existence of phishing attacks. o To successfully authenticate, the server, as well as client users, must own the valid registered credentials (authentication secret). This means that a phishing attacker cannot trick users into thinking that it is an "authentic" server. (It should be pointed out that this is not true for Basic and Digest authentication; for example, servers using Basic authentication can answer "YES" to any clients without actually checking authentication at all.) Client users can ascertain whether or not the communicating peer is truly "the server" that registered their account beforehand. In other words, it provides "true" mutual authentication between servers and clients. |
||
±¹Á¦Ç¥ÁØ | |||
°ü·ÃÆÄÀÏ | TTAE.IF-RFC8210.pdf |
- ÀÌÀü
- ¿î¿ëÀÚ ÀÌ´õ³Ý ¼ºñ½º Á¤ÀÇ
- ´ÙÀ½
- ½Å¿ø°ü¸® ¿ë¾î Á¤ÀÇ