Topic: Password protect for Arduino webserver? (Read 12004 times)
Newbie | Karma: 0 | Posts: 20

I would like that when I connect to my webserver I have to enter a password before I can see the server.

Are there any examples on how to do that?

---
Newbie, Seattle, WA | Karma: 0 | Posts: 36

I think the easiest way might be to have your client send in a cookie that contains the username/password info and to have your web server refuse to respond unless the cookie clears verification ("session-based" auth). Principal-based authentication is not defined in the HTTP protocol (as far as I know), and usually such authentication is done through web pages. So short of using HTTP headers and cookies you will most likely have to extend the protocol to support these semantics yourself.

Just my 2 cents' worth of course.

---
Full Member (Arduino rocks), Sydney, Australia | Karma: 3 | Posts: 230

You could do something cheap like using the password text as the page to redirect to... e.g. collect the password, append ".html" to it and try to redirect to it... e.g. the user enters "fred", which is correct, so you have a fred.html and your authentication page redirects to fred.html - otherwise the user will be redirected to an unknown page and get a 404... depending on your requirements this might be enough... YMMV..

That's prolly only 1c worth.. ;-)


Cheers,

Is life really that serious...??!

---
Edison Member (Forums forever), Sussex UK / CT USA | Karma: 0 | Posts: 1028

A question to those who know more than I do...

Not "rigorous", but suppose I had a little web server, and wanted only me to be able to make it do its thing.

Suppose the webserver's URL was "MyWS.com"

It would be easy (well, relatively!) to program it to respond only to, say...

MyWS.com?pw=MyPassword123

What avenues would be available to Bad Guys who wanted to find out how to get the web server to do whatever it is programmed to do when accessed with the extra bit?

---
Full Member (Arduino rocks), Sydney, Australia | Karma: 3 | Posts: 230

"Bad Guys" typically exploit known bugs in particular server software (eg ISS) to get in. Because you're building a custom server it's going to be harder off the bat for them to exploit known bugs because they'll be working blind. You'd need to make sure your code handles buffer overruns (ie really parameters etc) as they are a nice avenue to exploit.

Also a lot of the "Bad Guys" are just script-kiddies following how-to's - and if the results deviate from what they expect they'll move on to an easier target.


Cheers,

Is life really that serious...??!
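The buffer-overrun point above is the one concrete defensive requirement in this thread, so here is an added example of what "handling it" looks like for the request line of a tiny custom server. This is not code from the thread or from any Arduino library: it is plain C++ so it compiles and runs on a PC, and the `ByteSource` struct is an assumed stand-in for a network client's `read()` (on an Arduino that would be `EthernetClient::read()`). The reader never writes past its fixed buffer, still drains an oversized line so the stream stays in sync, and reports the truncation so the request is refused rather than parsed from a half-read line.

```cpp
// Added example, not from the thread: bounded reading and parsing of the
// HTTP request line for a small custom server. Plain C++; on an Arduino,
// ByteSource::read() would wrap EthernetClient::read().
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for a network client: hands out one byte at a time,
// -1 when the (constructed) input is exhausted.
struct ByteSource {
    const char* data;
    size_t len;
    size_t pos;
    int read() { return pos < len ? (unsigned char)data[pos++] : -1; }
};

enum LineStatus { LINE_OK, LINE_TOO_LONG, LINE_EOF };

// Read one LF-terminated line (CR ignored) into buf, which holds at most
// cap-1 characters plus the NUL. Bytes that do not fit are dropped, never
// written past the end; the rest of the line is still consumed so the next
// call starts on the next line; and the caller is told about the truncation
// so it can refuse the request instead of trusting a chopped line.
LineStatus readLine(ByteSource& src, char* buf, size_t cap) {
    if (cap == 0) return LINE_TOO_LONG;
    size_t n = 0;
    bool truncated = false;
    int c;
    while ((c = src.read()) != -1) {
        if (c == '\r') continue;
        if (c == '\n') break;
        if (n + 1 < cap) buf[n++] = (char)c;
        else truncated = true;
    }
    buf[n] = '\0';
    if (truncated) return LINE_TOO_LONG;
    if (c == -1 && n == 0) return LINE_EOF;
    return LINE_OK;
}

struct Request {
    char method[8];
    char path[32];
};

// Parse "METHOD SP PATH SP HTTP/1.x" into fixed-size fields. Each copy is
// length-checked against its destination, so an oversized method or path is
// rejected instead of overrunning the struct.
bool parseRequestLine(const char* line, Request& req) {
    const char* sp1 = strchr(line, ' ');
    if (sp1 == NULL) return false;
    const char* sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL) return false;
    size_t mlen = (size_t)(sp1 - line);
    size_t plen = (size_t)(sp2 - (sp1 + 1));
    if (mlen == 0 || mlen >= sizeof req.method) return false;
    if (plen == 0 || plen >= sizeof req.path || sp1[1] != '/') return false;
    if (strncmp(sp2 + 1, "HTTP/1.", 7) != 0) return false;
    memcpy(req.method, line, mlen);
    req.method[mlen] = '\0';
    memcpy(req.path, sp1 + 1, plen);
    req.path[plen] = '\0';
    return true;
}

// Read and validate the first line of a request; only GET is accepted.
bool acceptRequest(ByteSource& src, Request& req) {
    char line[64];
    if (readLine(src, line, sizeof line) != LINE_OK) return false;
    if (!parseRequestLine(line, req)) return false;
    return strcmp(req.method, "GET") == 0;
}

int main() {
    // Constructed inputs: a normal request and one with a 200-byte path.
    const char* good = "GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n";
    ByteSource s1 = {good, strlen(good), 0};
    Request r;
    printf("good request accepted: %d, path=%s\n", acceptRequest(s1, r), r.path);

    std::string big = "GET /" + std::string(200, 'A') + " HTTP/1.1\r\nHost: x\r\n";
    ByteSource s2 = {big.c_str(), big.size(), 0};
    printf("oversized request accepted: %d\n", acceptRequest(s2, r));
    char line[64];
    readLine(s2, line, sizeof line);
    printf("next line after draining: %s\n", line);
    return 0;
}
```

The same pattern applies to every header line that follows: read it through `readLine` into a fixed buffer, treat `LINE_TOO_LONG` as a reason to close the connection, and never let a client-supplied length decide how much gets copied.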

---
Newbie (Arduino rocks) | Karma: 0 | Posts: 24

Here is the example

---
Global Moderator, Shannon Member, Netherlands | Karma: 168 | Posts: 12425 | "In theory there is no difference between theory and practice, however in practice there are many..."

"Bad guys" might also do a man in the middle attack and intercept the unencrypted password string smiley-sad

Rob Tillaart

Dutch section - http://arduino.cc/forum/index.php/board,77.0.html -
(Please do not PM for private consultancy)

---
Newbie (Arduino rocks) | Karma: 0 | Posts: 24

It's true. Bad guys can do many things. Arduino is too poor to handle asymmetric crypto, but some sort of response-challenge algorithm could fit :)
(Last edit: August 18, 2011, 05:00:38 am by arian)

---
Global Moderator, Shannon Member, Netherlands | Karma: 168 | Posts: 12425 | "In theory there is no difference between theory and practice, however in practice there are many..."

Quote: "but some sort of response-challenge algorithm could fit"
Definitely :)

Rob Tillaart

Dutch section - http://arduino.cc/forum/index.php/board,77.0.html -
(Please do not PM for private consultancy)

---
Tesla Member (Arduino rocks) | Karma: 114 | Posts: 8899

One of the best ways to generally keep the bad guys away is to not publicly post links to your server. If your server handles something sensitive, you probably need to go with a PC server with built-in security features. What level of security do you need?

Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff. 8-)

---
Sr. Member (Brazilian Arduino Team), São Paulo/SP/Brazil | Karma: 2 | Posts: 305

It's not difficult to implement "Basic Access Authentication".

From wikipedia:
Client request (no authentication):
Code:
GET /private/index.html HTTP/1.1
Host: localhost
(followed by a new line, in the form of a carriage return followed by a line feed).

Server response:
Code:
HTTP/1.1 401 Authorization Required
Server: HTTPd/1.0
Date: Sat, 27 Nov 2004 10:18:15 GMT
WWW-Authenticate: Basic realm="Secure Area"
Content-Type: text/html
Content-Length: 311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
  <HEAD>
    <TITLE>Error</TITLE>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
  </HEAD>
  <BODY><H1>401 Unauthorized.</H1></BODY>
</HTML>

Client request (user name "Aladdin", password "open sesame"):
Code:
GET /private/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

You will need the https://github.com/adamvr/arduino-base64 library, and to hack http://arduino.cc/en/Tutorial/WebServer to answer with HTTP response 401 and wait for authentication data.

Yes, it's not secure (base64 is easily encoded and decoded). A more secure way to do this is using "Digest Access Authentication", and you'll need an MD5 hash library. It needs more hacks too, but could be done on Arduino.
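The server side of the Basic Access Authentication exchange quoted above, as an added example that is not code from the thread, the Arduino WebServer tutorial or the arduino-base64 library. It is plain C++ so it runs on a PC: the small base64 decoder is an assumed stand-in for the linked library, `std::string` stands in for the fixed char buffers a sketch would use, and the user name, password, realm and response bodies are constructed values. The check decodes the `Authorization` header, refuses anything outside the base64 alphabet, compares the credentials in constant time, and answers with the 401 plus `WWW-Authenticate` challenge from the Wikipedia exchange until valid credentials arrive.

```cpp
// Added example, not from the thread: HTTP Basic Access Authentication on
// the server side. Plain C++; the base64 decoder stands in for the
// arduino-base64 library mentioned in the post.
#include <cctype>
#include <cstring>
#include <string>

static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Decode base64, refusing any byte outside the alphabet and any input longer
// than a credential header needs, so junk from a client can only fail the
// check, never corrupt state.
bool base64Decode(const std::string& in, std::string& out) {
    out.clear();
    if (in.size() > 256) return false;
    unsigned acc = 0;
    int bits = 0;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '=') break;              // padding: nothing more to decode
        int v = b64val(in[i]);
        if (v < 0) return false;
        acc = ((acc << 6) | (unsigned)v) & 0xFFFFFF;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back((char)((acc >> bits) & 0xFF));
        }
    }
    return true;
}

static bool equalsIgnoreCase(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

// Compare without stopping at the first mismatch, so response timing does
// not reveal how much of the credential was right.
bool constantTimeEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

// Value of the first header with the given (case-insensitive) name, or "".
std::string headerValue(const std::string& request, const std::string& name) {
    size_t pos = request.find("\r\n");                 // skip the request line
    while (pos != std::string::npos) {
        pos += 2;
        size_t end = request.find("\r\n", pos);
        std::string line = request.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
        if (line.empty()) break;                        // blank line ends the headers
        size_t colon = line.find(':');
        if (colon != std::string::npos && equalsIgnoreCase(line.substr(0, colon), name)) {
            size_t v = colon + 1;
            while (v < line.size() && line[v] == ' ') ++v;
            return line.substr(v);
        }
        pos = end;
    }
    return "";
}

enum AuthResult { AUTH_OK, AUTH_MISSING, AUTH_BAD };

// Inspect "Authorization: Basic <base64(user:pass)>" against the expected pair.
AuthResult checkBasicAuth(const std::string& request, const std::string& user, const std::string& pass) {
    std::string value = headerValue(request, "Authorization");
    if (value.empty()) return AUTH_MISSING;
    if (value.size() < 6 || !equalsIgnoreCase(value.substr(0, 6), "Basic ")) return AUTH_BAD;
    std::string creds;
    if (!base64Decode(value.substr(6), creds)) return AUTH_BAD;
    return constantTimeEquals(creds, user + ":" + pass) ? AUTH_OK : AUTH_BAD;
}

// Whole response: the 401 challenge until valid credentials arrive, then 200.
std::string respond(const std::string& request, const std::string& user, const std::string& pass) {
    if (checkBasicAuth(request, user, pass) != AUTH_OK)
        return "HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Basic realm=\"Secure Area\"\r\n"
               "Content-Type: text/plain\r\n"
               "Content-Length: 17\r\n"
               "Connection: close\r\n\r\n"
               "401 Unauthorized\n";
    return "HTTP/1.1 200 OK\r\n"
           "Content-Type: text/plain\r\n"
           "Content-Length: 3\r\n"
           "Connection: close\r\n\r\n"
           "OK\n";
}
```

In a sketch, `respond` would be driven by the bytes read from the client and its return value written back; the credentials still travel base64-encoded in the clear, which is exactly the man-in-the-middle limitation the thread points out, so this keeps casual visitors out but does not replace transport encryption.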

---
Newbie (Arduino rocks) | Karma: 0 | Posts: 24


Sure, but it will not protect you against a man-in-the-middle attack. A simple form will do the same thing :)
(Last edit: August 18, 2011, 03:52:57 pm by arian)

---
Newbie | Karma: 0 | Posts: 20

I would like to turn some home equipment connected to my Arduino on or off. High security won't be necessary.

I still have no idea how to implement the basic authentication in a sketch.

---
Sr. Member (Brazilian Arduino Team), São Paulo/SP/Brazil | Karma: 2 | Posts: 305

I'll try to implement this next week. I'll keep you informed!

---
Newbie | Karma: 0 | Posts: 20

cool :)