Authentication, Authentication versus encryption, Md5 authentication (web interface) – APC AP9211 User Manual
Page 44: Security
MasterSwitch Power Distribution Unit User’s Guide
40
Authentication
Authentication
versus encryption
The MasterSwitch
PDU
controls access by providing basic
authentication through user names, passwords, and
IP
addresses, but
provides no type of encryption. These basic security features are
sufficient for most environments, in which sensitive data is not being
transferred. To ensure that data and communication between the
MasterSwitch
PDU
and the client interfaces, such as Telnet and the
Web browser, cannot be captured, you can provide a greater level of
security by enabling
MD5
authentication (described below) for the Web
interface.
MD5
authentication
(Web interface)
The Web interface option for
MD5
authentication enables a higher level
of access security than the basic
HTTP
authentication scheme. The
MD5
scheme is similar to
CHAP
and
PAP
remote access protocols.
Enabling
MD5
implements the following security features:
•
The Web server requests a user name and a password phrase
(distinct from the password). The user name and password
phrase are not transmitted over the network, as they are in
basic authentication. Instead, a Java login applet combines the
user name, password phrase, and a unique session challenge
number to calculate an
MD5
hash number. Only the hash num-
ber is returned to the server to verify that the user has the cor-
rect login information;
MD5
authentication does not reveal the
login information.
•
In addition to the login authentication, each form post for config-
uration or control operations is authenticated with a unique chal-
lenge and hash response.
•
After the authentication login, subsequent page access is
restricted by
IP
addresses and a hidden session cookie. (You
must have cookies enabled in your browser.) Pages are trans-
mitted in their plain-text form, with no encryption.
Continued on next page