Web Page Access Control

Using DRM to control access to websites and webpages

What is web page access control?

Webpage access control is the mechanism by which access to web pages is limited to specific users.

Web page access control may be achieved in a number of ways and fundamentally comes down to the authorization vs authentication discussion.  Webpages typically authenticaticate users with simple identity and password type of access control, the problems of which have been dealt with at enough length in the articles on web page login and web login.

There is another level of sophistication to web site access control, and that is to encrypt the information that makes up the web page (the underlying html, JavaScript or Active-X, pictures and so on) so that whilst the user is able to see the results on the screen, the underlying information is not accessible to them.

There are also two levels of sophistication when applying encryption in order to provide web page access control.

At the simplest level the encryption key is either a password that the user enters, or it is a password that is carried in the page itself, and is used dynamically to decrypt the underlying information and pass it into the web browser.

This has two obvious problems.  The first is that if a user actually enters the password, then the page may be attacked easily by a hacker using a dictionary attack.  Since passwords tend to be short and memorable this is not a realistic control approach, although surprisingly popular.  The second is that if the key is actually somewhere on the page, then it is not going to take someone long to build a tool to automatically find the key and apply it in order to decrypt the page information.  (Do a web search for html decrypter and you should get around 1 million results.)

At the more complex level you need an application to handle the access to the decryption key(s) and a special viewer to ensure that neither the content nor the underlying information can be accessed by the user although they are able to see the information they require on the screen.  It also ensures that locating and using the relevant decryption key is not simple for an attacker and makes the use of an exhaustive key attack (start with the value of 1, add 1 and keep going until you find it) impractical.

A different approach might be to use the system proposed in the OASIS SAML specification, but we have pointed out in the article on web login that implementation of such an approach is so challenging there are no useful examples to point to.  Only the unkind might say that it seems to be a technology solution for technologists who have so far found nothing that it really maps to.

So web page access control is best achieved by using an encryption technology, but you require something better than the trivial encryption methods if you are going to achieve any realistic security.