web authentication
play

Web Authentication Thierry Sans Several Methods Local - PowerPoint PPT Presentation

Nov 13, 2023 •466 likes •615 views

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

  1. Web Authentication Thierry Sans

  2. Several Methods • Local authentication with login and password • Token-based authentication • Third party authentication

  3. Local Authentication

  4. How to store and verify password? • Clear Data can be hacked A key is needed to store • Encrypted and verify passwords • Hash Weak passwords have known hash Salt and hash must be stored • Salted Hash

  5. Basic Authentication (stateless) (Standard) RFC 2617 ➡ Login and password are sent in clear (Base64 encoding) in the headers "authorization" $ curl -u login:password http://url $ curl http://admin:password@url

  6. Session Authentication (stateful) (Standard) RFC 6265 1. The user enters a login and password and the frontend send them to the backend (POST request) 2. The backend verifi es the login/password based on information stored on the server (usually in the database) 3. The backend stores user information in a session 4. The backend grants access to resources based on the information contained in the session

  7. Do/Don't with passwords • On the client side, do send passwords in: ✓ headers (automatic with basic authentication) ✓ body (POST request with session authentication) ๏ never in the URL • On the server, do store passwords as ✓ salted hash passwords only ๏ never in clear

  8. Token-based Authentication

  9. HMAC (Standard) RFC 2104 For each authenticated HTTP request, the frontend computes and send a message digest that combines the user's secret and some request arguments ✓ User's password never transit back and forth (except the first time it is exchanged maybe) ✓ Digest can be send in clear

  10. JSON Web Token (Standard) RFC 7519 Encode user information in a string that is URL safe (token) Token are usually authenticated and sometimes encrypted ✓ Web token can be used for stateful but yet session-less authentication ๏ revoking tokens can be complicated https://medium.com/@yuliaoletskaya/can-jwt-be-used-for-sessions-4164d124fe23

  11. Third-party Authentication

  12. Single-Sign-On (SSO) 1998 • Pubcookie (a.k.a webiso) 2005 • OpenID 2005 • SAML (a.k.a Shibboleth) • OAuth 2010 • Mozilla Persona 2011 among others …

  13. OAuth 2 (Standard) RFC 6749 1. The backend redirects the user to the third-party login-page 2. Third-party asks and verify the login/password based on the third- party user information 3. Third party redirects the user back to the application with a OAuth token and verifier in the url 4. Backend verifi es the token with third party 5. Backend starts a session ➡ User's login/password never transit by the application frontend nor backend

  14. source: Choosing an SSO Strategy: SAML vs OAuth2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Thermanator: Thermanator: Ercan Ozturk Gene Tsudik Thermal Residue Attacks Thermal Residue

Thermanator: Thermanator: Ercan Ozturk Gene Tsudik Thermal Residue Attacks Thermal Residue

5/25/2019 Tyler Kaczmarek Thermanator: Thermanator: Ercan Ozturk Gene Tsudik Thermal Residue Attacks Thermal Residue Attacks University of California, Irvine A Common Scenario: 1. You arrive at work (shared workspace) 2. Go to your desk

431 views • 15 slides
Digest Based Authentication James Undery - Ubiquity Sanjoy Sen - Nortel Networks Vesa Torvinen -

Digest Based Authentication James Undery - Ubiquity Sanjoy Sen - Nortel Networks Vesa Torvinen -

Digest Based Authentication James Undery - Ubiquity Sanjoy Sen - Nortel Networks Vesa Torvinen - Ericsson Digest Authentication SIP & RFC 2617 Its deployed today Its simple UAC to UAS UAC to proxy draft-undery-sip-auth-00 proxy

224 views • 8 slides
Cyber Readiness Program Presented by: Henry Vido, Program Director, CRI Mohamed Mahdy,

Cyber Readiness Program Presented by: Henry Vido, Program Director, CRI Mohamed Mahdy,

Cyber Readiness Program Presented by: Henry Vido, Program Director, CRI Mohamed Mahdy, Information Technology & Administration Director, IBAG The Cyber Readiness Institute empowers small and medium- sized organizations with practical

262 views • 15 slides
Hash-Based Passwords Steve Bellovin h4ps://www.cs.columbia.edu/~smb

Hash-Based Passwords Steve Bellovin h4ps://www.cs.columbia.edu/~smb

Hash-Based Passwords Steve Bellovin h4ps://www.cs.columbia.edu/~smb smb 1 Problem Area Clients and servers frequently store plaintext passwords Used for

289 views • 9 slides
Wearable Computing Gabriel Reyes CS-HCI PhD Student School of Interactive Computing CS 4470 /

Wearable Computing Gabriel Reyes CS-HCI PhD Student School of Interactive Computing CS 4470 /

Wearable Computing Gabriel Reyes CS-HCI PhD Student School of Interactive Computing CS 4470 / CS 6456 W. Keith Edwards Quick Experiment How many forms of computing are you wearing today? (Dont count whats in your purse or

819 views • 60 slides
Ubiquitous computing CS 347 Michael Bernstein Announcements Abstract drafts due next Friday

Ubiquitous computing CS 347 Michael Bernstein Announcements Abstract drafts due next Friday

Ubiquitous computing CS 347 Michael Bernstein Announcements Abstract drafts due next Friday Project Ideas feedback to come You can iterate, pivot and ideate based on our feedback Dont feel compelled to go exactly with the ones we liked 2

721 views • 36 slides
Technology Shawn Hardin Co-founder & CEO, Mind Pirate Unni Narayanan

Technology Shawn Hardin Co-founder & CEO, Mind Pirate Unni Narayanan

Building Games for the Next Consumer Mega Trend: Wearable Technology Shawn Hardin Co-founder & CEO, Mind Pirate Unni Narayanan Co-founder & VP, Game Prod/Ops, Mind Pirate This Story We Know Well Computers Continue To

840 views • 29 slides
Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles

Human-Computer Interaction 12. Design Principles (3) Last class Normans design principles Recap. Usability Usability is a measure of the effectiveness, efficiency and satisfaction with which specified users can achieve specified goals in a

826 views • 68 slides

More recommend