Authentication in Web - Tech Hangout #4 - 2012.11.28

* Tech Hangout is an event organized by developers for developers to exchange knowledge and experience. The meetings are held weekly on Wednesdays from 12:00 to 13:00 and cover exclusively engineering topics. The format is a 30-minute talk on a topic announced in advance, followed by a round-table discussion of the same length.
If you have an unquenchable drive for new knowledge and professional growth, or would like to share your own experience, welcome to Hangout Club!

  • 1. A little bit about Authentication in Web
    Oleksii Miroshko, Nov 28, 2012
  • 2. What is this presentation about?
    • basic principles of identity assurance
    • an entry-level notion of establishing a trusted communication channel
    • common authentication algorithms used in the web environment
    What is this presentation not about?
    • building secure web applications
    • improving the UX of the authentication process
    • attacks on systems and information
  • 3. Terminology
    Identification: the process whereby a network element recognizes a valid user's identity.
    Authentication: the process of verifying the claimed identity of a user.
    Authorization: the determination of whether an identity should be granted access to a specific resource.
  • 4. Terminology
    Factor: something the user
    • knows (password, PIN)
    • has (ATM card, smart card)
    • is (biometric characteristic)
    Token: an object which offers access to a specific resource for a period of time without using a username and password.
  • 5. Symmetric cryptography
    An approach to ciphering messages that uses the same key for both encryption of the plaintext and decryption of the ciphertext.
    text = "My name is Sherlock Holmes. It is my business to know what other people don't know."
    ciphertext = encrypt(text, key)
    text = decrypt(ciphertext, key)        (the same key on both sides)
    Examples: DES, AES (Rijndael), Blowfish, RC4 etc. (DES and RC4 are no longer considered secure and should not be used in new systems.)
  • 6. Asymmetric cryptography
    An asymmetric cryptographic system requires two separate keys: one key encrypts the source text, and the other decrypts the ciphertext.
    text = "My name is Sherlock Holmes. It is my business to know what other people don't know."
    ciphertext = encrypt(text, key)
    decrypt(ciphertext, key)   -> garbage: the key that encrypted cannot decrypt
    decrypt(ciphertext, key2)  -> the original text
    Trapdoor function: a function that is easy to compute in one direction, yet there is no known way to compute the inverse in comparable time without special information, called the "trapdoor".
    RSA (A and B are the two exponents, n the modulus; they are chosen so that T^(AB) = T mod n):
      C = T^A mod n
      T = C^B mod n
  • 7. Public-key authentication
    Generating an RSA key pair (8-bit): n = 77
    OWNER: secret key {163, 77}, public key {7, 77}
    Owner:    "Trust me, look at my public key {7, 77}."
    Verifier: picks the number 2 and encrypts it with that key: 2^7 mod 77 = 128 mod 77 = 51. "Prove it. Decrypt 51."
    Owner:    51^163 mod 77 = ... = 2. "It is 2."
    Verifier: "Exactly!" (the verifier chose 2, so whoever answered holds the matching private key)
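The arithmetic of slides 6 and 7 and the challenge-response exchange, as an added example that is not part of the original deck. It uses the slide's 8-bit numbers (n = 7 * 11 = 77, public exponent 7, private exponent 43; the slide prints 163, which works too because 163 = 43 mod 60). Function names and the random-challenge variant are this example's own additions.

```python
# Added example, not from the slides: the RSA arithmetic of slides 6-7 and
# the challenge-response on slide 7, using the slide's 8-bit numbers.
# Toy sizes only: real RSA uses moduli of 2048 bits or more and a padding
# scheme (OAEP for encryption, PSS for signatures).
from math import gcd
import secrets


def generate_keypair(p, q, e=7):
    """Return (public, private) = ((e, n), (d, n)) for distinct primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse; Python 3.8+
    return (e, n), (d, n)


def rsa_apply(value, key):
    """Raw RSA: value^exponent mod n.  Slide 6's C = T^A mod n and T = C^B mod n."""
    exponent, n = key
    return pow(value, exponent, n)


def verifier_challenge(public_key, chosen=None):
    """Verifier side: pick a number below n (2 on the slide) and encrypt it with
    the claimed public key.  Returns (what the verifier remembers, the challenge)."""
    _, n = public_key
    if chosen is None:
        chosen = secrets.randbelow(n - 2) + 2  # skip 0 and 1, which encrypt to themselves
    return chosen, rsa_apply(chosen, public_key)


def prover_respond(challenge, private_key):
    """Owner side: decrypt the challenge with the private key (51^163 mod 77 on the slide)."""
    return rsa_apply(challenge, private_key)


def authenticate(public_key, private_key, chosen=None):
    """Run the whole exchange; True if the holder of private_key answered correctly."""
    remembered, challenge = verifier_challenge(public_key, chosen)
    return prover_respond(challenge, private_key) == remembered


if __name__ == "__main__":
    public, private = generate_keypair(7, 11, e=7)
    print("public", public, "private", private)                         # (7, 77) (43, 77)
    print("challenge for 2:", rsa_apply(2, public))                      # 51
    print("decrypt 51 with the slide's exponent 163:", rsa_apply(51, (163, 77)))  # 2
    print("authenticated:", authenticate(public, private, chosen=2))     # True
```

Two practitioner caveats the slide glosses over: "decrypt whatever I send you" turns the owner into a raw-RSA decryption oracle, so real protocols have the prover sign a verifier-chosen nonce under a proper padding scheme instead; and the verifier must tie the challenge to the current session, otherwise a recorded answer can be replayed.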
  • 8. Diffie-Hellman key exchange
    Parties: Alice, Bob, and Charlie (a third party who sees everything sent on the channel).
    "Let's use p and q as public constants."
    Alice: "I've selected a private A and tell you the result of p^A mod q."
    Bob:   "I've selected a private B, and the result of p^B mod q is ..."
    Alice: "I've got p^B. Now I can get p^(AB) as (p^B)^A mod q."
    Bob:   "I've got p^A. Now I will get p^(AB) as (p^A)^B mod q."
    Charlie sees p, q, p^A mod q and p^B mod q, but recovering A or B (the discrete logarithm) is infeasible for a suitable q, so he cannot compute p^(AB) mod q. Note that the shared key is (p^B)^A mod q, not p^A * p^B (that product is p^(A+B) mod q, which anyone on the channel can compute). Note also that plain Diffie-Hellman authenticates nobody: an active Charlie who can replace the exchanged values runs a separate exchange with each side, which is why it is combined with the authentication mechanisms on the other slides.
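The exchange of slide 8 carried out in code, as an added example that is not part of the original deck. It keeps the slide's labels (p is the public base, q the public modulus, A and B the private exponents), shows that the product p^A * p^B is not the shared key, and adds a man-in-the-middle run with an active Charlie to illustrate why unauthenticated Diffie-Hellman needs the mechanisms of the surrounding slides. The parameters p = 5, q = 23 and the function names are this example's own choices.

```python
# Added example, not from the slides: the exchange on slide 8 with the slide's
# labels (p = public base, q = public modulus, A and B = private exponents).
# Toy parameters only; real deployments use 2048-bit+ finite-field groups
# (RFC 7919) or elliptic curves.
import secrets


def dh_public(p, q, private):
    """The value a party sends over the wire: p^private mod q."""
    return pow(p, private, q)


def dh_shared(peer_public, private, q):
    """Shared secret from the peer's public value: (p^B)^A mod q == p^(AB) mod q."""
    return pow(peer_public, private, q)


def run_exchange(p, q, a=None, b=None):
    """Alice and Bob each pick a private exponent and publish p^x mod q.
    Returns (p^A mod q, p^B mod q, Alice's key, Bob's key); the two keys match."""
    a = secrets.randbelow(q - 2) + 1 if a is None else a
    b = secrets.randbelow(q - 2) + 1 if b is None else b
    pa, pb = dh_public(p, q, a), dh_public(p, q, b)
    return pa, pb, dh_shared(pb, a, q), dh_shared(pa, b, q)


def naive_product(pa, pb, q):
    """What the slide's caption literally says, p^A * p^B: this is p^(A+B) mod q,
    which is NOT the shared key, and a passive Charlie can compute it anyway."""
    return (pa * pb) % q


def mitm_exchange(p, q, a, b, c):
    """Active Charlie substitutes his own p^C mod q for both public values.
    Returns (Alice's key == Charlie's key with Alice,
             Bob's key == Charlie's key with Bob,
             Alice's key == Bob's key).
    Plain DH cannot detect this: nothing in the exchange is authenticated."""
    pa, pb, pc = dh_public(p, q, a), dh_public(p, q, b), dh_public(p, q, c)
    k_alice = dh_shared(pc, a, q)        # Alice believes pc came from Bob
    k_bob = dh_shared(pc, b, q)          # Bob believes pc came from Alice
    k_charlie_alice = dh_shared(pa, c, q)
    k_charlie_bob = dh_shared(pb, c, q)
    return k_alice == k_charlie_alice, k_bob == k_charlie_bob, k_alice == k_bob


if __name__ == "__main__":
    pa, pb, k_alice, k_bob = run_exchange(5, 23, a=6, b=15)
    print("p^A mod q =", pa, " p^B mod q =", pb)            # 8 19
    print("Alice's key:", k_alice, " Bob's key:", k_bob)     # 2 2
    print("p^A * p^B mod q (wrong):", naive_product(pa, pb, 23))  # 14
    print("active Charlie:", mitm_exchange(5, 23, 6, 15, 3))  # (True, True, False)
```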
  • 9. Certificate-based authentication
    Alice -> Verifier: "I am Alice. Look at my public key P."
    Verifier -> Certification center: "Does P belong to A?"
    Certification center: "Yes, A is certified to use P; we issued her certificate for it."
    Verifier -> Alice: "Yes, P belongs to A indeed. But is it really you? Can you prove that you have the corresponding private key? Decrypt 51..."
    (In practice the certification center's answer is a certificate it signed in advance, so the verifier checks the CA's signature rather than asking online; the challenge then proceeds as on slide 7.)
  • 10. OpenID
    Parties: USER, OpenID provider, APP.
    APP -> User:       "Introduce yourself, please."
    User -> APP:       "No, just take my OpenID."
    APP -> Provider:   "Got a client for you."
    Provider -> APP:   "OK. Ask them to come over."
    User -> Provider:  "I'm Alice. Here is my password."
    Provider -> User:  "Valid. Take this 36723 and return to the app."
    User -> APP:       "I'm back. I've got this 36723."
    APP -> Provider:   "Whose is 36723?"
    Provider -> APP:   "Alice."
    APP -> User:       "Welcome, Alice. You're authenticated."
    Things to remember:
    • OpenID provides authentication only (no authorisation)
    • There is no identification against any global user database
    • Every site can become a provider, and identifiers will always be its URLs
    • The protocol is strictly the same for all providers
  • 11. OAuth 1.0
    OAuth is an HTTP-based authorisation protocol which gives third-party applications scoped access to a protected resource on behalf of the resource owner.
    Parties: USER (resource owner), OAuth client (the blue guy), OAuth server (the green service).
    Client -> User:   "Can I see your childhood photos?"
    User -> Client:   "Easily. They're on the green service."
    Client -> Server: "I'd like to see some photos."
    Server -> Client: "OK, get the owner here and give 628."           (628: the request token)
    Client -> User:   "Go to the green man and show 628."
    User -> Server:   "Knock, knock. Take 628."
    Server -> User:   "Found. The blue guy asked to see some photos. Are they yours?"
    User -> Server:   "Sure, I can prove it. Take my login and password."
    Server -> User:   "Do you really want to allow him access?"
    User -> Server:   "Yes, I do."
    Server -> User:   "OK. Give him this 793."                         (793: the verifier, in OAuth 1.0a terms)
    User -> Client:   "Take this 793, blue guy."
    Client -> Server: "Me again. I have 793 now."
    Server -> Client: "Another story, bro. Take the photos."           (the client now holds an access token)
  • 12. Using OAuth for authentication
    OAuth 1.0 was designed as an authorization mechanism, thus:
    • authentication is encapsulated inside the authorisation process
    • user identity is treated as a private asset of the system
    • there is no defined way of proving identity; it is completely up to the system
    • it is impossible to build a generic authentication solution that works with every service using OAuth
    Authentication with OAuth is like proving that a credit card is yours by providing the PIN code.
  • 13. OAuth 2.0
    A detailed overview of what is new in OAuth 2.0 compared to OAuth 1.0 can be found here: /05/introducing-oauth-2-0/
    • Better support for non-browser based applications.
    • Separation between authorisation and authentication.
    • Reduced lifetime of access tokens.
    • Client applications are no longer required to implement cryptographic request signing (OAuth 2.0 bearer tokens rely on TLS instead).
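Every request the blue client sends in the slide 11 flow (presenting 628, presenting 793, fetching the photos) is signed by the client, and the last bullet on slide 13 notes that OAuth 2.0 dropped this requirement. The signing step itself is not shown in the deck; the following added example, not part of the original presentation, implements the OAuth 1.0 HMAC-SHA1 signature and the server-side check as specified in RFC 5849 section 3.4. The sample request, parameters and secrets are the RFC's own worked example (nonce and timestamp fixed so it runs offline); the function names are this example's own.

```python
# Added example, not from the slides: how an OAuth 1.0 client signs a request
# with HMAC-SHA1 and how the server checks it (RFC 5849 section 3.4).  The
# request, parameters and secrets below are the RFC's own worked example, with
# the nonce and timestamp fixed so the result is reproducible offline.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encoding as OAuth 1.0 requires: only RFC 3986 unreserved characters survive."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query removed (section 3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host, _, port = parts.netloc.lower().partition(":")
    if port and (scheme, port) not in (("http", "80"), ("https", "443")):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(pairs):
    """Encode every (key, value), sort by encoded key then encoded value, join k=v with '&'."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params, body=""):
    """METHOD & pct(base URI) & pct(normalized query + body + oauth_* parameters).
    oauth_signature itself is never part of the input it signs."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)   # form-encoded body; '+' is a space
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(pairs))])


def sign(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """Client side: HMAC-SHA1 over the base string, keyed with both secrets (section 3.4.2)."""
    base = signature_base_string(method, url, oauth_params, body)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    mac = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(method, url, oauth_params, consumer_secret, token_secret, body, presented):
    """Server side: recompute and compare in constant time.  A real server must also
    reject a reused (oauth_nonce, oauth_timestamp) pair, or a captured request replays."""
    expected = sign(method, url, oauth_params, consumer_secret, token_secret, body)
    return hmac.compare_digest(expected, presented)


# RFC 5849 section 3.4.1.1 example (the realm header parameter is excluded from signing).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CONSUMER_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"
# Expected base string.  The RFC's printed text shows 'c%40%3D' at that point; the
# '%' of the encoded key is encoded again on the second pass, giving 'c%2540%3D'.
RFC_BASE = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
    "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
    "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
    "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkk"
    "k9d7dh3k39sjv7"
)

if __name__ == "__main__":
    assert signature_base_string("POST", RFC_URL, RFC_OAUTH, RFC_BODY) == RFC_BASE
    sig = sign("POST", RFC_URL, RFC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY)
    print("oauth_signature =", sig)
    print("verifies:", verify("POST", RFC_URL, RFC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY, sig))
```

The point a practitioner should take from this: the signature binds method, URL, every query and body parameter and the two secrets, so a captured request cannot be altered, but it only proves possession of the secrets, not who the user is. That is exactly why slide 12 says OAuth 1.0 is not an authentication mechanism, and the replay protection (nonce and timestamp bookkeeping) is the part server implementations most often get wrong.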