Web authentication
Published in: Education

2 Comments
0 Likes
Statistics
Notes
  • Be the first to like this

No Downloads
Views
Total Views
161
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
2
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Notes
    1. Installing the CA (Certificate Authority) root certificate: the browser vendor receives the CA root certificate from the CA and distributes it as part of the browser installation package.
    2. Signing the Web server certificate: the Web server owner sends the certificate request to the CA. The CA, acting as the RA (Registration Authority), verifies the Web server's identity, then signs (issues) the Web server's certificate.
    3. Validating the Web server certificate: when you use the browser to visit the Web server, the browser, acting as the VA (Validation Authority), receives the Web server's certificate and validates it against the CA root certificate. If the browser finds no issue with the server certificate, it starts to use the public key embedded in the server certificate to secure the communication with the server.
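The three steps in the notes carried out in code, as an added example that is not part of the deck: a self-signed root (step 1), a server certificate the root issues (step 2), and the checks a browser makes against the root it trusts (step 3). It uses the third-party cryptography package; the names "Example Root CA" and "www.example.test" are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject_cn, issuer_cn, public_key, signing_key, is_ca):
    # Naive UTC datetimes are used because every cryptography release accepts them.
    now = datetime.datetime.utcnow()
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signing_key, hashes.SHA256())

def make_pki(ca_cn="Example Root CA", server_cn="www.example.test"):
    """Steps 1 and 2: a self-signed root (what the browser vendor ships) and a server
    certificate the CA issues once the RA has checked the server owner's identity."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = _issue(ca_cn, ca_cn, ca_key.public_key(), ca_key, is_ca=True)
    server_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    server = _issue(server_cn, ca_cn, server_key.public_key(), ca_key, is_ca=False)
    return root, server, server_key

def validate(server_cert, root_cert, expected_host):
    """Step 3: the checks the browser (acting as VA) makes against the root it trusts.
    Returns "ok" or the reason the certificate is rejected."""
    if server_cert.issuer != root_cert.subject:
        return "issuer does not match the trusted root"
    try:  # the root's public key must verify the signature over the to-be-signed part
        root_cert.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                      padding.PKCS1v15(), server_cert.signature_hash_algorithm)
    except InvalidSignature:
        return "signature was not made by the trusted root"
    now = datetime.datetime.utcnow()
    if not (server_cert.not_valid_before <= now <= server_cert.not_valid_after):
        return "certificate is outside its validity period"
    # Real browsers match the SubjectAltName; this constructed chain only carries a CN.
    cn = server_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != expected_host:
        return "certificate was issued for a different host"
    return "ok"
```

A second root with the same name fails the signature check, which is why the issuer name alone is never enough.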
  • Transcript

    • 1. Web Authentication
      By Pradeep J.V
    • 2. Web Authentication
      – Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
      – Authentication is accomplished by:
        • Something the user knows, e.g., password, PIN, pattern
        • Something the user has, e.g., ATM card, smart card
        • Something the user is, e.g., a biometric characteristic such as a fingerprint
    • 3. Password Authentication
      – It is based on "something the user knows".
      – Advantages:
        • Passwords require no special software on the user's computer.
        • Passwords authenticate the user directly because only the user knows the password.
    • 4. Password Authentication
      – Drawbacks:
        • Users can't remember strong passwords, so they write them down.
        • When passwords are forgotten, the password must be recovered, which is either expensive or insecure.
        • Users can share passwords. Revenue is lost when multiple users share an account.
        • An administrator can discover the password and use it to masquerade as the user.
        • The user must have a unique password for each site.
    • 5. Biometric Authentication
      – Authenticates a user through a unique physical characteristic.
      – Typically the biometrics used are fingerprints, voice, face, typing pattern, etc.
    • 6. Biometrics
      – Advantages:
        • Biometrics directly authenticates the person, not indirectly through a password or token.
        • Biometric features are difficult to steal, thereby making biometric authentication very strong.
      – Drawbacks:
        • The user's computer must include the appropriate biometric sensor and software. Reliable sensors are expensive.
        • False positives (wrongly accepting an invalid user) and false negatives (denying a valid user).
    • 7. Token based authentication
      – Authentication through "something the user has".
      – An example of a hardware/software token is RSA SecurID.
    • 8. Tokens
      – Advantages:
        • Tokens prevent a thief with a stolen password from accessing the web site.
        • Tokens prevent accounts from being shared, since the token must be duplicated.
        • Tokens require no special software on the user's computer.
      – Drawbacks:
        • Tokens are expensive and must be replaced or refurbished every few years.
        • A lost token prevents a valid user from accessing the web site, which disrupts business or commerce.
        • Tokens are inconvenient, since the user must manually enter the value of the token as well as the password.
    • 9. PKI - Public Key Infrastructure
      – PKI is a specific implementation of asymmetric cryptography.
      – It relies on the use of digital certificates that are issued by certificate authorities as a means to bind a user to an assigned key pair.
      – A public key: this is something that you make public; it is freely distributed and can be seen by all users.
      – A corresponding (and unique) private key: this is something that you keep secret; it is not shared amongst users.
    • 10. Data encryption using PKI
    • 11. Digital signature using PKI
    • 12. Key management in PKI
    • 13. Key management in PKI (contd)
    • 14. HTTPS
      – The most popular usage example of PKI is the HTTPS (Hypertext Transfer Protocol Secure) protocol.
    • 15. Public Key Infrastructure
      – Advantages:
        • Every modern browser has the built-in capability for public key authentication.
        • Public key authentication can be automatic and even transparent to users.
        • Public key authentication is much stronger than passwords, because the authentication "secret" is stronger and is not shared with web sites.
        • A single certificate can be used for many web sites, since the "secret" is not shared.
    • 16. Public Key Infrastructure
      – Drawbacks:
        • The complexity of the infrastructure: the PKI model requires that the digital certificate binds the proofed identity of the user to the value of the user's public key. This seemingly simple requirement generates a great deal of complexity: how is the identity proofed, who does the proofing, and what are the liabilities if the identity proofing is wrong?
        • The PKI model focuses on identity and does not address authorization.
    • 17. LDAP – Lightweight Directory Access Protocol
      – The Lightweight Directory Access Protocol is a protocol for querying and modifying a directory, running over TCP/IP.
      – It is not a directory, a database or an information repository; it is a protocol to access directory services.
      – Single Sign On systems mostly use LDAP authentication: the user is authenticated at site1, then accesses a resource at site2.
      – Drawbacks: the Web is loosely coupled, consisting of many security domains. SAML is a standard that governs the transfer of assertions between domains.
    • 18. LDAP – Lightweight Directory Access Protocol
      – Client requests to bind to the server.
      – Server accepts/denies the bind request.
      – Client sends a search request.
      – Server returns zero or more directory entries.
      – Server sends a result code with any errors.
      – Client sends an unbind request.
      – Server sends a result code and closes the socket.
    • 19. OAuth – Open Authentication
      – A simple open standard for secure API authentication.
      – An authenticating protocol that allows internet users to approve an application to act on their behalf without the need for the user to share their password with the application.
      – In OAuth the service provider issues tokens, and it involves the exchange of tokens/keys and signing of requests, thus making it a secure protocol.
    • 20. OAuth
    • 21. OAuth
      – Advantages:
        • You don't have to create another profile on the net.
        • Fewer passwords to remember.
        • The user does not have to submit a password to your application if the user does not completely trust us.
        • The user can prevent access to the application from the OAuth provider.
      – Drawbacks:
        • The user cannot tailor the profile for your application (this would require additional development).
        • It can be a bit confusing for the user, having to create an account with OAuth providers if he/she does not have an account there already.
    • 22. References
      – MSDN Security Development Center - http://msdn.microsoft.com/en-us/security/aa570330.aspx
      – Authentication - http://www.authenticationworld.com/index.php
      – PKI - http://pst.libre.lu/mssi-luxmbg/p3/01_base-lex-art.html
      – LDAP - http://directory.apache.org/api/five-minutes-tutorial.html
      – OAuth - http://oauth.net/about/
    • 23. QUESTIONS ?
    • 24. THANK YOU
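The "signing of requests" that slides 19 to 21 credit for OAuth's security, shown end to end as an added example that is not part of the deck. It assumes the OAuth 1.0 HMAC-SHA1 scheme (RFC 5849): the client builds a signature base string and signs it with the consumer and token secrets, and the provider recomputes the signature so that any altered parameter is rejected. The sample request values are taken from the example in RFC 5849 section 1.2 and embedded here as constants.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def pct(value):
    # OAuth 1.0 percent-encoding: only ALPHA, DIGIT, "-", ".", "_", "~" stay unescaped.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded base URL & encoded normalized parameters.
    `params` holds the oauth_* protocol parameters plus any query/body parameters."""
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.port and (u.scheme, u.port) not in (("http", 80), ("https", 443)):
        host += f":{u.port}"  # default ports are dropped from the base URL
    base_url = f"{u.scheme.lower()}://{host}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())  # by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """Client side: HMAC-SHA1 over the base string, keyed with both secrets, base64 encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def provider_verify(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute the signature over every parameter except oauth_signature
    and compare in constant time, so a tampered parameter or wrong secret fails."""
    received = params.get("oauth_signature")
    if received is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)

# Constructed sample: the temporary-credential request from RFC 5849 section 1.2.
SAMPLE_URL = "https://photos.example.net/initiate"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131200",
    "oauth_nonce": "wIjqoS",
    "oauth_callback": "http://printer.example.com/ready",
}
SAMPLE_CONSUMER_SECRET = "kd94hf93k423kf44"
```

A real provider also records each (timestamp, nonce) pair it has seen, so that a correctly signed request cannot simply be replayed.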