Web authentication
Published in: Education

  1. Web Authentication
     By Pradeep J.V
  2. Web Authentication
     • Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
     • Authentication is accomplished by:
       – Something the user knows
         • e.g., password, PIN, pattern
       – Something the user has
         • e.g., ATM card, smart card
       – Something the user is
         • e.g., a biometric characteristic, such as a fingerprint
  3. Password Authentication
     • It is based on “something the user knows”.
     • Advantages:
       – Passwords require no special software on the user's computer.
       – Passwords authenticate the user directly, because only the user knows the password.
  4. Password Authentication
     • Drawbacks:
       – Users can't remember strong passwords, so they write them down.
       – When a password is forgotten it must be recovered, which is either expensive or insecure.
       – Users can share passwords. Revenue is lost when multiple users share an account.
       – An administrator can discover the password and use it to masquerade as the user.
       – The user must have a unique password for each site.
  5. Biometric Authentication
     • Authenticates a user through a unique physical characteristic.
     • The biometrics typically used are fingerprints, voice, face, typing pattern, etc.
  6. Biometrics
     • Advantages:
       – Biometrics authenticate the person directly, not indirectly through a password or token.
       – Biometric features are difficult to steal, which makes biometric authentication very strong.
     • Drawbacks:
       – The user's computer must include the appropriate biometric sensor and software. Reliable sensors are expensive.
       – False positives (wrongly accepting an invalid user) and false negatives (denying a valid user).
  7. Token-based Authentication
     • Authentication through “something the user has”.
     • An example of a hardware/software token is RSA SecurID.
  8. Tokens
     • Advantages:
       – Tokens prevent a thief with a stolen password from accessing the web site.
       – Tokens prevent accounts from being shared, since the token would have to be duplicated.
       – Tokens require no special software on the user's computer.
     • Drawbacks:
       – Tokens are expensive and must be replaced or refurbished every few years.
       – A lost token prevents a valid user from accessing the web site, which disrupts business or commerce.
       – Tokens are inconvenient, since the user must manually enter the value of the token as well as the password.
  9. PKI - Public Key Infrastructure
     • PKI is a specific implementation of asymmetric cryptography.
     • It relies on the use of digital certificates, issued by certificate authorities, as a means to bind a user to an assigned key pair:
       – A public key. This is something that you make public; it is freely distributed and can be seen by all users.
       – A corresponding (and unique) private key. This is something that you keep secret; it is not shared amongst users.
  10. Data encryption using PKI
  11. Digital signature using PKI
  12. Key management in PKI
  13. Key management in PKI (contd)
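Slides 9 to 11 name the two operations the key pair is used for, but only the slide titles survived. The following is an added example, not the author's, working them through in textbook RSA with toy-sized primes: encrypt with the public key and decrypt with the private key, sign with the private key and verify with the public key. The primes, exponent and message are the classic illustrative values, and the hash is simply reduced modulo n in place of a real padding scheme, so this shows the mechanism only.

```python
import hashlib
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class PublicKey:        # freely distributed; this is what a certificate binds to a user
    n: int
    e: int

@dataclass(frozen=True)
class PrivateKey:       # kept secret by its holder
    n: int
    d: int

def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes p and q (toy sizes only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))   # d = e^-1 mod phi

def encrypt(pub: PublicKey, m: int) -> int:
    """Data encryption: anyone holding the public key can encrypt; needs 0 <= m < n."""
    if not 0 <= m < pub.n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, pub.e, pub.n)

def decrypt(priv: PrivateKey, c: int) -> int:
    """Only the holder of the matching private key recovers the plaintext."""
    return pow(c, priv.d, priv.n)

def _hash_to_int(msg: bytes, n: int) -> int:
    # Toy stand-in for a padded hash (RSA-PSS in practice): SHA-256 reduced mod n.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv: PrivateKey, msg: bytes) -> int:
    """Digital signature: the message hash raised to the private exponent."""
    return pow(_hash_to_int(msg, priv.n), priv.d, priv.n)

def verify(pub: PublicKey, msg: bytes, sig: int) -> bool:
    """Anyone with the public key can check it; any change to msg makes it fail."""
    return pow(sig, pub.e, pub.n) == _hash_to_int(msg, pub.n)

# Classic illustrative keypair: p=61, q=53 gives n=3233, e=17, d=2753.
TOY_PUBLIC, TOY_PRIVATE = make_keypair(61, 53, e=17)
```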
  14. HTTPS
     • The most popular usage example of PKI is the HTTPS (Hypertext Transfer Protocol Secure) protocol.
  15. Public Key Infrastructure
     • Advantages:
       – Every modern browser has the built-in capability for public key authentication.
       – Public key authentication can be automatic and even transparent to users.
       – Public key authentication is much stronger than passwords, because the authentication “secret” is stronger and is not shared with web sites.
       – A single certificate can be used for many web sites, since the “secret” is not shared.
  16. Public Key Infrastructure
     • Drawbacks:
       – The complexity of the infrastructure:
         • The PKI model requires that the digital certificate binds the proofed identity of the user to the value of the user's public key. This seemingly simple requirement generates a great deal of complexity: how is the identity proofed, who does the proofing, and what are the liabilities if the identity proofing is wrong?
       – The PKI model focuses on identity and does not address authorization.
  17. LDAP – Lightweight Directory Access Protocol
     • The Lightweight Directory Access Protocol is a protocol for querying and modifying a directory, running over TCP/IP.
     • It is not a directory, a database or an information repository.
       – It is a protocol to access directory services.
     • Single Sign-On systems mostly use LDAP authentication.
       – The user is authenticated at site 1, then accesses a resource at site 2.
     • Drawbacks:
       – The web is loosely coupled, consisting of many security domains. SAML is a standard that governs the transfer of assertions between domains.
  18. LDAP – Lightweight Directory Access Protocol
     • Client requests to bind to the server.
     • Server accepts/denies the bind request.
     • Client sends a search request.
     • Server returns zero or more directory entries.
     • Server sends a result code with any errors.
     • Client sends an unbind request.
     • Server sends a result code and closes the socket.
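The bind/search/unbind exchange above, as an added example that is not part of the slides, with a toy in-memory server standing in for a real directory: the web application binds with a service account, searches for the user's entry by uid, then binds as that entry with the submitted password. The DNs, passwords and service account are constructed; the result codes are the RFC 4511 values.

```python
import hmac

# RFC 4511 result codes used below.
SUCCESS, OPERATIONS_ERROR, NO_SUCH_OBJECT, INVALID_CREDENTIALS = 0, 1, 32, 49

# Constructed sample directory: DN -> attributes. Clear-text userPassword is a
# toy simplification; a real directory stores a hashed value.
DIRECTORY = {
    "cn=webapp,ou=services,dc=example,dc=com": {"userPassword": "svc-secret"},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "hunter2"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "s3cret"},
}

class LdapServer:
    """Server side of the bind / search / unbind exchange on the slide."""
    def __init__(self):
        self.bound_as = None    # DN of the authenticated session; None when unbound
        self.connected = True
    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is None or not hmac.compare_digest(entry["userPassword"].encode(), password.encode()):
            return INVALID_CREDENTIALS          # server denies the bind request
        self.bound_as = dn
        return SUCCESS                          # server accepts the bind request
    def search(self, base, attr, value):
        """Return (result code, list of matching DNs)."""
        if self.bound_as is None:
            return OPERATIONS_ERROR, []         # search attempted before a bind
        if not any(dn.endswith(base) for dn in DIRECTORY):
            return NO_SUCH_OBJECT, []
        hits = [dn for dn, e in DIRECTORY.items() if dn.endswith(base) and e.get(attr) == value]
        return SUCCESS, hits
    def unbind(self):
        self.bound_as, self.connected = None, False   # server closes the socket
        return SUCCESS

def authenticate_web_user(server, username, password):
    """Client side: service-account bind, search for the user's DN by uid, bind as that DN."""
    if not password:
        return False   # an empty password would be an unauthenticated (anonymous) bind, not a login
    if server.bind("cn=webapp,ou=services,dc=example,dc=com", "svc-secret") != SUCCESS:
        return False
    code, entries = server.search("ou=people,dc=example,dc=com", "uid", username)
    if code != SUCCESS or len(entries) != 1:    # unknown or ambiguous user: deny
        server.unbind()
        return False
    ok = server.bind(entries[0], password) == SUCCESS
    server.unbind()
    return ok
```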
  19. OAuth – Open Authentication
     • A simple open standard for secure API authentication.
     • An authenticating protocol that allows internet users to approve an application to act on their behalf without the need for the user to share their password with the application.
     • In OAuth the service provider issues tokens; the protocol involves the exchange of tokens/keys and the signing of requests, which makes it a secure protocol.
  20. OAuth
  21. OAuth
     Advantages:
     • You don't have to create another profile on the net.
     • Fewer passwords to remember.
     • The user does not have to submit a password to your application if he or she does not completely trust it.
     • The user can revoke the application's access from the OAuth provider.
     Drawbacks:
     • The user cannot tailor the profile for your application (this would require additional development).
     • It can be a bit confusing for the user to have to create an account with an OAuth provider if he or she does not already have one.
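The “signing of requests” mentioned on slide 19, as an added example that is not from the slides, using the OAuth 1.0 HMAC-SHA1 signature method of RFC 5849: the application builds the signature base string and signs it with the consumer and token secrets, and the service provider recomputes the signature in constant time and rejects a replayed nonce. The keys, secrets and request values are constructed samples.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values standing in for what a service provider issued.
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net/photos"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k5l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
    "file": "vacation.jpg", "size": "original",
}

def _enc(s) -> str:
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(s), safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & enc(url) & enc(sorted encoded k=v pairs)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign_request(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret), base64-encoded."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_request(method, url, params, consumer_secret, token_secret, seen_nonces):
    """Service-provider side: recompute the signature, compare it in constant
    time, and reject a (timestamp, nonce) pair that has already been used."""
    params = dict(params)
    received = params.pop("oauth_signature", "")
    nonce_key = (params.get("oauth_timestamp"), params.get("oauth_nonce"))
    if nonce_key in seen_nonces:
        return False                        # replayed request
    expected = sign_request(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, received):
        return False                        # tampered parameters or wrong secrets
    seen_nonces.add(nonce_key)
    return True
```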
  23. Questions?
  24. Thank you