Authentication is among the most important concepts in security, but most people take a fatally simplistic approach to the matter. We will explore some of the concepts of authentication, including an idea for a more advanced view of authentication that violates common wisdom regarding a related topic.
2. The Three “A”s
● Authentication
● Authorization
● Accounting / Auditing
3. Accounting / Auditing
● Log absolutely everything.
● Know what is in your logs.
● Protect your logs.
● See my IWS talk from last year.
4. Accounting / Auditing
● Log absolutely everything.
● Know what is in your logs.
● Protect your logs.
● SHAMELESS PLUG: See my IWS talk from last year.
5. Authorization
● Authorization is the process of determining and enforcing which privileges an authenticated entity has.
● Most people use Access Control Lists to keep track of which entities have which privileges.
6. Authentication != Authorization
It is considered best practice to separate authentication from authorization, so that authorization can be managed easily without fear of accidentally weakening the authentication system, and vice versa.
This is generally accomplished by keeping the username and password database used for authentication separate from the collection of access control lists used for authorization.
8. Username-Only Systems
● Without authentication, anyone would be able to lie about their identity.
● There would be no accountability and no effective security.
9. Password-Only Systems
● Unfortunately, a flawed authentication system can be about as bad as no authentication system at all.
10. Most Authentication Systems
● The vast majority of authentication systems are based on a username and password.
● ANOTHER SHAMELESS PLUG: My IWS talk from 2011 has some suggestions on how to approach passwords.
11. Password Storage
● As a password is only used for authentication, only a hash of the password needs to be stored, not the password itself.
● FINAL SHAMELESS PLUG: My IWS talk from 2012 covers how to deal with passwords correctly.
12. Credentials
More generally, authentication is accomplished through the verification of certain authentication credentials that an entity may have access to.
Usernames and passwords are two common types of authentication credentials, but there are also other types of authentication credentials.
13. API Tokens
● Another type of authentication credential is an API token, which generally allows a third-party application to access certain functionality programmatically.
● It may be an appropriate option in some cases, but it is awfully similar to the password-only system.
14. OpenID / OAuth
● OpenID is a system that uses URLs from third-party websites as an authentication credential.
● OAuth is a system that allows the server to communicate with one of a few providers to obtain, among other things, authentication credentials for a user.
15. Cookies
● A cookie is an authentication credential that is managed by the browser and automatically sent to the server with every request.
16. Captcha
● A captcha is an authentication credential that tries to verify that a user is a human and not a program.
17. Simple Browser Fingerprint
● A simple browser fingerprint (user agent string, some HTTP behavior) is often used as an authentication credential when cookies aren't available for some reason.
18. Advanced Browser Fingerprint
● When simple browser fingerprinting is not enough, more advanced techniques are sometimes used.
● Sites can use a Flash cookie as an authentication credential.
● Recently there have been news articles about some sites which use canvas rendering behaviors as an authentication credential.
19. IP Address
● A popular authentication credential with some administrators is the IP address of the computer attempting to authenticate.
20. Client-Side SSL
● In my opinion, a client-side SSL certificate can make for a particularly good authentication credential in addition to providing improved transport security.
21. Multi-Factor Token
● An increasingly popular authentication credential is a multi-factor authentication token.
● In addition to the iconic RSA key fobs and the increasingly popular RFC6238-based systems (like Google Authenticator), providers like Yubico, Toopher, Duo, and Transakt are seeing more mainstream adoption.
● Unfortunately, my own multi-factor system is still on the back-burner.
22. Stateful Credentials
Some credentials have a specific relationship to the state of the client and/or server.
23. XSRF Tokens
● Cross-site request forgery is a technique often used in phishing in order to perform actions and/or request data while authenticated using the stored browser cookie.
● An XSRF token is an authentication credential that is required for the next form submission to be accepted.
24. Anonymous Cookies
● Nowadays, almost all websites will send the browser a cookie as soon as they connect so that they can begin tracking behavior as quickly as possible.
● When this cookie is first received, the only information associated with it is that the browser did not just arrive for the first time.
25. Cookie Re-association
● Should the user log in, the state of this authentication credential will change from being associated with an anonymous browser to being associated with an authenticated user.
26. Partially De-authenticated Cookie
As another example of a stateful authentication credential, if a user has been accessing a website for some time after having authenticated, it may be permissible to continue to browse the site, but their cookie has changed state to the point where it will be necessary to re-authenticate before, e.g., purchasing an item or sending an email, whereas these actions would not have required re-authentication before the threshold had passed.
27. Credential Dependencies
● In some cases, credentials can be thought of as depending on other pre-requisite credentials.
28. Unsalted Password Hashes
● Even unsalted password hashes have dependencies: namely, the password.
● DON'T FORGET: If you use unsalted password hashes, you will be vulnerable to rainbow tables.
29. Salted Password Hashes
● The salted password hash depends on having access to the password and the per-user salt (another authentication credential).
● Access to the per-user salt depends on having the username.
● You could even consider having access to the database credentials as yet another dependency.
30. Typical Setup of Today
● An anonymous cookie is used from the beginning (in paywalls, the cookie even changes state).
● To log in, the cookie is provided along with the XSRF token, the username, and the password.
● The username gets the salt, the salt and password get the hash, and if the hash matches and if the XSRF token corresponds to the cookie's, then the user is logged in.
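The login chain on this slide (anonymous cookie, XSRF token bound to that cookie, username → salt, salt + password → hash) written out as an added Python example; it is not the presentation's own code. The hash function (PBKDF2-HMAC-SHA256), the iteration count and the in-memory session and user tables are assumptions standing in for a real database.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for the site's session table and user database.
SERVER_SECRET = secrets.token_bytes(32)   # signs XSRF tokens; would live in server config
SESSIONS = {}   # cookie value -> {"user": None (anonymous) or username}
USERS = {}      # username -> {"salt": bytes, "hash": bytes}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 is an assumption;
    # the slides do not name a hash function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)                   # per-user salt: the rainbow-table defence
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def issue_anonymous_cookie() -> str:
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": None}       # state: anonymous browser
    return cookie

def xsrf_token_for(cookie: str) -> str:
    # The token is an HMAC over the cookie, so it "corresponds" to that cookie only.
    return hmac.new(SERVER_SECRET, cookie.encode(), "sha256").hexdigest()

def login(cookie: str, xsrf: str, username: str, password: str) -> bool:
    session = SESSIONS.get(cookie)
    if session is None:                     # unknown cookie: nothing to build on
        return False
    if not hmac.compare_digest(xsrf, xsrf_token_for(cookie)):
        return False                        # XSRF token belongs to another cookie
    user = USERS.get(username)
    if user is None:
        hash_password(password, bytes(16))  # burn the same time for unknown users
        return False
    # username -> salt, salt + password -> hash, compared in constant time
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False
    # Cookie re-association: the same cookie now stands for an authenticated user.
    # (Production systems usually issue a fresh cookie value at this point as well.)
    session["user"] = username
    return True
```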
31. Multi-Credential Login
● In more secure systems, even more authentication credentials are required at the same time.
● It is not uncommon for some sites' login systems to depend on most of the following credentials simultaneously: a username, a password, a cookie, an XSRF token, a captcha, a multi-factor token, an IP address, a browser fingerprint, and a canvas fingerprint.
32. Virtual Credentials
● It can be convenient to think of certain combinations of stateful credentials as being the dependencies for a kind of virtual credential.
● For example, whatever specific combination of those credentials can be thought of as the dependencies for the “logged in” credential.
33. Region Blocking
● In some cases, specific IP address ranges can help to authenticate whether a user is in a particular geographic area.
● Hmm... some of these more complicated authentication concepts look like authorization, and that's bad, right?
34. The Blurry Line
Now consider a web app that allows you to behave as an end user once you've logged in, but in order to behave as an administrator, you must be logged in and come from a specific IP address.
Is this authentication or authorization?
35. Even Blurrier
Now what if instead of coming from a specific IP address, you were required to use whatever multi-factor token you've set up?
Especially given the notion of virtual credentials, couldn't authorization simply be a matter of authenticating some specific virtual credential with some specific set of credential dependencies?
36. But You Said We Should Use ACLs!
● You could shoehorn some level of awareness of these authentication ideas into your ACLs.
● Unfortunately, that would likely make your ACLs nightmarishly complex, thus defeating the purpose of ACLs.
37. Authorization as Virtual Credentials
● If we instead look at authorization as nothing more than virtual credentials, then access to resources would simply be a matter of authenticating these virtual credentials.
● The equivalent function of ACLs would then be encoded in the dependencies of virtual credentials and group membership.
38. Example (Part 1)
A user goes to a website, where they are given a cookie.
The recorded IP address, the browser fingerprint, and the cookie now give them the virtual credential of “anonymous user”.
This virtual credential authorizes them to access various pages on the website.
39. Example (Part 2)
● The user then goes to the login page, where they are given an XSRF token that will be associated with their cookie.
● The IP address, the browser fingerprint, and (obviously) the cookie are still checked every single request to continue to authenticate the user.
40. Example (Part 3)
● The user enters their username, password, and MFA token into the login form and submits it.
● The server immediately checks that the IP address, the browser fingerprint, the cookie, and the XSRF token all match, and if they do, the user now has the virtual credential for “authorized form submission”.
41. Example (Part 4)
● Since the user has the “authorized form submission” credential, the server uses the username to request the per-user salt from the database.
● The server then uses the password and the per-user salt to get the calculated salted password hash.
42. Example (Part 5)
● The server then uses the username to request the stored salted password hash from the database.
● If the calculated salted password hash matches the stored salted password hash, then the user has the virtual credential for “first-factor authenticated”.
43. Example (Part 6)
● The server uses the username to request the MFA key from the database.
● The server uses the MFA key and the timestamp to calculate the expected MFA token.
● If the expected MFA token matches the MFA token supplied by the user, the user will have the virtual credential for “second-factor authenticated”.
44. Example (Part 7)
● Since the user has the “first-factor authenticated” and “second-factor authenticated” virtual credentials, the user now has the “multi-factor authenticated” virtual credential.
● The user can browse the site so long as the IP address, browser fingerprint, and cookie match, and as long as the time since acquiring the “multi-factor authenticated” credential is less than 25 minutes.
45. Example (Part 8)
● Suppose the user is also a moderator. Then their name would be in the “moderators” group.
● Whenever the user goes to a part of the site that requires moderator privileges, all that is necessary is for that part of the site to verify that the user has the “moderator” virtual credential, which it can do by checking that it has the “multi-factor authenticated” virtual credential and the “moderators group member” credential.
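The dependency graph from Parts 1 to 8, evaluated as virtual credentials, as an added Python example that is not the presentation's own code. Leaf credentials (cookie, XSRF token, first and second factor, group membership) are assumed to have already been verified elsewhere and are simply recorded with the time they were proven; the resolver then derives every virtual credential, including the 25-minute lifetime of “multi-factor authenticated” and the moderator check. The group table is constructed for the example.

```python
import time

# Credential dependency graph taken from the example on the slides. A virtual
# credential is held when every dependency is held, and only for max_age seconds
# after it was acquired when max_age is set.
VIRTUAL = {
    "anonymous user": (("ip address", "browser fingerprint", "cookie"), None),
    "authorized form submission": (("anonymous user", "xsrf token"), None),
    "multi-factor authenticated": (
        ("first-factor authenticated", "second-factor authenticated"), 25 * 60),
    "moderator": (("multi-factor authenticated", "moderators group member"), None),
}

GROUPS = {"moderators": {"alice"}}   # constructed group membership table

class Session:
    def __init__(self):
        self.proven = {}   # leaf credential name -> time it was verified

    def prove(self, name, at=None):
        # Record a leaf credential the server has verified (hash match, TOTP match, ...).
        self.proven[name] = time.time() if at is None else at

    def prove_groups(self, username, at=None):
        # Group membership is just another leaf credential (slide 37).
        for group, members in GROUPS.items():
            if username in members:
                self.prove(f"{group} group member", at)

    def acquired_at(self, name, now):
        # Time the credential was acquired, or None if it is not currently held.
        if name in self.proven:
            return self.proven[name]
        rule = VIRTUAL.get(name)
        if rule is None:
            return None
        deps, max_age = rule
        times = [self.acquired_at(d, now) for d in deps]
        if any(t is None for t in times):
            return None
        acquired = max(times)   # held since the last dependency was satisfied
        if max_age is not None and now - acquired > max_age:
            return None         # expired: partially de-authenticated, re-auth needed
        return acquired

    def has(self, name, now=None):
        return self.acquired_at(name, time.time() if now is None else now) is not None
```

Because expiry is derived rather than stored, the same session answers both "may this user browse?" and "may this user moderate?" without any ACL beyond the graph and the group table.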