SlideShare une entreprise Scribd logo

Authentication Concepts

Télécharger en tant que ODP, PDF
Charles Southerland
Charles Southerland

Authentication is among the most important concepts in security, but most people take a fatally simplistic approach to the matter. We will explore some of the concepts of authentication, including an idea for a more advanced view of authentication that violates common wisdom regarding a related topic.

Technologie
1  sur  52
Authentication Concepts Charles Southerland Information Warfare ● Summit 7 October 1, 2014
The Three “A”s ●Authentication ●Authorization ●Accounting / Audting
Accounting / Auditing ● Log absolutely everything. ● Know what is in your logs. ● Protect your logs. ● See my IWS talk from last year.
Accounting / Auditing ● Log absolutely everything. ● Know what is in your logs. ● Protect your logs. ● SHAMELESS PLUG: See my IWS talk from last year.
Authorization ● Authorization is the process of determining and enforcing which privileges an authenticated entity has. ● Most people use Access Control Lists to keep track of which entities have which privileges
Authentication != Authorization It is considered best practice to separate authentication from authorization so that authorization can be easily managed without fear of accidentally weakening the authentication system and vice versa. This is generally accomplished by keeping a username and password database used for authentication separate from the collection of access control lists used for authorization.
Authentication Authentication is the process of verifying that entities truly are what they identify themselves as.
Username-Only Systems ● Without authentication, anyone would be able to lie about their identity. ● There would be no accountability and no effective security.
Password-Only Systems ● Unfortunately, a flawed authentication system can be about as bad as no authentication system at all.
Most Authentication Systems ● The vast majority of authentication systems are based on a username and password. ● ANOTHER SHAMELESS PLUG: My IWS talk from 2011 has some suggestions on how to approach passwords.
Password Storage ● As a password is only used for authentication, only a hash of the password must be stored, not the password itself. ● FINAL SHAMELESS PLUG: My IWS talk from 2012 covers how to deal with passwords correctly.
Credentials More generally, authentication is accomplished through the verification of certain authentication credentials that an entity may have access to. Usernames and passwords are two common types of authentication credentials, but there are also other types of authentication credentials.
API Tokens ● Another type of authentication credential is an API token, which generally allows a third-party application to access certain functionality programmatically. ● It may be an appropriate option in some cases,but it is awfully similar to the password-only system.
OpenID / OAuth ● OpenID is a system that uses URLs from third-party websites as an authentication credential. ● OAuth is a system that allows the server to communicate with one of a few providers to obtain, among other things, authentication credentials for a user.
Cookies ● A cookie is an authentication credential that is managed by the browser and automatically sent to the server with every request.
Captcha ● A captcha is an authentication credential that tries to verify that a user is a human and not a program.
Simple Browser Fingerprint ● A simple browser fingerprint (user agent string, some HTTP behavior) is often used as an authentication credential when cookies aren't available for some reason.
Advanced Browser Fingerprint ● When simple browser fingerprinting is not enough, more advanced techniques are sometimes used. ● Sites can use a Flash cookie as an authentication credential. ● Recently there have been news articles about some sites which use canvas rendering behaviors as an authentication credential.
IP Address ● A popular authentication credential with some administrators is the IP address of the computer attempting to authenticate.
Client-Side SSL ● In my opinion, a client-side SSL certificate can make for a particularly good authentication credential in addition to providing improved transport security.
Multi-Factor Token ● An increasingly popular authentication credential is a multi-factor authentication token. ● In addition to the iconic RSA key fobs and the increasingly popular RFC6238-based systems (like Google Authenticator), providers like Yubico, Toopher, Duo, and Transakt are having more mainstream adoption. ● Unfortunately, my own multi-factor system is still on the back-burner
Stateful Credentials Some credentials have a specific relationship to the state of the client and/or server.
XSRF Tokens ● Cross-site request forgery is a technique often used in phishing in order to perform actions and/or request data while authenticated using the stored browser cookie. ● An XSRF token is an authentication credential that is required for the next form submission to be accepted.
Anonymous Cookies ● Nowadays, almost all websites will send the browser a cookie as soon as they connect so that they can begin tracking behavior as quickly as possible. ● When this cookie is first received, the only information associated with it is that the browser did not just arrive for the first time.
Cookie Re-association ● Should the user log in, the state of this authentication credential will change from being associated with an anonymous browser to being an associated with an authenticated user.
Partially De-authenticated Cookie As another example of a stateful authentication credential, if a user were accessing a website for some time after having authenticated, it may be permissable to continue to browse the site, but their cookie has changed state to the point where it will be necessary to re-authenticate before, e.g., purchasing an item or sending an email, whereas these actions would not have required re-authentication before the threshold had passed.
Credential Dependencies ● In some cases, credentials can be thought of as depending on other pre-requisite credentials.
Unsalted Password Hashes ● Even unsalted password hashes have dependencies: namely, the password. ● DON'T FORGET: If you use unsalted password hashes, you will be vulnerable to rainbow tables.
Salted Password Hashes ● The salted password hash depends on having access to the password and the per-user salt (another authentication credential). ● Access to the per-user salt depends on having the username. ● You could even consider having access to the database credentials as yet another dependency.
Typical Setup of Today ● An anonymous cookie is used from the beginning (in paywalls, the cookie even changes state). ● To login, the cookie is provided along with the XSRF token, the username, and the password. ● The username gets the salt, the salt and password get the hash, and if the hash matches and if the XSRF token corresponds to the cookie's, then the user is logged in.
Multi-Credential Login ● In more secure systems, even more authentication credentials are required at the same time. ● It is not uncommon for some sites' login systems to depend on most of the following credentials simultaneously: a username, a password, a cookie, an XSRF token, a captcha, a multi-factor token, an IP address, a browser fingerprint, and a canvas fingerprint.
Virtual Credentials ● It can be convenient to think of certain combinations of stateful credentials as being the dependencies for a kind of virtual credential. ● For example, whatever specific combination of those credentials can be thought of as the dependencies for the “logged in” credential.
Region Blocking ● In some cases, specific IP address ranges can help to authenticate whether a user is in a particular geographic area. ● Hmm... some of these more complicated authentication concepts look like authorization, and that's bad, right?
The Blurry Line Now consider a web app that allows you to behave as an end user once you've logged in, but in order to behave as an administrator, you must be logged in and come from a specific IP address. Is this authentication or authorization?
Even Blurrier Now what if instead of coming from a specific IP address, you were required to use whatever multi-factor token you've set up? Especially given the notion of virtual credentials, couldn't authorization simply be a matter of authenticating some specific virtual credential with some specific set of credential dependencies?
But You Said We Should Use ACLs! ● You could shoehorn some level of awareness of these authentication ideas into your ACLs. ● Unfortunately, that would likely make your ACLs nightmarishly complex, thus defeating the purpose of ACLs.
Authorization as Virtual Credentials ● If we instead look at authorization as nothing more than virtual credentials, then access to resources would simply be a matter of authenticating these virtual credentials. ● The equivalent function of ACLs would then be encoded in the dependencies of virtual credentials and group membership.
Example (Part 1) A user goes to a website, where they are given a cookie. The recorded IP address, the browser fingerprint, and the cookie now give them the virtual credential of “anonymous user”. This virtual credential authorizes them to access various pages on the website.
Example (Part 2) ● The user then goes to the login page, where they are given an XSRF token that will be associated with their cookie. ● The IP address, the browser fingerprint, and (obviously) the cookie are still checked every single request to continue to authenticate the user.
Example (Part 3) ● The user enters their username, password, and MFA token into the login form and submits it. ● The server immediately checks that the IP address, the browser fingerprint, the cookie, and the XSRF token all match, and if they do, the user now has the virtual credential for “authorized form submission”.
Example (Part 4) ● Since the user has the “authorized form submission” credential, the server uses the username to request the per-user salt from the database. ● The server then uses the password and the per-user salt to get the calculated salted password hash.
Example (Part 5) ● The server then uses the username to request the stored salted password hash from the database. ● If the calculated salted password hash matches the stored salted password hash, then the user has the virtual credential for “first-factor authenticated”.
Example (Part 6) ● The server uses the username to request the MFA key from the database. ● The server uses the MFA key and the timestamp to calculate the expected MFA token. ● If the expected MFA token matches the MFA token supplied by the user, the user will have the virtual credential for “second-factor authenticated”.
Example (Part 7) ● Since the user has the “first-factor authenticated” and “second-factor authenticated” virtual credentials, the user now has the “multi-factor authenticated” virtual credential. ● The user can browse the site so long as the IP address, browser fingerprint, and cookie match, and as long the time since acquiring the “multi-factor authenticated” credential is less than 25 minutes.
Example (Part 8) ● Suppose the user is also a moderator. Then their name would be in the “moderators” group. ● Whenever the user goes to a part of the site that requires moderator priveleges, all that is necessary is for that part of the site to verify that the user has the “moderator” virtual credential, which it can do by checking that it has the “multi-factor authenticated” virtual credential and the “moderators group member” credential.
In Conclusion...
● It is important not to use terrible authentication systems.
● When using the ACL approach, do separate authentication and authorization.
Some stateful authentication credentials are standard practice now.
● In my opinion, complex authentication requirements would be better off without ACLs.
● I'm considering making a portable, extensible, lightweight implementation to be dropped in for simple web apps... any interest?
Questions?

Recommandé

Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 

Recommandé

Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWTTuyen Vuong
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackFITC
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Design and Implementation of an IP based authentication mechanism for Open So...
Design and Implementation of an IP based authentication mechanism for Open So...Design and Implementation of an IP based authentication mechanism for Open So...
Design and Implementation of an IP based authentication mechanism for Open So...WilliamJohn41
 
Grid security
Grid securityGrid security
Grid securityjosephineusha
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?Derek Edwards
 
Access management
Access managementAccess management
Access managementVenkatesh Jambulingam
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Mobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkMobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkPaul Madsen
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
Authentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanAuthentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanNawaf_alghamdi
 
A A A
A A AA A A
A A ACristian Vat
 

Contenu connexe

Tendances

Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWTTuyen Vuong
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackFITC
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Design and Implementation of an IP based authentication mechanism for Open So...
Design and Implementation of an IP based authentication mechanism for Open So...Design and Implementation of an IP based authentication mechanism for Open So...
Design and Implementation of an IP based authentication mechanism for Open So...WilliamJohn41
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?Derek Edwards
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Mobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkMobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkPaul Madsen
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 

Tendances (20)

Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWT
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN Stack
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
Design and Implementation of an IP based authentication mechanism for Open So...
Design and Implementation of an IP based authentication mechanism for Open So...Design and Implementation of an IP based authentication mechanism for Open So...
Design and Implementation of an IP based authentication mechanism for Open So...
 
Grid security
Grid securityGrid security
Grid security
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?
 
Access management
Access managementAccess management
Access management
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Mobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkMobile Native OAuth Decision Framework
Mobile Native OAuth Decision Framework
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 

En vedette

Authentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanAuthentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanNawaf_alghamdi
 
Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...saidzaghloul
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)Sarah Conway
 
Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4Abrianto Nugraha
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesrahul kundu
 

En vedette (8)

Authentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanAuthentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-Sultan
 
A A A
A A AA A A
A A A
 
Security
SecuritySecurity
Security
 
Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)
 
Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slides
 
AAA Protocol
AAA ProtocolAAA Protocol
AAA Protocol
 

Similaire à Authentication Concepts

Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02G Prachi
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokersFinalyear Projects
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
Industry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarIndustry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarTeleport
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH AccessDevOps.com
 
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and SecurityHow Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and SecurityGlobalSign
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QAFest
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4skimil
 
Web authentication
Web authenticationWeb authentication
Web authenticationPradeep J V
 
Rest Introduction (Chris Jimenez)
Rest Introduction (Chris Jimenez)Rest Introduction (Chris Jimenez)
Rest Introduction (Chris Jimenez)PiXeL16
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 

Similaire à Authentication Concepts (20)

Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokers
 
SINGLE SIGN-ON
SINGLE SIGN-ONSINGLE SIGN-ON
SINGLE SIGN-ON
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
Industry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarIndustry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com Webinar
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH Access
 
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and SecurityHow Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
 
Symantec SSL Explained
Symantec SSL ExplainedSymantec SSL Explained
Symantec SSL Explained
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
 
Web authentication
Web authenticationWeb authentication
Web authentication
 
Rest Introduction (Chris Jimenez)
Rest Introduction (Chris Jimenez)Rest Introduction (Chris Jimenez)
Rest Introduction (Chris Jimenez)
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 

Plus de Charles Southerland

Program Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime OrderProgram Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime OrderCharles Southerland
 
Program Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GFProgram Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GFCharles Southerland
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To UsCharles Southerland
 

Plus de Charles Southerland (11)

hextime (OKC LUGnuts 5C393C35)
hextime (OKC LUGnuts 5C393C35)hextime (OKC LUGnuts 5C393C35)
hextime (OKC LUGnuts 5C393C35)
 
HTTPS Sucks
HTTPS SucksHTTPS Sucks
HTTPS Sucks
 
Linux Users are People, Too!
Linux Users are People, Too!Linux Users are People, Too!
Linux Users are People, Too!
 
RSA
RSARSA
RSA
 
Passwords
PasswordsPasswords
Passwords
 
Program Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime OrderProgram Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime Order
 
Program Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GFProgram Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GF
 
Logs And Backups
Logs And BackupsLogs And Backups
Logs And Backups
 
C Is Not Dead Yet
C Is Not Dead YetC Is Not Dead Yet
C Is Not Dead Yet
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
 
One-Time Pad Encryption
One-Time Pad EncryptionOne-Time Pad Encryption
One-Time Pad Encryption
 

Dernier

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 

Dernier (20)

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Authentication Concepts

  • 1. Authentication Concepts Charles Southerland Information Warfare ● Summit 7 October 1, 2014
  • 2. The Three “A”s ●Authentication ●Authorization ●Accounting / Audting
  • 3. Accounting / Auditing ● Log absolutely everything. ● Know what is in your logs. ● Protect your logs. ● See my IWS talk from last year.
  • 4. Accounting / Auditing ● Log absolutely everything. ● Know what is in your logs. ● Protect your logs. ● SHAMELESS PLUG: See my IWS talk from last year.
  • 5. Authorization ● Authorization is the process of determining and enforcing which privileges an authenticated entity has. ● Most people use Access Control Lists to keep track of which entities have which privileges
  • 6. Authentication != Authorization It is considered best practice to separate authentication from authorization so that authorization can be easily managed without fear of accidentally weakening the authentication system and vice versa. This is generally accomplished by keeping a username and password database used for authentication separate from the collection of access control lists used for authorization.
  • 7. Authentication Authentication is the process of verifying that entities truly are what they identify themselves as.
  • 8. Username-Only Systems ● Without authentication, anyone would be able to lie about their identity. ● There would be no accountability and no effective security.
  • 9. Password-Only Systems ● Unfortunately, a flawed authentication system can be about as bad as no authentication system at all.
  • 10. Most Authentication Systems ● The vast majority of authentication systems are based on a username and password. ● ANOTHER SHAMELESS PLUG: My IWS talk from 2011 has some suggestions on how to approach passwords.
  • 11. Password Storage ● As a password is only used for authentication, only a hash of the password must be stored, not the password itself. ● FINAL SHAMELESS PLUG: My IWS talk from 2012 covers how to deal with passwords correctly.
  • 12. Credentials More generally, authentication is accomplished through the verification of certain authentication credentials that an entity may have access to. Usernames and passwords are two common types of authentication credentials, but there are also other types of authentication credentials.
  • 13. API Tokens ● Another type of authentication credential is an API token, which generally allows a third-party application to access certain functionality programmatically. ● It may be an appropriate option in some cases,but it is awfully similar to the password-only system.
  • 14. OpenID / OAuth ● OpenID is a system that uses URLs from third-party websites as an authentication credential. ● OAuth is a system that allows the server to communicate with one of a few providers to obtain, among other things, authentication credentials for a user.
  • 15. Cookies ● A cookie is an authentication credential that is managed by the browser and automatically sent to the server with every request.
  • 16. Captcha ● A captcha is an authentication credential that tries to verify that a user is a human and not a program.
  • 17. Simple Browser Fingerprint ● A simple browser fingerprint (user agent string, some HTTP behavior) is often used as an authentication credential when cookies aren't available for some reason.
  • 18. Advanced Browser Fingerprint ● When simple browser fingerprinting is not enough, more advanced techniques are sometimes used. ● Sites can use a Flash cookie as an authentication credential. ● Recently there have been news articles about some sites which use canvas rendering behaviors as an authentication credential.
  • 19. IP Address ● A popular authentication credential with some administrators is the IP address of the computer attempting to authenticate.
  • 20. Client-Side SSL ● In my opinion, a client-side SSL certificate can make for a particularly good authentication credential in addition to providing improved transport security.
  • 21. Multi-Factor Token ● An increasingly popular authentication credential is a multi-factor authentication token. ● In addition to the iconic RSA key fobs and the increasingly popular RFC6238-based systems (like Google Authenticator), providers like Yubico, Toopher, Duo, and Transakt are having more mainstream adoption. ● Unfortunately, my own multi-factor system is still on the back-burner
  • 22. Stateful Credentials Some credentials have a specific relationship to the state of the client and/or server.
  • 23. XSRF Tokens ● Cross-site request forgery is a technique often used in phishing in order to perform actions and/or request data while authenticated using the stored browser cookie. ● An XSRF token is an authentication credential that is required for the next form submission to be accepted.
  • 24. Anonymous Cookies ● Nowadays, almost all websites will send the browser a cookie as soon as they connect so that they can begin tracking behavior as quickly as possible. ● When this cookie is first received, the only information associated with it is that the browser did not just arrive for the first time.
  • 25. Cookie Re-association ● Should the user log in, the state of this authentication credential will change from being associated with an anonymous browser to being an associated with an authenticated user.
  • 26. Partially De-authenticated Cookie As another example of a stateful authentication credential, if a user were accessing a website for some time after having authenticated, it may be permissable to continue to browse the site, but their cookie has changed state to the point where it will be necessary to re-authenticate before, e.g., purchasing an item or sending an email, whereas these actions would not have required re-authentication before the threshold had passed.
  • 27. Credential Dependencies ● In some cases, credentials can be thought of as depending on other pre-requisite credentials.
  • 28. Unsalted Password Hashes ● Even unsalted password hashes have dependencies: namely, the password. ● DON'T FORGET: If you use unsalted password hashes, you will be vulnerable to rainbow tables.
  • 29. Salted Password Hashes ● The salted password hash depends on having access to the password and the per-user salt (another authentication credential). ● Access to the per-user salt depends on having the username. ● You could even consider having access to the database credentials as yet another dependency.
  • 30. Typical Setup of Today ● An anonymous cookie is used from the beginning (in paywalls, the cookie even changes state). ● To login, the cookie is provided along with the XSRF token, the username, and the password. ● The username gets the salt, the salt and password get the hash, and if the hash matches and if the XSRF token corresponds to the cookie's, then the user is logged in.
  • 31. Multi-Credential Login ● In more secure systems, even more authentication credentials are required at the same time. ● It is not uncommon for some sites' login systems to depend on most of the following credentials simultaneously: a username, a password, a cookie, an XSRF token, a captcha, a multi-factor token, an IP address, a browser fingerprint, and a canvas fingerprint.
  • 32. Virtual Credentials ● It can be convenient to think of certain combinations of stateful credentials as being the dependencies for a kind of virtual credential. ● For example, whatever specific combination of those credentials can be thought of as the dependencies for the “logged in” credential.
  • 33. Region Blocking ● In some cases, specific IP address ranges can help to authenticate whether a user is in a particular geographic area. ● Hmm... some of these more complicated authentication concepts look like authorization, and that's bad, right?
  • 34. The Blurry Line Now consider a web app that allows you to behave as an end user once you've logged in, but in order to behave as an administrator, you must be logged in and come from a specific IP address. Is this authentication or authorization?
  • 35. Even Blurrier Now what if instead of coming from a specific IP address, you were required to use whatever multi-factor token you've set up? Especially given the notion of virtual credentials, couldn't authorization simply be a matter of authenticating some specific virtual credential with some specific set of credential dependencies?
  • 36. But You Said We Should Use ACLs! ● You could shoehorn some level of awareness of these authentication ideas into your ACLs. ● Unfortunately, that would likely make your ACLs nightmarishly complex, thus defeating the purpose of ACLs.
  • 37. Authorization as Virtual Credentials ● If we instead look at authorization as nothing more than virtual credentials, then access to resources would simply be a matter of authenticating these virtual credentials. ● The equivalent function of ACLs would then be encoded in the dependencies of virtual credentials and group membership.
  • 38. Example (Part 1) A user goes to a website, where they are given a cookie. The recorded IP address, the browser fingerprint, and the cookie now give them the virtual credential of “anonymous user”. This virtual credential authorizes them to access various pages on the website.
  • 39. Example (Part 2) ● The user then goes to the login page, where they are given an XSRF token that will be associated with their cookie. ● The IP address, the browser fingerprint, and (obviously) the cookie are still checked every single request to continue to authenticate the user.
  • 40. Example (Part 3) ● The user enters their username, password, and MFA token into the login form and submits it. ● The server immediately checks that the IP address, the browser fingerprint, the cookie, and the XSRF token all match, and if they do, the user now has the virtual credential for “authorized form submission”.
  • 41. Example (Part 4) ● Since the user has the “authorized form submission” credential, the server uses the username to request the per-user salt from the database. ● The server then uses the password and the per-user salt to get the calculated salted password hash.
  • 42. Example (Part 5) ● The server then uses the username to request the stored salted password hash from the database. ● If the calculated salted password hash matches the stored salted password hash, then the user has the virtual credential for “first-factor authenticated”.
  • 43. Example (Part 6) ● The server uses the username to request the MFA key from the database. ● The server uses the MFA key and the timestamp to calculate the expected MFA token. ● If the expected MFA token matches the MFA token supplied by the user, the user will have the virtual credential for “second-factor authenticated”.
  • 44. Example (Part 7) ● Since the user has the “first-factor authenticated” and “second-factor authenticated” virtual credentials, the user now has the “multi-factor authenticated” virtual credential. ● The user can browse the site so long as the IP address, browser fingerprint, and cookie match, and as long the time since acquiring the “multi-factor authenticated” credential is less than 25 minutes.
  • 45. Example (Part 8) ● Suppose the user is also a moderator. Then their name would be in the “moderators” group. ● Whenever the user goes to a part of the site that requires moderator priveleges, all that is necessary is for that part of the site to verify that the user has the “moderator” virtual credential, which it can do by checking that it has the “multi-factor authenticated” virtual credential and the “moderators group member” credential.
  • 47. ● It is important not to use terrible authentication systems.
  • 48. ● When using the ACL approach, do separate authentication and authorization.
  • 49. Some stateful authentication credentials are standard practice now.
  • 50. ● In my opinion, complex authentication requirements would be better off without ACLs.
  • 51. ● I'm considering making a portable, extensible, lightweight implementation to be dropped in for simple web apps... any interest?