Web Authentication
By
Pradeep J.V
1
Web Authentication
• Authentication is the process of determining whether someone or
something is, in fact, who or what it is declared to be.
• Authentication is accomplished by:
– Something the user knows
• e.g., password, PIN, pattern
– Something the user has
• e.g., ATM card, smart card
– Something the user is
• e.g., biometric characteristic, such as a fingerprint.
2
Password Authentication
• It is based on “something the user knows”.
• Advantages:
– Passwords require no special software on the user's computer.
– Passwords authenticate the user directly, because only the user knows the password.
3
Password Authentication
• Drawbacks:
– Users can't remember strong passwords, so they write them down.
– When passwords are forgotten, the password must be recovered, which is either expensive or insecure.
– Users can share passwords. Revenue is lost when multiple users share an account.
– An administrator can discover the password and use it to masquerade as the user.
– The user must have a unique password for each site.
4
Biometric Authentication
• Authenticates a user through a unique physical characteristic.
• Biometrics typically used are fingerprints, voice, face, typing pattern, etc.
5
Biometrics
• Advantages:
– Biometrics directly authenticate the person, not indirectly through a password or token.
– Biometric features are difficult to steal, which makes biometric authentication very strong.
• Drawbacks:
– The user's computer must include the appropriate biometric sensor and software. Reliable sensors are expensive.
– False positives (wrongly accepting an invalid user) and false negatives (denying a valid user).
6
Token based authentication
• Authentication through “something the user has”.
• An example of a hardware/software token is RSA SecurID.
7
Tokens
• Advantages:
– Tokens prevent a thief with a stolen password from accessing the web site.
– Tokens prevent accounts from being shared, since sharing would require duplicating the token.
– Tokens require no special software on the user's computer.
• Drawbacks:
– Tokens are expensive and must be replaced or refurbished every few years.
– A lost token prevents a valid user from accessing the web site, which disrupts business or commerce.
– Tokens are inconvenient, since the user must manually enter the value of the token as well as the password.
8
PKI - Public Key Infrastructure
• PKI is a specific implementation of asymmetric cryptography.
• It relies on digital certificates, issued by certificate authorities, as a means to bind a user to an assigned key pair:
– A public key. This is something that you make public; it is freely distributed and can be seen by all users.
– A corresponding (and unique) private key. This is something that you keep secret; it is not shared amongst users.
9
Data encryption using PKI
10
Digital signature using PKI
11
Key management in PKI
12
Key management in PKI (contd)
13
HTTPS
• The most popular use of PKI is the HTTPS (Hypertext Transfer Protocol Secure) protocol.
14
Public Key Infrastructure
• Advantages:
– Every modern browser has the built-in capability for public key authentication.
– Public key authentication can be automatic and even transparent to users.
– Public key authentication is much stronger than passwords, because the authentication “secret” is stronger and is not shared with web sites.
– A single certificate can be used for many web sites, since the “secret” is not shared.
15
Public Key Infrastructure
• Drawbacks:
– The complexity of the infrastructure:
• The PKI model requires that the digital certificate binds the proofed identity of the user to the value of the user's public key. This seemingly simple requirement generates a great deal of complexity: how is the identity proofed, who does the proofing, and what are the liabilities if the identity proofing is wrong?
– The PKI model focuses on identity and does not address authorization.
16
LDAP – Lightweight Directory Access Protocol
• The Lightweight Directory Access Protocol is a protocol for querying and modifying a directory, running over TCP/IP.
• It is not a directory, a database or an information repository.
– It is a protocol to access directory services.
• Single Sign On systems mostly use LDAP authentication.
– The user is authenticated at site1, then accesses a resource at site2.
• Drawbacks:
– The web is loosely coupled, consisting of many security domains. SAML is a standard that governs the transfer of assertions between domains.
17
LDAP – Lightweight Directory Access Protocol
• Client requests to bind to the server.
• Server accepts/denies the bind request.
• Client sends a search request.
• Server returns zero or more directory entries.
• Server sends a result code with any errors.
• Client sends an unbind request.
• Server sends a result code and closes the socket.
18
OAuth – Open Authentication
• A simple open standard for secure API authentication.
• An authentication protocol that allows internet users to approve an application to act on their behalf without the need for the user to share their password with the application.
• In OAuth the service provider issues tokens; the exchange of tokens/keys and the signing of requests make it a secure protocol.
19
OAuth
20
OAuth
Advantages:
• You don't have to create another profile on the net.
• Fewer passwords to remember.
• The user does not have to submit a password to your application if they do not completely trust it.
• The user can revoke the application's access at the OAuth provider.
Drawbacks:
• The user cannot tailor the profile for your application (that would require additional development).
• It can be a bit confusing for the user to have to create an account with an OAuth provider if he / she does not have an account there already.
21
QUESTIONS?
23
THANK YOU
24


Editor's Notes

1. Installing the CA (Certificate Authority) root certificate: the browser vendor receives the CA root certificate from the CA and distributes it as part of the browser installation package.
2. Signing the web server certificate: the web server owner sends the certificate request to the CA. The CA, acting as the RA (Registration Authority), verifies the web server's identity. Then the CA signs (or issues) the web server's certificate.
3. Validating the web server certificate: when you use the browser to visit the web server, the browser, acting as the VA (Validation Authority), receives the web server's certificate and validates it against the CA root certificate. If the browser finds no issue in the server certificate, it starts to use the public key embedded in the server certificate to secure the communication with the server.
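Added example (not part of the deck) of the three steps above using Go's standard library: a constructed root CA stands in for the vendor-installed root, it issues a server certificate, and the browser-side check chains the presented certificate to the installed root and matches the visited host name. The CA names, the host www.example.test and the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair and has parent sign tmpl for it; a nil parent
// yields a self-signed certificate, which is how a root CA is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a root CA (step 1: the root the browser vendor ships).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate describes the web server certificate the CA issues (step 2).
// Browsers match the visited host against the SAN list, not the CommonName.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// validate is the browser acting as VA (step 3): build a chain from the
// presented certificate to an installed root and check it names the host.
func validate(server *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario reports whether three presented certificates validate: one from the
// installed root for the visited host, the same one presented for another host,
// and one for the visited host from a CA that was never installed.
func Scenario() (okTrusted, okWrongHost, okRogueCA bool) {
	root, rootKey := issue(caTemplate("Example Trusted Root CA"), nil, nil)
	rogue, rogueKey := issue(caTemplate("Rogue CA"), nil, nil)
	srv, _ := issue(serverTemplate("www.example.test"), root, rootKey)
	forged, _ := issue(serverTemplate("www.example.test"), rogue, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only root "installed" in this browser
	okTrusted = validate(srv, roots, "www.example.test") == nil
	okWrongHost = validate(srv, roots, "login.example.test") == nil
	okRogueCA = validate(forged, roots, "www.example.test") == nil
	return
}

func main() {
	okTrusted, okWrongHost, okRogueCA := Scenario()
	fmt.Println("installed root, visited host:", okTrusted) // true
	fmt.Println("installed root, other host:", okWrongHost) // false
	fmt.Println("uninstalled CA, visited host:", okRogueCA) // false
}
```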