Chapter 17: Authentication

Authentication
Authentication is the process by which you decide that someone is who they say they are and is therefore permitted to access the requested resources. Everyday examples: getting into a computer lab, getting past the bouncer at a bar, logging in to your web application.
Authentication Factors
Authentication factors are the things you can ask someone for in an effort to validate that they are who they claim to be.
Knowledge factors are the things you know: passwords, PINs, challenge questions.
Ownership factors are the things you possess: a key, a fob, a card, a mobile phone.
Inherence factors are the things you are: a fingerprint, a signature, DNA, gait.
Single-Factor Authentication
Single-factor authentication is the weakest and most common category of authentication system: you ask for only one of the three factors, for example knowing a password, possessing an access card, or fingerprint access on your mobile phone. When better authentication confidence is required, more than one authentication factor should be considered.
Multi-Factor Authentication
Multi-factor authentication is where two distinct factors of authentication must pass before you are granted access. The way we all access an ATM is an example of two-factor authentication: you must have both the knowledge factor (PIN) and the ownership factor (card). Multi-factor authentication is becoming prevalent in consumer products as well: your cell phone is used as the ownership factor alongside your PIN as the knowledge factor.
Authentication for Websites
Form-based authentication allows the developer to code a login form that collects the username and password, and to request them only once per session. This is the most common type of authentication. Digest and Basic Authentication instead use browser-based dialog boxes to collect the username and password (not widely used).
Third-Party Authentication: Let Someone Else Worry About It
Many popular services allow you to use their system to authenticate the user and provide you with enough data to manage your application. Third-party authentication schemes like OpenID and OAuth are popular with developers and are used under the hood by many major websites, including Amazon, Facebook, Microsoft, and Twitter, to name but a few.
OAuth
Third-party authentication requires some effort. OAuth uses four roles:
The resource owner is normally the end user who can gain access to the resource (though it can be a computer as well).
The resource server hosts the resources and can process requests using access tokens.
The client is the application making requests on behalf of the resource owner.
The authorization server issues tokens to the client upon successful authentication of the resource owner. Often this is the same server as the resource server.
Authorization: Not the Same as Authentication
Authorization defines what rights and privileges a user has once they are authenticated. Authentication grants access; authorization defines what the user with access can (and cannot) do. The principle of least privilege is a helpful rule of thumb: give users and software only the privileges required to accomplish their work.
Back to Form-Based Authentication
In general, encryption means two-way encoding with a public or private key, while hashing means one-way encoding (it can't be decoded). Best practice is to store passwords in the database in hashed form, so that if the database is breached the passwords aren't easily read. MD5 and SHA-1 are older hashing algorithms which have been found to have flaws; SHA-256 and SHA-512 are newer and stronger (the number refers to the length, in bits, of the hash produced). PHP has a hash() function which can be used as follows:
    $password = hash("sha256", $password);
Using Salts for Added Security
Passwords can be made even more secure by adding some random value (a salt) to the password string before hashing it. There are several ways to do this:
1. Generate a random number and concatenate the password with it before hashing (the salt must then be stored).
2. Concatenate another field, say the user's email, with the password before hashing.
As long as the password being checked is concatenated with the same value and hashed the same way, the algorithm will generate the same hashed string, so it can be compared with the stored hash.
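The first salting scheme above, written out as an added example (this code is not from the slides): the salt is generated per user with random_bytes(), stored next to the hash, and reused when the login attempt is checked. The comparison uses hash_equals() so that it runs in constant time.

```php
<?php
// Added example: per-user random salt concatenated with the password before SHA-256,
// as described in option 1 above. The salt must be stored alongside the hash.
declare(strict_types=1);

// Create a new salt and hash for a password. Returns both so the salt can be stored.
function make_salted_hash(string $password): array
{
    $salt = bin2hex(random_bytes(16));          // 128-bit random salt, hex encoded
    $hash = hash('sha256', $salt . $password);  // salt || password, then one-way hash
    return ['salt' => $salt, 'hash' => $hash];
}

// Verify a login attempt: recompute the hash with the STORED salt and compare in
// constant time, so the comparison itself does not leak how many bytes matched.
function verify_salted_hash(string $candidate, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, hash('sha256', $salt . $candidate));
}

// Demonstration with a constructed password.
$record = make_salted_hash('correct horse battery staple');

// Correct password with the stored salt: verifies.
var_dump(verify_salted_hash('correct horse battery staple', $record['salt'], $record['hash']));
// Wrong password with the stored salt: fails.
var_dump(verify_salted_hash('wrong password', $record['salt'], $record['hash']));

// Two users with the same password get different hashes, because their salts differ,
// so a breached table does not reveal which users share a password.
$other = make_salted_hash('correct horse battery staple');
var_dump($record['hash'] === $other['hash']);
```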
Bcrypt
The slower a hashing algorithm works, the harder it is for hackers' automated cracking attempts to succeed; but it can't be so slow that it becomes impractical to use. Bcrypt is based on a symmetric block cipher called Blowfish. We can make the algorithm work n times slower than it normally would by manipulating the cost factor (the 2-digit number following the second $ in the hash string, which also holds the salt).
Other Algorithms
PBKDF2 (Password-Based Key Derivation Function 2) was designed to be a key-stretching function but is suitable for password storage.
scrypt() is relatively new (2012) and was designed to ensure better security than its predecessor bcrypt().
Too Many Choices
As of PHP 5.5, there is a password_hash() function which allows PHP to select the most trusted password hashing algorithm available without you having to modify your code. The default uses the bcrypt algorithm and a randomly generated salt (the salt option was deprecated in PHP 7.0, so it is preferable to rely on the salt generated by default). Because the default algorithm is meant to change over time, it is recommended that a varchar(255) column be used to store passwords (even though the current output only requires 60 characters).
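An added example (not code from the slides) tying together the bcrypt cost factor and password_hash(): it stores a password with an explicit cost, verifies a login with password_verify(), reads the cost back out of the "$2y$NN$" prefix, and uses password_needs_rehash() to upgrade older hashes. The cost value of 12 is an assumption to be tuned per server.

```php
<?php
// Added example: password_hash()/password_verify() with an explicit bcrypt cost, plus
// the re-hash check that lets stored hashes keep up when the default cost changes.
declare(strict_types=1);

const BCRYPT_COST = 12; // assumption: tune so one hash takes roughly 100-250 ms on your server

function store_password(string $password): string
{
    // The salt is generated for you; the result looks like $2y$12$<22-char salt><31-char hash>
    // and should be stored in a varchar(255) column, as the slide recommends.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function check_password(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash); // reads salt and cost from the hash itself
}

// On a successful login, upgrade hashes that were made with an older cost or algorithm.
// Returns the new hash to write back to the database, or null if no upgrade is needed.
function maybe_rehash(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return store_password($password);
    }
    return null;
}

// Read the 2-digit cost factor that follows the second '$' in a bcrypt string.
function bcrypt_cost(string $hash): int
{
    return (int) explode('$', $hash)[2];
}

// Demonstration: each +1 in cost roughly doubles the time one guess takes.
foreach ([10, 12] as $cost) {
    $start = hrtime(true);
    $h = password_hash('constructed-demo-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    printf("cost %d (parsed back: %d): %.0f ms\n", $cost, bcrypt_cost($h), (hrtime(true) - $start) / 1e6);
}

// A hash made with the old cost still verifies, and is then flagged for upgrade.
$old = password_hash('constructed-demo-password', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(check_password('constructed-demo-password', $old));
var_dump(maybe_rehash('constructed-demo-password', $old) !== null);
```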
Secure Authentication
Authentication is the process of determining whether a server or client is who and what it claims to be. When a browser makes an initial attempt to communicate with a server over a secure connection, the server authenticates itself by providing a digital secure certificate. If the certificate is registered with (trusted by) the browser, the browser won't display it by default; however, the user still has the option to view the certificate. In some rare cases, the server may request that a client authenticate itself by presenting its own digital secure certificate.
HTTPS: Secure HTTP
HTTPS is the HTTP protocol running on top of Transport Layer Security (TLS). It's easy to see from a client's perspective that a site is secured: most modern browsers show a little padlock icon in the URL bar.
HTTPS Secure Handshakes
A Digital Secure Certificate
HTTPS: Certificate Authorities
A Certificate Authority (CA) allows users to place their trust in a certificate, since a trusted, independent third party signs it.
Certificate Authorities
(Market share chart from a W3Techs survey, May 2015.)
SSL Strengths
The strength refers to the length of the key generated for the encrypted session; stronger security costs more. Common strengths: 40-bit, 56-bit, 128-bit (the typical SSL strength for collecting personal information), 256-bit.
HTTPS: Self-Signed Certificates
Self-signed certificates provide the same level of encryption, but the validity of the server is not confirmed by a trusted third party.
Using HTTPS
Secure Sockets Layer (SSL) is an older Internet protocol that allows for data transmission between server and client through a secure connection. Transport Layer Security (TLS) is the newer protocol for transferring data via a secure connection; it is still often referred to as SSL. Over a secure connection, the browser encrypts data being sent to the server and the server decrypts it, and the server encrypts data being sent to the browser and the browser decrypts it.
URLs for Secure Connections
Request a secure connection: https://webdev.cislabs.uncw.edu
Return to a regular connection: http://webdev.cislabs.uncw.edu
Requests must be full URLs.
Redirection
The server instructs the browser to request another URL, using the header() function with the Location: string:
    header('location:.');           // the current directory
    header('location:..');          // up one directory
    header('location:./admin');     // down one directory, into admin
    header('location: error.php');  // another page in the current directory
    header('location: https://webdev.cislabs.uncw.edu/~abc123');  // an absolute URL
    // Follow a Location header with exit(), as secure_conn.php does, so the rest of the script does not run.
The $_SERVER Array
Examples of URI references:
    https://example.org/absolute/uri/with/absolute/path/to/resource.txt
    //example.org/scheme-relative/uri/with/absolute/path/to/resource.txt
    /relative/uri/with/absolute/path/to/resource.txt
    relative/path/to/resource.txt
    ../../../resource.txt
The $_SERVER Array
    $_SERVER['HTTP_HOST'] = webdev.cislabs.uncw.edu
    $_SERVER['REQUEST_URI'] = /~abc1234/file.php
A utility file (secure_conn.php) that builds an absolute URL from the $_SERVER array and redirects to it:
    <?php
    // make sure the page uses a secure connection
    $https = filter_input(INPUT_SERVER, 'HTTPS');   // empty unless the request came over HTTPS
    if (!$https || $https === 'off') {              // some servers (IIS) set 'off' instead of leaving it empty
        $host = filter_input(INPUT_SERVER, 'HTTP_HOST');
        $uri  = filter_input(INPUT_SERVER, 'REQUEST_URI');
        $url  = 'https://' . $host . $uri;
        header("location: " . $url);
        exit();   // stop here so nothing sensitive is sent over the plain connection
    }
    ?>
Requiring a Secure Connection
    require_once 'secure_conn.php';
Use this on any page that contains sensitive information.

Reverting to HTTP
    require_once 'reg_conn.php';
For example, after a user has logged out.
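As an added example (not the course's own secure_conn.php or reg_conn.php), the same redirect logic written as one function that backs both files. It takes the server array as a parameter so it can be exercised with a constructed request, treats the IIS value HTTPS=off as plain HTTP, and refuses to build a redirect from a missing or malformed Host header.

```php
<?php
// Added example: one helper behind secure_conn.php (wantHttps = true) and
// reg_conn.php (wantHttps = false). Function and file layout are assumptions.
declare(strict_types=1);

// Return the absolute URL to redirect to, or null if the request already uses
// the wanted scheme (or no safe redirect can be built).
function scheme_redirect_url(array $server, bool $wantHttps): ?string
{
    $isHttps = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    if ($isHttps === $wantHttps) {
        return null; // nothing to do
    }
    $host = $server['HTTP_HOST'] ?? '';
    $uri  = $server['REQUEST_URI'] ?? '/';
    // The Host header is client-supplied: only accept a plain hostname with optional port,
    // so a crafted Host cannot turn this into a redirect to another site.
    if ($host === '' || !preg_match('/^[A-Za-z0-9.\-]+(:\d+)?$/', $host)) {
        return null;
    }
    return ($wantHttps ? 'https://' : 'http://') . $host . $uri;
}

// Issue the redirect and stop, so the page body is never sent over the wrong scheme.
function enforce_scheme(bool $wantHttps): void
{
    $url = scheme_redirect_url($_SERVER, $wantHttps);
    if ($url !== null) {
        header('Location: ' . $url);
        exit();
    }
}

// secure_conn.php would contain just: enforce_scheme(true);
// reg_conn.php would contain just:    enforce_scheme(false);

// Constructed request, as PHP would fill $_SERVER for http://webdev.cislabs.uncw.edu/~abc1234/file.php
$plain = ['HTTP_HOST' => 'webdev.cislabs.uncw.edu', 'REQUEST_URI' => '/~abc1234/file.php'];
var_dump(scheme_redirect_url($plain, true));                        // plain request: redirect to https://
var_dump(scheme_redirect_url($plain + ['HTTPS' => 'on'], true));    // already secure: no redirect
var_dump(scheme_redirect_url($plain + ['HTTPS' => 'off'], true));   // IIS-style 'off': still redirected
var_dump(scheme_redirect_url($plain + ['HTTPS' => 'on'], false));   // reg_conn.php case: back to http://
var_dump(scheme_redirect_url(['HTTP_HOST' => 'evil.example/x?'], true)); // malformed Host: refused
```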
Next Steps: Chapter 9, Login/Logout, Cookies and Sessions

The remaining slides contain additional information about cryptography, in case you are interested.
Cryptography: Secret Messages
Being able to send a secure message has been an important tool in warfare and affairs of state for centuries. At a basic level we are trying to get a message from one actor (we will call her Alice) to another (Bob) without an eavesdropper (Eve) intercepting it. Since a single packet of data is routed through any number of intermediate locations on its way to its destination, getting at your data (and passwords) is as simple as reading the data during one of those hops, unless you use cryptography.
Cryptography: the problem (illustrated)
Cryptography: the goal (illustrated)
Cryptography: Some Key Terms
A cipher scrambles a message so that it cannot easily be read unless one has some secret key. The key can be a number, a phrase, or a page from a book. What is important in both ancient and modern cryptography is to keep the key a secret between the sender and the receiver.
Cryptography: Substitution Ciphers
A substitution cipher is one where each character of the original message is replaced with another character according to the encryption algorithm and key. Examples covered here: Caesar, Vigenère, one-time pad, modern block ciphers.
Caesar (Substitution Ciphers)
The Caesar cipher, named for and used by the Roman Emperor, is a substitution cipher where every letter of a message is replaced with another letter by shifting the alphabet over an agreed number of positions (from 1 to 25). The message HELLO, for example, becomes KHOOR when a shift value of 3 is used.
The Problem with Lousy Ciphers: Letter Distribution Is Not Flat
The frequency of letters (and of pairs and triples of letters) in a language is well known. If you noticed the letter J occurring most frequently in a ciphertext, it might well stand for the letter E. Any good cipher must therefore try to make the resulting ciphertext letter distribution relatively flat, so as to remove any trace of the telltale pattern of letter frequencies. Simply swapping one letter for another does not do that, necessitating other techniques.
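An added example (not from the slides) of the two preceding points: a Caesar shift over A-Z, and the frequency check described above, which assumes the most common ciphertext letter stands for E and so recovers the shift from the letter counts alone. The sample sentence is constructed.

```php
<?php
// Added example: Caesar shift and the letter-frequency weakness. Uppercase A-Z only;
// other characters pass through unchanged.
declare(strict_types=1);

function caesar(string $text, int $shift): string
{
    $out = '';
    foreach (str_split($text) as $ch) {
        if ($ch >= 'A' && $ch <= 'Z') {
            $out .= chr((ord($ch) - ord('A') + $shift + 26) % 26 + ord('A'));
        } else {
            $out .= $ch; // leave spaces and punctuation alone
        }
    }
    return $out;
}

// Count each letter; a substitution only relabels the bars, the distribution stays just as lumpy.
function letter_counts(string $text): array
{
    $counts = array_fill_keys(range('A', 'Z'), 0);
    foreach (str_split(strtoupper($text)) as $ch) {
        if (isset($counts[$ch])) {
            $counts[$ch]++;
        }
    }
    return $counts;
}

// Guess the shift by assuming the most frequent ciphertext letter is E (the most common English letter).
function guess_caesar_shift(string $ciphertext): int
{
    $counts = letter_counts($ciphertext);
    arsort($counts);                      // highest count first, keys preserved
    $top = array_key_first($counts);
    return (ord($top) - ord('E') + 26) % 26;
}

// Constructed sample: English text long enough for E to dominate the counts.
$plain  = 'THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG WHILE EVERYONE ELSE WATCHES THE RIVER';
$secret = caesar($plain, 3);              // the same shift that turns HELLO into KHOOR
$shift  = guess_caesar_shift($secret);
echo "ciphertext:    $secret\n";
echo "guessed shift: $shift\n";
echo "recovered:     ", caesar($secret, -$shift), "\n";
```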
Vigenère: An Early Attempt to Flatten the Letter Distribution
The Vigenère cipher, named for the sixteenth-century cryptographer, uses a keyword to encode a message. The key phrase is written below the message (repeated as often as needed) and the letters are added together to form the ciphertext, as illustrated.
One-Time Pad: Vigenère with an Infinitely Long Key
The one-time pad refers to a perfect technique of cryptography where Alice and Bob both have identical copies of a very long sheet of randomly created numbers. Claude Shannon famously proved that the one-time pad is impossible to crack. However, it is impractical to implement on a large scale and remains a theoretical benchmark that is rarely applied in practice.
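An added example (not from the slides) covering the Vigenère and one-time-pad slides together: each plaintext letter is shifted by the matching key letter (A = 0 through Z = 25), and the one-time pad is the same operation with a key drawn from a CSPRNG, as long as the message, and never reused. The message and keyword are constructed.

```php
<?php
// Added example: Vigenère encryption/decryption over A-Z, and a one-time pad built
// from it by supplying a random key as long as the message.
declare(strict_types=1);

function vigenere(string $text, string $key, bool $decrypt = false): string
{
    $key = strtoupper(preg_replace('/[^A-Za-z]/', '', $key));
    if ($key === '') {
        throw new InvalidArgumentException('key must contain letters');
    }
    $out = '';
    $k = 0;
    foreach (str_split(strtoupper($text)) as $ch) {
        if ($ch < 'A' || $ch > 'Z') {
            $out .= $ch;                        // non-letters pass through unshifted
            continue;
        }
        $shift = ord($key[$k % strlen($key)]) - ord('A');  // key letter as a shift amount
        if ($decrypt) {
            $shift = -$shift;                   // subtract the key letter instead of adding it
        }
        $out .= chr((ord($ch) - ord('A') + $shift + 26) % 26 + ord('A'));
        $k++;                                   // advance the key only on letters
    }
    return $out;
}

// A one-time pad key: one uniformly random letter per message letter, from random_int().
function one_time_pad_key(string $text): string
{
    $letters = preg_replace('/[^A-Za-z]/', '', $text);
    $key = '';
    for ($i = 0, $n = strlen($letters); $i < $n; $i++) {
        $key .= chr(random_int(0, 25) + ord('A'));
    }
    return $key;
}

$message = 'ATTACK AT DAWN';                         // constructed sample
$vig = vigenere($message, 'LEMON');                  // short keyword, repeated under the message
echo "Vigenere: $vig -> ", vigenere($vig, 'LEMON', true), "\n";

$pad = one_time_pad_key($message);                   // must be shared in advance and used once
$otp = vigenere($message, $pad);
echo "Pad: $pad\nOTP: $otp -> ", vigenere($otp, $pad, true), "\n";
```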
Modern Block Ciphers: Ciphers in the Computer Age
Block ciphers encrypt and decrypt messages by iteratively replacing a message with another scrambled message, working on 64 or 128 bits at a time. The Data Encryption Standard (DES) and its replacement, the Advanced Encryption Standard (AES), are two block ciphers still used in web encryption today.
DES illustration Pretty simple, no?
The Symmetric Key Problem: How to Exchange the Key?
All of the ciphers we have covered thus far use the same key to encode and decode, so we call them symmetric ciphers. The problem is that we have to have a shared private key. How do we share it? Over the phone? In an email? Through the regular mail? In person?
Public Key Cryptography: Solves the Problem of Key Exchange
Public key cryptography (or asymmetric cryptography) solves the problem of the secret key by using two distinct keys: a public one, widely distributed, and another one, kept private. Algorithms like the Diffie-Hellman key exchange allow a shared secret to be created out in the open, despite the presence of an eavesdropper.
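The Diffie-Hellman exchange just mentioned, as an added example (not from the slides) with toy parameters p = 23 and g = 5 that are small enough to follow by hand. Only p, g and the two public values travel in the open; each side combines the other's public value with its own private exponent and arrives at the same secret.

```php
<?php
// Added example: Diffie-Hellman arithmetic with toy parameters. Real deployments use
// primes of 2048 bits or more (or elliptic curves); p = 23 only illustrates the idea.
declare(strict_types=1);

// Modular exponentiation by repeated squaring, so intermediate values stay small.
function mod_pow(int $base, int $exp, int $mod): int
{
    $result = 1;
    $base %= $mod;
    while ($exp > 0) {
        if ($exp & 1) {
            $result = ($result * $base) % $mod;
        }
        $base = ($base * $base) % $mod;
        $exp >>= 1;
    }
    return $result;
}

$p = 23;  // public prime modulus (toy size)
$g = 5;   // public generator

$a = random_int(2, $p - 2);        // Alice's private exponent, never sent
$b = random_int(2, $p - 2);        // Bob's private exponent, never sent

$A = mod_pow($g, $a, $p);          // Alice sends A = g^a mod p in the clear
$B = mod_pow($g, $b, $p);          // Bob sends B = g^b mod p in the clear

// Eve sees p, g, A and B. Each side raises the other's public value to its own secret:
// B^a = g^(ab) = A^b (mod p), so both arrive at the same shared secret.
$aliceShared = mod_pow($B, $a, $p);
$bobShared   = mod_pow($A, $b, $p);

printf("public values: p=%d g=%d A=%d B=%d\n", $p, $g, $A, $B);
printf("Alice computes %d, Bob computes %d, equal: %s\n",
    $aliceShared, $bobShared, $aliceShared === $bobShared ? 'yes' : 'no');
```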
A Good Explanation of Public Key Encryption https://youtu.be/e5feqgyll0o
Digital Signatures: Confirming the Sender Is Authentic
A digital signature is a mathematically secure way of validating that a particular digital document was created by the person claiming to have created it (authenticity), was not modified in transit (integrity), and cannot be denied by its signer (non-repudiation). The process of signing a digital document can be as simple as encrypting a hash of the transmitted message.
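An added example (not from the slides) of the three properties above, using PHP's bundled libsodium extension. Ed25519 hashes and signs in one operation rather than literally encrypting a hash with the private key, but the checks are the same: the untouched document verifies, an altered copy is rejected, and a signature checked against someone else's public key is rejected. The document text is constructed.

```php
<?php
// Added example: detached Ed25519 signature with libsodium (PHP 7.2+ ships it).
// The signer keeps the secret key; the verifier needs only the public key.
declare(strict_types=1);

// Signer: produce a signature over the document with the private (secret) key.
function sign_document(string $document, string $secretKey): string
{
    return sodium_crypto_sign_detached($document, $secretKey);
}

// Verifier: check the signature using the signer's public key only.
function verify_document(string $document, string $signature, string $publicKey): bool
{
    return sodium_crypto_sign_verify_detached($signature, $document, $publicKey);
}

// Alice generates a key pair once; the public half is what Bob needs to verify.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

$document  = 'Transfer 100 USD to account 12345';     // constructed sample message
$signature = sign_document($document, $secretKey);

// Bob verifies the untouched document (authenticity and integrity hold)...
var_dump(verify_document($document, $signature, $publicKey));
// ...rejects a document altered in transit (integrity)...
var_dump(verify_document('Transfer 900 USD to account 12345', $signature, $publicKey));
// ...and rejects the signature when checked against a different person's key (authenticity).
$someoneElse = sodium_crypto_sign_keypair();
var_dump(verify_document($document, $signature, sodium_crypto_sign_publickey($someoneElse)));

// Only Alice's secret key could have produced a signature that verifies under her public key,
// which is what gives the signature its non-repudiation property.
sodium_memzero($secretKey);   // wipe the secret key from memory when done with it
```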
The End