Security

1 minute read

Security Assertion Markup Language (SAML) make SSO possible

Verification

  • Captcha
  • SSL/TLS
  • Encryption Algorithm
    • ECC (Elliptic Curve Cryptography)
    • RSA
    • Diffie-Hellmon

Digital Rights Management

  • Fairplay

Authentication

Token based

The server generates a token (using public-private keys), after verifying userid/password

  • The token contains information about the user’s permissions
  • cant save from replay attacks if the token is left on a public browser

The private key is a secret number known only to the server, while the public key is shared with others.

The public key can be used to decrypt the token and retrieve the authorization details.

Limitation. It does not protect against replay attacks or token theft (taking tokens from postman or the web developer tools)

Despite the limitations, token-based authentication is widely used due to its simplicity and efficiency.

  • By including a time-oo-live (TTL) in the token, its validity can be controlled, and logging out will render it unusable.

SSO - Single Sign-On

SAML Protocol (token generation is moved to external service)

  • The user’s credentials are checked by the external service, which then sends a token to the server.
  • The server can decrypt the token and verify the user’s permissions.

OAuth (MAjorly for Authorization )

OAuth is widely used for authentication, even though it is originally designed for authorization

  • It involves integrating external services, such as Google or GitHub, with a server.
  • The user is prompted to give permissions to the server, allowing it to access certain information from the external service, such as the user’s name or profile photo. OAuth tokens are generated, and the server can use them for authentication purposes.
  • OAuth is widely used for
  • Opposite or SSO, Authorization on external systemns

Authorization

Access Control Lists (ACL)

Lists that define the actions that can be performed on objects. ACLs are grouped together to form the access control matrix of the system.

  • User-based
  • Role-based
  • resource-based
  • group-based

Rule Engine (Leasing)

a set of rules to determine whether a user or resource has permission to perform an action

  • Secret Keys/Client Keys

Access Control List

  1. User based
  2. Role based
  3. Resource Based
  4. Group based

Object Based Group based

Protection

  • Hackers - DDOS Attacks, WAF
  • Verification
  • VPN
  • Malicious code protection

You may also enjoy