WEB AUTHENTICATION & AUTHORIZATION

INTRODUCTION
• The nature of today’s web threats is changing; current attacks are much more covert than they were in the past.

• Despite the growing array of threats, many organizations are not taking appropriate steps to safeguard their corporate networks, applications or data.

• As the number of online services grows day by day, their usage grows at the same rate.

• Users of online services have to register separately with each application, and the overhead of remembering many ID/password pairs has led to the problem of memorability.
INTRODUCTION
• Authentication is a direct need of every organization, and it is becoming paramount not only because it copes with security threats but because it deals with and develops the policies, procedures and mechanisms that provide administrative, physical and logical security.

• Whenever an individual requests access to a pool of resources, to use or update them as desired, verifying the identity of that individual is referred to as authentication.
INTRODUCTION
• In a networked environment, users are granted access to the network only when they securely provide their access information (e.g. user name and password) so that their identity can be checked and validated.
• If a person can prove who he is, and also knows something that only he could know, it is reasonable to conclude that the person is who he claims to be.
AUTHENTICATION TECHNOLOGIES
• The computer industry has created an array of identification and authentication technologies:
  - User ID/passwords
  - One-time passwords
  - Kerberos
  - Secure Sockets Layer
  - Lightweight Directory Access Protocol
  - Security Assertion Markup Language (SAML)
  - OpenID

* The technologies are detailed in blog articles!
AUTHENTICATION ATTACKS
BRUTE FORCE ATTACK
• A brute force attack is an automated process of trial and error used to guess a person’s user name, password, credit card number or cryptographic key.
• Examples:
  - Usernames: John, Admin
  - Passwords: 12345, password, letmein, admin, (pet names)
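As an added example (not part of the original slides): the same trial-and-error pattern is visible from the server side, and the script below flags it in authentication log lines, both the classic many-guesses-per-account form and the password-spraying variant (one guess against many accounts). The log format and the sample lines are constructed for the demonstration.

```python
# Added example (not from the original slides): flag brute-force login
# behaviour in authentication logs. The log format and all sample lines
# below are constructed for the demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one login attempt per line (documentation-range IPs).
SAMPLE_LOG = """\
2024-05-01T10:00:01 login result=FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:02 login result=FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:02 login result=FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:03 login result=FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:03 login result=FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:04 login result=OK user=admin ip=203.0.113.5
2024-05-01T10:00:10 login result=FAIL user=john ip=198.51.100.7
2024-05-01T10:00:11 login result=FAIL user=alice ip=198.51.100.7
2024-05-01T10:00:12 login result=FAIL user=bob ip=198.51.100.7
2024-05-01T10:00:13 login result=FAIL user=carol ip=198.51.100.7
2024-05-01T10:05:00 login result=FAIL user=dave ip=192.0.2.9
2024-05-01T10:20:00 login result=OK user=dave ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])

def detect(log_text, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """
    Return a sorted list of (ip, kind) alerts.
      "credential_guessing": at least max_failures failures from one IP inside
                             the window (the classic password brute force)
      "spraying":            failures against more than max_users distinct
                             accounts from one IP inside the window
      "success_after_failures": a success that follows such a burst, which is
                             what a correctly guessed password looks like
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures in window
    alerts = set()
    for ts, result, user, ip in parse(log_text):
        q = recent[ip]
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= max_failures:
                alerts.add((ip, "credential_guessing"))
            if len({u for _, u in q}) > max_users:
                alerts.add((ip, "spraying"))
        elif len(q) >= max_failures:
            alerts.add((ip, "success_after_failures"))
    return sorted(alerts)

if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {ip}")
```

The isolated failure from 192.0.2.9 followed by a success fifteen minutes later produces no alert, because the window has moved on by then.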
INSUFFICIENT AUTHENTICATION
• This type of attack occurs when a website permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of a web site providing access to sensitive functionality.
WEAK PASSWORD RECOVERY VALIDATION
• A website is considered to have Weak Password Recovery Validation when an attacker is able to foil the recovery mechanism being used.

• Password recovery systems may be compromised through the use of brute force attacks, inherent system weaknesses or easily guessed secret questions.
WEAK PASSWORD RECOVERY VALIDATION
• Weak methods of password recovery:
  - Password hints: a password hint aids brute force attacks, because an attacker can glean information about the user’s password from the hint provided.
  - Secret question and answer: a secret question like “Where were you born?” lets an attacker narrow a brute force attack on the secret answer to city names.
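One way to replace hints and secret questions, as an added example not taken from the slides: a recovery flow that issues a random, short-lived, single-use reset token and answers identically whether or not the account exists. The class, its in-memory store and the injectable `now` clock are constructed for the demonstration.

```python
# Added example (not from the original slides): password recovery built on a
# random reset token instead of a hint or a guessable secret question.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a reset token is valid for 15 minutes

class PasswordRecovery:
    def __init__(self, known_users, now=time.time):
        self.known_users = set(known_users)
        self.now = now              # injectable clock so expiry can be tested
        self._pending = {}          # username -> (sha256(token), expires_at)
        self.passwords = {}         # stands in for the real credential store

    def request_reset(self, username):
        """Start a reset. The message is identical whether or not the account
        exists, so the endpoint cannot be used to enumerate valid usernames.
        The raw token is returned only so the caller can e-mail it; the store
        keeps just its hash, so a leaked table cannot be replayed."""
        token = None
        if username in self.known_users:
            token = secrets.token_urlsafe(32)                 # 256 random bits
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[username] = (digest, self.now() + TOKEN_TTL_SECONDS)
        return "If that account exists, a reset link has been sent.", token

    def redeem(self, username, token, new_password):
        """Set a new password if the token is genuine, unexpired and unused."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:
            del self._pending[username]                       # expired: discard
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):        # constant-time compare
            return False                                      # token stays pending
        del self._pending[username]                           # single use
        self.passwords[username] = new_password               # real code hashes this
        return True
```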
AUTHENTICATION TECHNIQUES AND INFRASTRUCTURES
PLUGGABLE AUTHENTICATION MODULES (PAM)
• Instead of having applications handle authentication on their own, they can use the PAM API and libraries to take care of the details.
• Consistency is achieved when many applications perform the same authentication by referencing the same PAM module.
• Additionally, applications needn’t be recompiled to change their authentication behavior: just edit a PAM configuration file (transparent to the application) and you’re done.
SECURE SOCKETS LAYER (SSL)
• SSL provides cryptographically assured privacy (encryption), integrity, optional client authentication, and mandatory server authentication.
• Linux includes a popular implementation of SSL, called OpenSSL.
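An added example (not from the slides) of the “mandatory server authentication, optional client authentication” point, using Python’s `ssl` module on top of OpenSSL: the secure client context beside the weakened one to look for in code review, and a server context in both client-authentication modes. Nothing connects; `client_ca_file` is a hypothetical path.

```python
# Added example (not from the original slides): TLS contexts that make server
# authentication mandatory and client authentication optional or required.
import ssl

def client_context():
    """Client side: server authentication is mandatory (chain + hostname)."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 and TLS 1.0/1.1
    # Both are already the defaults; repeated here because they are the two
    # settings that make server authentication mandatory.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def weak_client_context():
    """What 'just make the certificate error go away' produces: no server
    authentication at all, so any certificate, including an interceptor's,
    is accepted. Shown only as the pattern to look for in code review."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def server_context(require_client_cert, client_ca_file=None):
    """Server side. Client authentication is optional (verified only if the
    client presents a certificate) or, with require_client_cert=True,
    mandatory. client_ca_file is a hypothetical path to the CA that issued
    client certificates; a real server also calls ctx.load_cert_chain(...)
    with its own certificate and key before serving."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx

def describe(ctx):
    """Summarise the authentication-relevant settings of a context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "authenticates_server": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }

if __name__ == "__main__":
    for name, ctx in [("client", client_context()), ("weak client", weak_client_context()),
                      ("server/optional", server_context(False)),
                      ("server/required", server_context(True))]:
        print(name, describe(ctx))
```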
WEB AUTHENTICATION STANDARDS
SINGLE SIGN-ON
• Single sign-on allows a user to enter a username and password only once and have access to multiple applications and environments within a session.
• Single sign-on uses centralized authentication servers, which all applications and systems use for authentication.
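The exchange behind the second bullet, as an added example that is not from the slides: the central server verifies the password once and hands back a signed, short-lived assertion bound to one application, which that application checks without ever seeing the password. The assertion layout, names and keys are constructed for the demonstration; one HMAC key shared by server and applications is used for brevity, whereas a real deployment signs with the server’s private key so that applications cannot forge assertions for each other.

```python
# Added example (not from the original slides): a minimal single sign-on
# exchange between a central authentication server and relying applications.
import base64
import hashlib
import hmac
import json
import os
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(credentials: dict) -> dict:
    """Constructed credential store: username -> (salt, pbkdf2 hash of password)."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store

class AuthServer:
    """The central authentication server that every application relies on."""
    def __init__(self, signing_key: bytes, users: dict, ttl=300, now=time.time):
        self.key, self.users, self.ttl, self.now = signing_key, users, ttl, now

    def login(self, username, password, audience):
        """Verify the password once; on success return a signed assertion for `audience`."""
        salt, expected = self.users.get(username, (b"\x00" * 16, b""))
        # Hash even for unknown users so response time does not reveal valid names.
        if not hmac.compare_digest(expected, hash_password(password, salt)):
            return None
        claims = {"sub": username, "aud": audience, "exp": int(self.now()) + self.ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

class Application:
    """A relying application: trusts the server's key and never sees the password."""
    def __init__(self, name: str, signing_key: bytes, now=time.time):
        self.name, self.key, self.now = name, signing_key, now

    def user_from(self, assertion: str):
        """Return the username if the assertion is valid for this application, else None."""
        try:
            body, sig = assertion.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None                      # forged or tampered
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None                          # malformed token
        if claims.get("aud") != self.name:
            return None                          # issued for a different application
        if claims.get("exp", 0) < self.now():
            return None                          # expired
        return claims.get("sub")
```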
OAUTH
• Open Authentication (OAuth) aims at creating an environment where information is shared securely across networks.
• Each thread, which includes devices, applications and users, is constantly authenticated and is all-pervasive.
• OAuth is a service that is complementary to, but distinct from, OpenID.
OPENID
• OpenID is a standard that simplifies signing in.
• With OpenID you use only one username and one password to log in to all websites where you have an account.
• It offers a secure way of identifying yourself on the Internet.
• Used by: Google, Flickr, Yahoo, MySpace, WordPress
