Lecture - 3 - Authentication and Authorization
Software Security
Hiruna De Alwis
Authentication
● Authentication is the process of verifying a user or device before allowing access to a system or resources.
● It confirms that a user is who they say they are.
● This ensures only those with authorized credentials gain access to secure systems.
● Authentication allows you to grant access to the right user at the right time with confidence.
9/8/2023
History of Authentication
● 1960s: Passwords and encryption
● 1970s: Asymmetric cryptography
○ Public-key cryptography uses a mathematically related pair of keys
○ One public and one private, to encrypt and decrypt information
● 1980s: Dynamic passwords
○ Old passwords were easily guessable
○ TOTP: Time-based One-Time Password (OTP)
○ HOTP: HMAC (Hash-based Message Authentication Code) based OTP is an event-based OTP, where the password is generated from a hash that uses an incrementing counter.
○ Dynamic passwords are often used in combination with regular passwords as one form of two-factor authentication
● Authentication methods
○ username and password
○ biometric information such as facial recognition or fingerprint scans
○ phone or text confirmations - 2FA
● Basic flow
○ Input your login credentials on a login page or username and password bar
○ The server checks those credentials against the ones saved in its database
○ If they match, the user is granted access
● Maintain a session
○ Each period during which a user can log in without having to re-authenticate is called a session
○ To keep a session open:
■ Create a token (a string of unique characters) that is tied to the account
■ Assign a cookie to the browser with the token attached
○ When the user goes to load a secure page, the app will check the token in the browser cookie and compare it to the one in its database
○ If they match, the user maintains access without having to re-enter their credentials
○ Many applications use cookies to authenticate users after the initial login (the user doesn’t want to keep signing in to their account every time)
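The token-and-cookie session flow described above, as an added example that is not from the lecture. It assumes an in-memory store (a constructed stand-in for the database), a cookie named `session`, and a one-hour session lifetime; the store keeps only a hash of the token so a copied database does not yield working cookies.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 3600  # seconds a session stays valid without re-authentication (assumed value)
# Constructed in-memory store: sha256(token) -> {"user", "expires"}; only the hash is kept,
# so a copied database does not yield working cookies.
SESSIONS: Dict[str, dict] = {}

def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(username: str, now: Optional[float] = None) -> str:
    """After a successful login: mint an unguessable token tied to the account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter or timestamp
    SESSIONS[_fingerprint(token)] = {"user": username, "expires": now + SESSION_TTL}
    return token

def set_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps the token from script, Secure keeps it off plain HTTP."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"

def user_for_cookie(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """On each request to a secure page: compare the cookie's token with the stored one; None means re-authenticate."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "session" or not value:
            continue
        key = _fingerprint(value)
        record = SESSIONS.get(key)
        if record is None:
            return None
        if record["expires"] <= now:
            del SESSIONS[key]  # expired: drop it so it cannot be replayed later
            return None
        return record["user"]
    return None

def logout(token: str) -> None:
    """Server-side invalidation; clearing the browser cookie alone would leave the token usable."""
    SESSIONS.pop(_fingerprint(token), None)
```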
● HTTP (Hypertext Transfer Protocol) is the set of rules for transferring files such as text, images, sound, video and other multimedia files over the web
● RFC 2616 (HTTP) & RFC 7540 (HTTP/2) ...
● HTTP status codes …
● HTTPS is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user HTTP page requests as well as the pages that are returned by the web server
● Features of HTTPS …
● With HTTP Basic Authentication, the username and password are sent in every request. Although they are encoded with Base64, this does not add any security, since they can be decoded easily
● Most configurations of Basic Authentication do not implement protection against password brute forcing. For external-facing systems, this may pose a heightened risk, as anyone on the internet can attempt to brute force passwords for weeks, months, or years
● Logout functionality is not supported. Although there are workarounds for this, they are not supported by all browsers
● Passwords cannot be easily reset. If a user loses their credentials, they should be able to reset their password immediately. This is not possible in most Basic Authentication implementations
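The first two points above (Base64 is reversible, and brute forcing is usually unthrottled), as an added example that is not part of the lecture: the header is decoded exactly as any observer could decode it, and a per-account lockout is the kind of protection a deployment has to add itself. The threshold, lockout period and plaintext `users` table are constructed demo values.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

def basic_header(user: str, password: str) -> str:
    """What the browser sends on every request: Base64 of "user:password" (encoding, not encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode the Authorization header; anyone who can read the request can do the same."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

# Constructed lockout policy (assumed values): after MAX_FAILURES wrong passwords for an account,
# refuse attempts for LOCKOUT_SECONDS. Most Basic Auth deployments have nothing like this.
MAX_FAILURES, LOCKOUT_SECONDS = 5, 900
_failures: Dict[str, Tuple[int, float]] = {}  # user -> (count, time of first failure in window)

def is_locked(user: str, now: float) -> bool:
    count, first = _failures.get(user, (0, now))
    return count >= MAX_FAILURES and now - first < LOCKOUT_SECONDS

def record_failure(user: str, now: float) -> None:
    count, first = _failures.get(user, (0, now))
    if now - first >= LOCKOUT_SECONDS:  # window expired: start a new one
        count, first = 0, now
    _failures[user] = (count + 1, first)

def authenticate(header: str, users: Dict[str, str], now: float) -> Optional[str]:
    """Return the username on success; None on a bad header, wrong password, or active lockout.
    `users` is a constructed plaintext table for the demo; real systems store password hashes."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    if is_locked(user, now):
        return None
    if hmac.compare_digest(users.get(user, "").encode(), password.encode()):
        _failures.pop(user, None)  # success clears the failure window
        return user
    record_failure(user, now)
    return None
```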
Identity Federation
● Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials
○ A username and password to access multiple applications
○ SSO can be used by enterprises, small and midsize organizations, and individuals to ease the management of multiple credentials
● Use HTTPS to guarantee confidentiality and integrity
● Advantages
○ Simplicity, Increased Productivity, Improved Security, Decreased IT Costs
● Drawbacks
○ Single point of failure, ID federation
OpenID
How OpenID works
1. End user navigates to a website or web application via a browser
2. End user clicks sign-in and types their username and password
3. The RP (Client) sends a request to the OpenID Provider (OP)
4. The OP authenticates the User and obtains authorization
5. The OP responds with an Identity Token and usually an Access Token.
6. The RP can send a request with the Access Token to the User device
7. The UserInfo Endpoint returns Claims about the End-User
Kerberos
● Protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet
● Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users
● In Kerberos, an authentication server and a database are used for client authentication. Kerberos runs as a trusted third-party server known as the Key Distribution Center (KDC). Each user and service on the network is a principal
● Workflow .. (https://www.geeksforgeeks.org/kerberos/)
● Applications:
○ User Authentication, Single Sign-On (SSO), Mutual Authentication, Authorization, Network Security
Authorization
● Authorization is the process in which a person’s or user’s authorities are checked before they access resources
● Determines what permissions the user has (users or persons are validated)
● Done after the authentication process
● Needs the user’s privilege or security levels
Authentication vs Authorization
● Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource
● In the authentication process, users or persons are verified. In the authorization process, users or persons are validated.
● The user authentication is visible at the user end. The user authorization is not visible at the user end
● In authentication, the user or computer has to prove its identity to the server or client
● Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access
● Authentication does not determine what tasks the individual can do or what files the individual can see. Authentication merely identifies and verifies who the person or system is
● Authentication Ex:
○ Employees in a company are required to authenticate through the network before accessing their company email
● Authorization Ex:
○ After an employee successfully authenticates, the system determines what information the employees are allowed to access
● In some cases, there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.
Privileges
● The concept of user privileges is based upon restricting access to functionality within the application to various classes of users
○ Visitors, or anonymous users
○ Registered and authenticated users
○ Administrative users
● Ex: User role based access controlling
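Role-based access control over the three user classes above, as an added example that is not from the lecture. It assumes the classes form a hierarchy (each role may do what the roles below it may do), a constructed policy table mapping actions to a minimum role, and default deny for any action the table does not list; the authorization check runs after authentication has already produced the `User`.

```python
from functools import wraps
from typing import Optional

# The lecture's three classes of users, ordered from least to most privilege (the hierarchy is an
# assumption of this example: each role may do everything the roles below it may do).
ROLES = ("visitor", "registered", "admin")

# Constructed policy table: action -> minimum role. Anything not listed is denied (default deny).
POLICY = {
    "view_public_page": "visitor",
    "read_own_profile": "registered",
    "delete_user": "admin",
}

class User:
    """Result of authentication: who the caller is and which class they belong to."""
    def __init__(self, name: Optional[str], role: str):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.name, self.role = name, role

ANONYMOUS = User(None, "visitor")  # an unauthenticated visitor

def is_allowed(user: User, action: str) -> bool:
    """Authorization check, run after authentication: does this user's class reach the minimum?"""
    required = POLICY.get(action)
    if required is None:
        return False
    return ROLES.index(user.role) >= ROLES.index(required)

def requires(action: str):
    """Decorator that enforces the policy before the handler runs, so no handler can forget the check."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(actor: User, *args, **kwargs):
            if not is_allowed(actor, action):
                raise PermissionError(f"{actor.name or 'anonymous'} may not {action}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorate

@requires("read_own_profile")
def read_profile(actor: User) -> dict:
    return {"name": actor.name, "role": actor.role}

@requires("delete_user")
def delete_user(actor: User, target: str) -> str:
    return f"{target} deleted by {actor.name}"
```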
Thanks!
Contact:
Hiruna De Alwis
hiruna@effectivesolutions.lk