web server – HTTP authentication with public/private key pair

I’m looking for a way to authenticate clients/users at a web server with public/private key pairs and already read this question:
Public key authentication or similar over HTTP/HTTPS? The answers are similiar to everything I found on the web. In short: “If you want public key authentication via HTTPS, use SSL client certificates”.

However, I’m looking for a solution which is as simple and secure as SSH authentication with public/private keys. My problem with SSL client certificates is, that you need a CA and this makes a big difference from a security point of view, imho.

Here is why: If attackers steal your CA’s private key, they are able to authenticate with any user, because they can sign their own client certificates. In the case of SSH, if attackers steal a user’s private key, they can only authenticate as this single user.

So in conclusion I have to make sure that my CA is secured and the best way is to have a dedicated system / computer serving as CA. This means significantly higher effort and higher costs.


Considering security I think it’s arguable which mechanism is better. But I think if public key authentication is sufficient for SSH access, it should also apply to web application authentication. Also notice, that I only want to use public/private key as an addition to my existing HTTP basic (user/password) authentication in order to increase security. Actually, my goal was to increase security by a second factor with minimal effort and without requiring the users to use token generators.

authentication – What is the suggested best practice for changing a users email address?

I recently jumped onto the hypetrain for an unnamed e-mail service and am currently on my way to update all my accounts on various websites to get most of my (future) data off googlemail.

During this adventure I came across a couple user-flows of changing your e-mail address which I would like to share (amounts like “many” or “a few” a purely subjective, I did not count):

1. No questions asked

E-mail address is just changed without any confirmation-mails, second password check or spellchecking (two input fields). The e-mail adress is the main login method to this account with some sensitive data. Any person with malicous intend will not be stopped from taking over my account if they change the email adress and after that my password.

2. Confirmation of new email

What I feel like the method used by most platforms: You will receive a confirmation email to the new address you provide. This will assure you typed in the e-mail correctly, will not stop anyone from changing the main login method though.

3. Confirmation through old address

Very few platforms send an email to the old address to check if I am the actual owner of this account. If I click the link in the mail or enter a number they send me, the adress is changed.

4. Confirmation through old and of new address

Just once I had to confirm with my old address that I am the owner of the account and got another email to the new address to check if it does indeed exist.

Looking back at it, it feels like the usual UX vs security conflict. While method 1 provides the most comfortable flow, I see the most issues with it as already pointed out.
Having to confirm the old address and the new one is kind of a hassle but from the methods pointed out the best way to keep the account of your users in their own hands.

Are there other common methods I am not aware of and what is generally considered best practice?

vulnerability – Vulnerabilities in Lorawan authentication

i’m reasearching some best practices in authentication techniques for IoT enabled environemnts and i’m looking for vulnerabilities in well-known protocols.
About LoraWan i’ve read that we have 2 main methods of authentication: OOTA and ABP.

I’ve found that in ABP authentication method we have a vulnerability that allows replay attack and in OOTA there is the possibility to sniff the exchanged keys over the MCU <-> Radio channel.

I think that there are more vulnerabilities but i can’t find anything more around.

authentication – Would a JWT token in the database provide extra security?

What I’ve been doing:

I’ve been working on creating a HttpOnly cookie to prevent cross-site request forgery (CSRF). I’ve had trouble creating a HttpOnly Cookie on a POST(login) request. I did find an alternative solution where I can res.send(token) then in my store where my token is sent I can call a GET route along with a query parameter of my token so I can create a cookie. This does expose the token and inexperienced users can just paste the link and have access to the account without the username/password.

Unique Token Authentication:

I did theory craft an idea that I’m honestly not sure if it can work which Is why I’m asking here.

  1. In the GET request where the token parameter is sent. Firstly it would be important to check if the token is legitimate which JWT can already do with verify. If not we don’t do anything

  2. If the token is legitimate then use the tokens payload (in this case the ID#) to put on the SQL query.

  3. Then we check if there are results match the original encrypted token. If not then the token is legitimate and the cookie may be created along with doing a SQL query to store that token.

  4. If the user logs out then we deleted the token on the database and cookie on the frontend

Issues:

I think there might be some issues with if you want to expire something because there can be expiration set on the jwt and cookie but the database may need to be in sync with those. (Maybe issues with refresh tokens too?)

Conclusion:

Not sure if this is viable or not but please let me know if I haven’t taken into account something or if this is even a good idea to begin with.

security – What is a recommended authentication architecture for a front GUI app that I want to control but that will be used by others to control their servers?

The general architecture you pose makes sense. I think if I were going to do it, the main tweak I would make would be to completely hide the interactions with the on-prem controller behind an API backplane. So, something, perhaps, like this:

                            .......
       (GUI)   -----------> |     |      .-> (Audit Database)
                            |     |     /
       (Webapp) ----------> | API | ----
                            |     |     .-> { Message Queue } ----> (On-Prem Controller) ---> { Managed Resources }
       (Mobile) ----------> |     |
                            .......
                               |
                               |
                               v
                    (OAuth / OIDC Provider)

By removing the desktop app’s ability to talk directly to the controller, you plug a potential security hole by allowing everything to remain cleanly separated. Also by wrapping everything in an API you can apply consistent security rules to who is allowed which operations and you can maintain an audit of what was sent by whom and when. It also allows you to plug in additional interfaces later, should the requirement ever come up.

Another advantage is that the message queue could be either push or pull. The advantage to having the on-prem controller poll for commands is that it allows you to have a firewall in between them without forcing the client data center to open any ports.

As you’ve mentioned in your post, being very strict on security is imperative to minimize the risk to which you are exposing your potential customers, so think that model through thoroughly.

Good luck!

multi factor – Does mobile biometric authentication count as Knowledge, Possession, or Inherence authentication

Apple claims in this year’s WWDC that Face ID and Touch ID count for both Possession and Inherence identity factors, because they are using Biometrics (Inherence) to access the secure element on your phone (Possession) to retrieve a unique key. See here: https://developer.apple.com/videos/play/wwdc2020/10670/

I think both claims are a stretch. For Inherence, yes, you have proved to iOS that the person who set up Face ID is again using the phone, and therefore given access to the secure key. So iOS can claim Inherence. But your app has no proof that the human possessing the phone is actually your user. Hence my app considers mobile local authentication merely a convenient Knowledge factor–a shortcut for your username and password that resolves common credential problems like human forgetfulness.

As for Possession, again, I think the claim is a stretch unless before writing the unique key to the phone’s secure element you somehow prove that the possessor of the phone is your actual intended user. I suppose if you enable Face ID login immediately after account creation you can have this proof–the brand-new user gets to declare this is their phone like they get to choose their username and password. But on any login beyond the first you would have to acquire proof of Possession using an existing factor before you could grant a new Possession factor. Else a fraudster who steals credentials can claim their phone is a Possession factor by enabling Face ID; a situation made extra problematic by Apple’s claim that Face ID also counts as Inherence!

Am I wrong in this assessment? Which of Knowledge, Possession, and Inherence should an app developer grant mobile local biometric authentication?

authentication – In an Arm TrustZone based Trusted Application (TA), how can a remote party tie an output to a particular TA?

I’ve been looking at the following figure which shows, with Arm TrustZone architecture, resources of a system can be divided into a Rich Execution Environment (REE) and a Trusted Execution Environment (TEE).

enter image description here

Here I’m trying to understand the following: Suppose a remote party wants a particular trusted application (TA) running in TEE to do some computation on his input. How can this remote party be ensured that the computation is actually done by the correct TA ?

authentication – Not able to connect through SharePoint Designer

To troubleshooting, this issue, follow the below steps:

  1. Close all SharePoint Designer
  2. Add your site into IE Trusted Sites,
  3. then re-open your site using SharePoint Designer.

Also, you can try to clear SharePoint Designer 2013 cache, then test again, compare the result.

About clearing SharePoint Designer cache:

How to Clear Your SharePoint Designer 2010/2013 Cache

Reference:

Unable To Connect SharePoint Designer to SharePoint Online Sites