
Authentication: A step to security

Here we are, continuing our discussion on authorization and authentication. If you have read my previous article then you already know how important these concepts are and why they need to be implemented carefully. But in the previous article we only talked about them and didn't look at how to actually implement them. Cybersecurity is such a vast field that we can't understand all of its complexities in one article, but what we can do is start with some pretty basic stuff and build on it to give our application some sort of security. So in this article we'll see how we can implement authentication checks in client-server systems, and specifically in web applications. For other types of applications, like desktop apps and mobile apps, you can follow the same procedure, although the technology will be different. Let's have a look at what we are going to learn today:

Our Goal

Just set aside what we are going to do for a second and think about what we actually want. We want some mechanism which can ensure that the user requesting a particular web page is actually an authenticated user. By authenticated user we mean that our system recognizes the user. Currently we are not concerned about the actual person; we are only concerned with whether the credentials supplied to our system are authenticated or not. So, ideally, when a malicious person has stolen one of our user's identities we should not let the thief into our system, but as we said earlier, we start with some simple stuff and then move along. For now we just let that thief in, because the credentials he is providing are authenticated.

Also, we do not want to bother the user by asking for his credentials again and again for each request, so we want some way of automatic login. But HTTP being a stateless protocol, there is only one way to get automatic login, and that is to store some information about the connection/session on the client's machine. The data stored on the client machine can be stolen easily, but we are not concerned with that right now. So, to summarize our goal, we want our mechanism to have the following features:

  • Authentication check for the provided credentials.
  • Automatic login facility, by any method.
  • Prevent credential theft (optional).
  • Detect credential theft (optional).

General Procedure

Do you think the authentication systems which the big players like Google, Facebook, Amazon etc. implement are actually as simple as what we talked about earlier? Hell no. But as we are in a learning phase we can at least start to build something. And, as with everything people build at first, there needs to be a step by step procedure to do it. The process I am going to describe is not a standard, so it is totally up to you whether to follow it. Here is a basic flow diagram of the process, followed by a description of the diagram.

  1. Check whether information (which could be stored in a cookie, a file or anything else) exists on the client's machine or not.
  2. If not, then ask for user credentials.
  3. Authenticate the credentials.
  4. If the credentials are authenticated then let the user in, otherwise repeat step 2.
  5. If information is present, then validate the information on the server.
  6. If the information is not valid, then delete the information and repeat step 2.
  7. If the information is valid, then authenticate the user based on that information.
  8. If authentication succeeds, then let the user in.
  9. If an error occurs while authenticating, then delete the information and repeat step 2.

As you may notice, if any problem occurs we ask for user credentials, no matter what. There is a lot going on in the above procedure, and some things are not yet clear. Some of the questions coming to your mind will be:

  • What information to store?
  • How to store the information?
  • How to validate the information?
  • How to authenticate the user based on that information?

Before tackling these questions, let's limit ourselves to web applications only. So the platform on which our application runs will be a browser. Now let's answer the questions one by one.

Answers to our Questions

We already know the procedure, so we first need the answers to our questions; then we will move on to see what the potential vulnerabilities in this simple procedure are and how to remove them to a greater extent.

What information to store?

If we didn't care about security, we could simply store the user_id and password so that we can look them up directly in our database and see if there is a match. The problem with this approach is that we are compromising our user's data security. If that information gets stolen, then the malicious user will not only be able to see the data but will also be able to delete it, because he has the password of the real user.

So we need to store something else. One thing we can do is this: whenever a user logs into the system by providing his credentials, we generate a one-time token which is stored on the client's machine, and we also make an entry in a separate table which holds the token and the associated user_id. On each request we look the token up in that table; if it exists we see which user the token belongs to and assume that this is the user who is making the request. Some people may already have sniffed out the potential vulnerability here, but there is a lot we can do about it. We'll talk about all the techniques in the next part. Let's just stick to the basics here.

How to store the information?

For a web application we can store the information either in a cookie or in local storage. Local storage is not cross-browser compatible, so your application may work in some browsers and not in others. So cookies will be our primary candidate for storing the information.

How to validate the information?

Depending on what information you are storing and which technique you are using, you validate it differently. For example, if you are using the token technique then you can add another field to the table which holds the expiry time of the token, and check whether the token has expired or not. Or, if you are using signed cookies, then you first validate whether the signature matches, and only then move on to validate the data stored in the cookie.

How to authenticate the user based on that information?

This also depends on the technique you are using for authentication. If you are storing the user_id and password, then you authenticate the user by finding an entry for them in the table; if you are storing a token, then you find the token in the table and read its associated user_id. Basically, you are authenticating the user associated with the information you stored on the client's machine.
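As an added example (not code from the article), here is the token approach from the answers above run through the nine-step flow, with the token table holding an expiry time and the cookie carrying an HMAC signature that is checked before the table lookup. The signing key, salt, user table and token table are constructed in-memory stand-ins for a real database.

```python
import hashlib, hmac, secrets, time

# Constructed for this example: a server-side signing key and two in-memory
# "tables" standing in for the user table and the token table of the article.
SECRET_KEY = b"constructed-demo-key-replace-in-production"
SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 50_000)}
TOKENS = {}  # token -> {"user_id": str, "expires": float}

def check_credentials(user_id, password):
    """Step 3: compare the supplied password with the stored hash."""
    stored = USERS.get(user_id)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)
    return stored is not None and hmac.compare_digest(stored, candidate)

def issue_token(user_id, now, ttl=3600):
    """Random token recorded with its owner and its expiry time."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user_id": user_id, "expires": now + ttl}
    return token

def sign_cookie(token):
    """Signed cookie: the token plus an HMAC so tampering is detectable."""
    mac = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"

def validate_cookie(cookie, now):
    """Steps 5-7: check the signature, then look the token up and check expiry."""
    token, sep, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        return None
    entry = TOKENS.get(token)
    if entry is None or entry["expires"] <= now:
        TOKENS.pop(token, None)  # steps 6 and 9: drop stale or unknown tokens
        return None
    return entry["user_id"]

def handle_request(cookie=None, credentials=None, now=None):
    """One request through the nine-step flow. Returns (status, user_id, cookie)."""
    now = time.time() if now is None else now
    if cookie is not None:                      # step 1: information present?
        user_id = validate_cookie(cookie, now)
        if user_id is not None:                 # steps 7-8: valid, let the user in
            return ("ok", user_id, cookie)
        # invalid cookie: the client should delete it; fall through to step 2
    if credentials is None or not check_credentials(*credentials):
        return ("login_required", None, None)   # steps 2-4: ask for credentials again
    token = issue_token(credentials[0], now)
    return ("ok", credentials[0], sign_cookie(token))
```

A tampered or expired cookie never reaches the user lookup; it is discarded and the flow falls back to asking for credentials, exactly as steps 6 and 9 require.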

Cookie Theft

The main concern with storing information in a cookie is the security of the cookie itself. Because there is currently no simple way to distinguish two browsers, a server will treat the same cookie presented by two different browsers as if it came from one machine. So if our cookie gets stolen, we can't prevent the thief from entering our system. There are, however, some JavaScript libraries which can generate a unique string for a given browser, and the uniqueness of the string increases as we consider more parameters while generating it. We'll see the authentication technique in the next article, along with how to prevent cookie theft and what to do in case our cookie data is compromised. But first, let's see the methods by which a cookie can be stolen.

Cross Site Scripting

Using this method, an attacker injects a script into the page by some means, or uses redirection techniques, so that the script can read the cookies belonging to that page. If this sounds unimaginable, there is an article which explains how cookies can be stolen using cross site scripting.

Packet Capture

I don't know whether you have heard the term "packet capture" before, so let me explain it. Packet capture means capturing the data traffic going through some network. Using a tool like Wireshark, we can capture each and every byte of data which is sent over the connected network. This way you can actually see what pages users are visiting and what headers, cookies etc. are exchanged during the connection. Once someone gets the cookies, they can set them in their own browser and, voila, they have taken over the user's identity. There is another nice article on how this works: Session Hijacking.

There is a lot more to this than what we learnt today. Concepts like signed cookies, encryption, and request and response headers become useful when we want to make our system more secure. There are also some authentication techniques which can be used to minimize data theft, but that is too much to write in one article, so you'll have to read the next article, where we will discuss authentication techniques. You can ask anything by dropping a comment below and I'll try to solve your problem. Also, suggestions are always welcome. If you found any information misleading or wrong, then please let me know by commenting.
