Authentication: A step to security

Here we are, continuing our discussion on authorization and authentication. If you have red my previous article then you would have known by now how important these concepts are and why these need to be implemented efficiently. But in the previous article, we only talked about them and didn't look at how to actually implement them. Cybersecurity is so vast field that we can't understand all of its complexities in one article but what we can do is we can start with some pretty basic stuff and move along to provide our application some sort of security. So in this article we'll see how can we implement authentication checks in server-client systems and specifically in web applications. But for other type of applications like desktop apps, mobile apps you can follow the same procedure although the technology would be different. Lets have a look what we are gonna learn today:-

Our Goal

Just keep aside what we are going to do for a second and think about what we actually want. We want some mechanism which can ensure that the user requesting a particular web page is actually some authenticated user. And by authenticated user we mean that our system recognizes the user. Currently we are not concerned about the actual user, we are only concerned whether the credentials supplied to our system by the user are authenticated or not. So, ideally when a malicious person has stolen one of our user's identity we should not let the thief into our system but as we talked earlier, start with some simple stuff and then move along. So just let that theif in because the credentials he is providing are authenticated.

Also we do not want to bother the user by asking for his credentials again and again for each request so we want to ensure some way of automatic login. But http being a stateless protocol, there is only one way of automatic login and that is to store some information about the connection/session on client's machine. The data stored on client machine can be stolen easily but we are not concerned with that right now. So to summarize our goal, we want to have the following features in our mechanism.

  • Authentication check for the provided credentials.
  • Provide automatic login facility by using any method.
  • Prevent Credentials theft. (optional)
  • Detect credentials theft (optional)

General Procedure

Do you think the authentication systems which the big players like google, facebook, amazon etc. implement will actually be that simple which we talked about earler. Hell No. But as we are in a learning phase we can start to build something atleast. And as every thing people build at first there needs to be step by step procedure to do that. The process i am going to tell you is not a standard so it is totally upto you to follow it. Here is a basic flow diagram of the process and following it is the description of the diagram.

  1. Check whether information(could be stored in a cookie, file or anything else) exists on client's machine or not.
  2. If not then ask for user credentials
  3. Authenticate the credentials.
  4. If credentials are authenticated then let the user in otherwise repeat step 2.
  5. If information is present then validate the information on the server.
  6. If information is not valid then delete the information and repeat step 2.
  7. If information is valid then authenticate the user based on that information.
  8. If authentication is done properly then let the user in.
  9. If error occurs while authenticating then delete the information and repeat step 2.

As you may notice, if any problem occurs we ask for user credentials no matter what. There is a lot going in the above procedure. There are some things which are not clear and you might be wondering about those things. Some of the questions coming up your mind will be :

  • What information to store ?
  • How to store the information ?
  • How to validate the information ?
  • How to authenticate the user based on that information ?

Before tackling these questions, lets limit ourselves to web applications only. So the platform on which our application can perform will be a browser. Now lets answer the questions one by one.

Answers to our Questions

As we already know the procedure to implement it, we first need to know the answers to our question and then we will move forward to see what are the potential vulnerabilities in the simple procedure and how to remove them to a greater extent.

What information to store ?

If we don't care about the security then we can simply store the user_id and password so that we can directly look these things up into our database and see if we found a match but the problem with this approach is that we are compromising our user's data security. If that information gets stolen then not only the malicious user will be able to see the data but will also be able to delete it because he has the password of the real user.

So we need to store something else. One thing we can do is whenever a user logs into the system by providing his credentials then we generate a one time token which will be stored on the clients machine and also a table entry would be made in a seprate table which holds the token, associated user_id. We can match the token in the table and if it exists we see the user to which the token belongs to and assumes that this is the user who is making the request. Some people may already have sniffed the potential vulnerability here but there is a lot we can do about it. We'll talk about all the techniques in the next part. Lets just stick to the basics here.

How to store the information ?

Speaking regarding to the web application we can store the information either in the cookie or local storage. Local storage is not cross-browser compatible and your application may work somewhere and may not somewhere. So cookies will be our primary candidate to store the information.

How to validate the information ?

Considering what is the information you are storing and what technique you are using, you can validate it differently. For example, if you are using the token technique then you can add another field in the table which holds the expire time of the token and validate whether the token has been expired or not. Or if you are using signed cookies then first you can validate whether the signature matches or not and then move forward to validate the data stored in the cookie.

How to authenticate the user based on that information ?

This also depends on the technique you are using for authentication. If you are storing the user_id and password then you can authenticate the user by finding an entry for those things in the table or if you are storing token then you can find the token in the table and check its associated user_id. Basically, you are authenticating user associated with the information you stored on client's machine.

Cookie Theft

The main concern related to store information in a cookie is about the security of the cookie. Because there is currently no simple way to distinguish 2 browsers, a server will treat the same cookie present on 2 different browsers as if they are present on one machine. So if our cookie gets stolen then we can't prevent the thief to enter into our system. But there are some javascript libraries which can generate a unique string for a unique browser and the uniqueness of the string increases as we consider more parameters while generating the string. We'll see the authentication technique in the next article and how to prevent cookie theft and what to do in case our cookie data is compromised. But first see the method using which a cookie can be stolen.

Cross Site Scripting

Using this method, an attacker can inject script into the page by some means or using redirection techniques by which he can capture the cookies related to that page. If it looks something unimaginable then there is an article which explains how you can steal someone's cookies using cross site scripting.

Packet Capture

I don't know whether you have heard of the term "packet capture" earlier or not so let me explain it. Packet capture means capturing the data traffic going through some network. Using a tool like wireshark, we can capture each and every byte of data which is sent over the connected network. This way you can actually see what page users are visiting and what headers, cookies etc are exchanged during the connection. Once you get the cookies, you can set them on your machine and voila, you have stolen the user's identity. There is another nice article on how to do that Session Hijacking

There is a lot more to what just we learnt today. Some concepts like signed cookies, encrytion, request and response headers becomes useful when we want to make our system more secure. Also there are some authentication techniques which can be used to minimize data theft but that is a whole lot to write in one article so you'll have to read the next article where we will discuss authentication techniques. You can ask anything by dropping a comment below and i'll try to solve your problem. Also, suggestions are always welcome. If you found any information misleading or wrong then please inform by commenting.

Comments

Popular posts from this blog

Understanding Python Decorators