I'm doing some research about authentication protocols, specifically over Bluetooth. My system will not have an Internet connection but I want to authenticate, authorize and encrypt my communications. Are there any known protocols that I should look into? A few requirements:
- A one time authentication for the master user
- Ability to grant limited access to other users (e.g. generating a time based token)
Thank you for possible answers and suggestions.
I want to build a server using Node.js, which acts as some kind of proxy. The clients that connect to my server use NTLMv2 for authentication (there is no chance to change this), but the upstream server my server shall connect to requires a Kerberos token.
So, my question is pretty simple: How do I, using Node.js, transform the information provided by NTLMv2 into a Kerberos token? On npm, so far I have found modules for NTLMv2 authentication, but I somehow would probably need to talk to Windows to translate NTLMv2 data of a user into a token for this user.
Any hints on this, how to approach this problem?
Absolutely not! NTLM and Kerberos operate completely differently. First of all, I would highly recommend getting rid of NTLM as fast as you can.
You can solve your problem in an easy fashion if you can access C interfaces. I also assume you use MIT Kerberos on a Unix-like OS like CentOS or FreeBSD, etc.
NTLM will provide you the downlevel logon name. You need first to convert the NetBIOS domain to a DNS domain via LDAP (use libopenldap), then you can construct the Kerberos principal or the enterprise principal for your client. Then create a service account in your KDC and enable protocol transition and constrained delegation on that account for the target service. Now request a TGT on behalf of that user principal and request a service ticket for the user; voilà, you can access your Kerberos backend.
Here is a decent read: https://k5wiki.kerberos.org/wiki/Projects/Services4User
If you run HTTPd as your reverse proxy, it might handle all the magic for you with mod_auth_gssapi.
On Windows, this is a bit of a pain with the security API and SSPI, while the principal transformation comes for free with Windows. You'll need LsaLogonUser with KERB_S4U_LOGON, impersonate with that handle and then require SSPI to acquire a cred handle...
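The first step of the procedure above (downlevel logon name from NTLM, NetBIOS domain resolved to a DNS domain through the forest's crossRef objects, Kerberos principal built from the result) as an added example; this is not code from the original answer or from any library it names. The crossRef entries are a constructed stand-in for what an LDAP search of the Partitions container would return, and the rejection rules (unknown NetBIOS domain, principal separator characters in the user name) are this example's own choices.

```python
import re
from typing import Dict, Iterable, Mapping

# Constructed stand-in for the crossRef objects a proxy would read over LDAP from
# CN=Partitions,CN=Configuration,<forest root DN> with the filter
# (&(objectClass=crossRef)(nETBIOSName=*)) and attributes nETBIOSName, dnsRoot.
# The NetBIOS name need not be the first label of the DNS name (OLDLAB below),
# which is why the mapping must be looked up rather than guessed.
SAMPLE_CROSSREFS = [
    {"nETBIOSName": "CORP", "dnsRoot": "corp.example.com"},
    {"nETBIOSName": "OLDLAB", "dnsRoot": "lab.example.com"},
]

# DOMAIN\user as NTLM presents it; NetBIOS names are at most 15 characters.
# Backslash, slash, '@' and whitespace are excluded from both parts because
# '/' and '@' are separators in Kerberos principal syntax.
_DOWNLEVEL = re.compile(r"^([^\\/@\s]{1,15})\\([^\\/@\s]{1,256})$")


def netbios_table(crossrefs: Iterable[Mapping[str, str]]) -> Dict[str, str]:
    """Index crossRef entries by upper-cased NetBIOS name -> lower-cased DNS root."""
    table: Dict[str, str] = {}
    for entry in crossrefs:
        table[entry["nETBIOSName"].upper()] = entry["dnsRoot"].lower()
    return table


def downlevel_to_principal(downlevel: str, table: Mapping[str, str]) -> str:
    """Turn 'CORP\\alice' into 'alice@CORP.EXAMPLE.COM'.

    The Kerberos realm of an AD domain is its DNS name in upper case. Names that
    do not parse, carry principal separators, or name a NetBIOS domain the forest
    does not know are refused instead of being guessed at.
    """
    match = _DOWNLEVEL.match(downlevel)
    if not match:
        raise ValueError(f"not a downlevel logon name: {downlevel!r}")
    domain, user = match.groups()
    dns_root = table.get(domain.upper())
    if dns_root is None:
        raise ValueError(f"unknown NetBIOS domain {domain!r}")
    return f"{user}@{dns_root.upper()}"


if __name__ == "__main__":
    table = netbios_table(SAMPLE_CROSSREFS)
    for name in ("CORP\\alice", "oldlab\\bob"):
        print(name, "->", downlevel_to_principal(name, table))
```

The resulting principal is what the proxy would then pass to the S4U2Self request (for example `kvno -U` with MIT Kerberos) on behalf of the service account; that part needs a live KDC and is not shown here.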
If your KDC allows constrained delegation, you can set up your intermediate server to allow impersonation. This way it can establish a security context with the client in one mechanism (in your case, NTLM), and talk to the backend server on behalf of the client in another mechanism (Kerberos). Google for "constrained delegation" and "protocol transition" for more information. Hope this helps.
As I understand it, if you want your app to sign in via OAuth then you have to write separate code for each provider (Google, Twitter, etc).
And with OpenID you don't - it handles the providers for you and you just handle connecting to OpenID.
Now that OpenID has become OpenID Connect (which is a layer running on top of OAuth 2.0) if I use it would I still need to write separate code (since it relies on OAuth), or would I just need to write a single bit of code for the OpenID part and it would handle all the underlying OAuth providers?
Conceptually, OpenID is an SSO (authentication) protocol while OAuth is an authorization (access resource on behalf of the user) protocol. Practically, both seem close as the user needs to log in. OAuth supports several different flows and OpenID is built on auto-discovery (the user identifier references the identity provider). OpenID Connect is built on top of OAuth with the auto-discovery idea of OpenID (specific URL).
For these three protocols, you don't really need to write separate code for each provider; you can have some common component with customizations due to the different configuration (server URL) or attributes retrieval configuration. For OAuth, where things are a little blurry, implementations may have more substantial differences.
Taken from my experience of the pac4j security library: https://github.com/pac4j/pac4j
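The "common component with per-provider configuration" point above, as an added example that is not part of the answer and is not pac4j code: one OpenID Connect relying-party class driven entirely by a provider's discovery document. The two discovery documents are constructed stand-ins for what a provider serves at `<issuer>/.well-known/openid-configuration`; the client id and redirect URI are placeholders. The ID token claim checks follow OpenID Connect Core 3.1.3.7 and assume the JWT signature has already been verified against keys fetched from `jwks_uri`.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Constructed discovery documents for two hypothetical providers. A real client
# fetches https://<issuer>/.well-known/openid-configuration over TLS.
DISCOVERY_DOCS = {
    "idp-a": {
        "issuer": "https://idp-a.example",
        "authorization_endpoint": "https://idp-a.example/oauth2/authorize",
        "token_endpoint": "https://idp-a.example/oauth2/token",
        "jwks_uri": "https://idp-a.example/oauth2/keys",
        "response_types_supported": ["code", "id_token"],
        "code_challenge_methods_supported": ["S256"],
    },
    "idp-b": {
        "issuer": "https://login.idp-b.example/v2",
        "authorization_endpoint": "https://login.idp-b.example/v2/auth",
        "token_endpoint": "https://login.idp-b.example/v2/token",
        "jwks_uri": "https://login.idp-b.example/v2/jwks",
        "response_types_supported": ["code"],
        "code_challenge_methods_supported": ["S256", "plain"],
    },
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class OidcClient:
    """One relying-party implementation; only the discovery document changes per provider."""

    def __init__(self, discovery: Dict, client_id: str, redirect_uri: str):
        missing = [k for k in REQUIRED_KEYS if k not in discovery]
        if missing:
            raise ValueError(f"discovery document lacks {missing}")
        if "code" not in discovery.get("response_types_supported", ["code"]):
            raise ValueError("provider does not support the authorization code flow")
        self.discovery = discovery
        self.client_id = client_id
        self.redirect_uri = redirect_uri

    def build_authorization_request(self) -> Tuple[str, Dict[str, str]]:
        """Return the redirect URL plus the per-login values (state, nonce, PKCE
        verifier) the RP must keep server-side to validate the callback."""
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32)
        challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid profile email",
            "state": state,
            "nonce": nonce,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        url = self.discovery["authorization_endpoint"] + "?" + urlencode(params)
        return url, {"state": state, "nonce": nonce, "code_verifier": verifier}

    def validate_id_token_claims(self, claims: Dict, expected_nonce: str,
                                 now: Optional[int] = None, skew: int = 60) -> List[str]:
        """Claim checks applied after signature verification. Returns the list of
        problems found; an empty list means the ID token is acceptable."""
        now = int(time.time()) if now is None else now
        problems: List[str] = []
        if claims.get("iss") != self.discovery["issuer"]:
            problems.append("issuer mismatch")
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if self.client_id not in auds:
            problems.append("client_id not in aud")
        if len(auds) > 1 and claims.get("azp") != self.client_id:
            problems.append("multiple audiences but azp is not this client")
        if not isinstance(claims.get("exp"), int) or claims["exp"] + skew < now:
            problems.append("token expired")
        if not isinstance(claims.get("iat"), int) or claims["iat"] - skew > now:
            problems.append("iat in the future")
        if claims.get("nonce") != expected_nonce:
            problems.append("nonce mismatch")
        return problems
```

Swapping `DISCOVERY_DOCS["idp-a"]` for `DISCOVERY_DOCS["idp-b"]` is the only change needed to target the other provider; the state, nonce and PKCE handling stay identical, which is the practical benefit of the auto-discovery design the answer describes.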
I'm looking for a simple authentication protocol (OpenID, Active Directory, ??) for users to log into my website. It's hosted on Windows Azure. High levels of security are required. What can you recommend and why that particular choice?
Note: At this point in time I will not be using SSL so no plain-text passwords can be transmitted. I will however be transitioning to an SSL environment in the future.
Is the data that your site/service is going to be transmitting across the wire private, sensitive, proprietary, etc? If so, it is ESSENTIAL that you implement SSL in order to prevent anyone with a packet sniffer from being able to syphon data straight from the wire.
In order to perform secure authentication you will need to employ something like SSL to establish a secure communications transport over which you can request and receive a SAML (or similar) identity token from an identity provider.
If you don't use SSL to protect your communications, it's trivial for a malicious 3rd party to steal the identity token and masquerade as the authenticated user and/or to log/monitor/modify every request for any user of your system!
What are your reasons for not using SSL?
Is there any reason why I shouldn't use cookies/sessions for native mobile applications, usually used by browsers, to authenticate with my server and for subsequent API calls?
Clarification: It seems the de facto method of authentication on mobile clients is token based systems like OAuth/XAuth. Why don't traditional browser methods suffice?
This depends on your application (your threat scenario to be more exact).
Some of the most common threats are
- eavesdropping (-> should encrypt)
- man in the middle (-> must authenticate other party)
- ...what are yours? (how secure is your cookie store, ...)
A cookie at first only holds a token as proof that sometime you have successfully made an authentication. If the cookie is valid long enough or transport not encrypted, there is a good chance that someone someday will find out...
In addition you must take into account what additional security measures are in place, at first and most important SSL.
What is your authentication method (what credential does a client need to logon)? Do you have the possibility to work with authentication based on PPK infrastructure or is the communication "ad-hoc"?
EDIT
Wrt. to OpenAuth: as far as I understood the protocol, its main concern is authentication delegation. A scenario where you authorize an agent to do some very specific task on behalf of another identity. This way you don't scatter your credentials all over the web. If you have OpenAuth in place, a client can use the protocol directly, too. So why bother adding another? But OpenAuth explicitly states that with a direct client scenario you again run into security issues, as now the token is available on the device and must be protected accordingly (as you must do with your cookie).
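Both the first question's requirement of granting limited access with a time based token and the point in the answer above that a token's lifetime bounds the damage if it leaks come down to the same mechanism: a bearer token that carries its own scope and expiry under an integrity tag. The following is an added example, not code from the question, the answer, or any library; the key, subject and scope names are constructed placeholders, and the `<payload>.<tag>` layout with HMAC-SHA256 is this example's own choice.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Iterable, Optional


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, scopes: Iterable[str], ttl_seconds: int,
                now: Optional[int] = None) -> str:
    """Mint a bearer token '<payload>.<tag>': payload is base64url JSON, tag is
    HMAC-SHA256 over the payload under the issuer's key. Scope and expiry live
    inside the signed payload, so the holder cannot widen or extend them."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": subject,
        "scp": sorted(set(scopes)),
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so an individual token can be revoked
    }
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(tag)}"


def verify_token(key: bytes, token: str, required_scope: str,
                 revoked: Iterable[str] = (), now: Optional[int] = None) -> Optional[dict]:
    """Return the payload when tag, expiry, scope and revocation checks all pass,
    otherwise None. The tag is checked in constant time before the payload is
    parsed, so untrusted JSON is never decoded."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64u(tag), expected):
            return None
        payload = json.loads(_unb64u(body))
    except ValueError:  # bad split, bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    if required_scope not in payload.get("scp", []):
        return None
    if payload.get("jti") in set(revoked):
        return None
    return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed master key; persist a real one securely
    tok = issue_token(key, "guest-1", ["door:open"], ttl_seconds=300)
    print(tok)
    print(verify_token(key, tok, "door:open"))
```

A five-minute token for a guest, as in the example, still has to be protected on the device for those five minutes, which is the caveat the answer makes; what changes is that its theft buys a bounded, scoped capability rather than the master user's session.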
If RADIUS is an authentication protocol, why use Kerberos, PAP, CHAP, ...?
The Remote Authentication Dial-In User Service (RADIUS) protocol provides authentication, authorization, and accounting (AAA) for dial-in infrastructures, and it uses the same account and password to log into your company network through modem, WiFi, or a VPN tunnel. RADIUS has many carrier-grade features (the whole accounting part, for example) and is designed to operate in explicitly configured backbone networks.
But it is not well suited for PC and workstation networks and doesn't have the single-sign-on capability offered by Kerberos.
On the other hand, Kerberos provides an encrypted authentication service using shared secret keys. Kerberos can also support authentication via public key cryptography, but this is not covered by RFC 4120. Kerberos does not provide an authorization service, but Kerberos does support pass-through to other authorization services. Kerberos does not provide an accounting service.
For more information about PAP and CHAP, refer to the following URL:
http://www.zeroshell.net/eng/kerberos/
and you can refer to this URL too:
http://www.firewall.cx/ftopict-2679-.html
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a protocol for remote user authentication and accounting.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Suppose you have Vodafone or Orange Telecom operator's connectivity at your home for internet connectivity. So, you will be needing a particular user ID and password to access that.
Here the RADIUS protocol is used.
Technically, if you see the network file (.pcap file) that the Wireshark tool uses,
you will see that it contains attribute-value pairs that contain user name and password fields.
RADIUS uses CHAP passwords. So, it is more secure in terms of middle attacks.
I hope you got my point.
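The attribute-value pairs and the CHAP-Password attribute mentioned in the last answer, as an added example that is not code from any answer on this page: a small RFC 2865 codec that builds and parses an Access-Request, applies the User-Password hiding that PAP-style requests use (MD5 keystream from the shared secret and Request Authenticator, XORed over the padded password) and verifies a CHAP-Password on the server side. All packets, secrets and passwords below are constructed sample values; the `ATTR_NAMES` table covers only the attribute types the example needs.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1
# Attribute type numbers from RFC 2865 (CHAP-Challenge is section 5.40)
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
              4: "NAS-IP-Address", 60: "CHAP-Challenge"}


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(shared secret + previous cipher block), seeded with the Request Authenticator.
    This hides the password from casual observation under the shared secret; it is
    not encryption under a per-session key, which is why the transport between NAS
    and server (IPsec or RadSec) is what actually protects it."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse: regenerate the same MD5 keystream and XOR it back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes) -> Dict:
    """Decode the header and walk the attribute-value pairs, rejecting inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field disagrees with packet size")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length for type {atype}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": pkt[4:20], "attrs": attrs,
            "names": [ATTR_NAMES.get(t, f"type-{t}") for t, _ in attrs]}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier + secret + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(parsed: Dict, stored_password: bytes) -> bool:
    """Server side of CHAP-Password: recompute the response from the stored clear-text
    password. Per RFC 2865 5.3 the Request Authenticator is the challenge when no
    CHAP-Challenge attribute is present."""
    attrs = dict(parsed["attrs"])
    chap = attrs.get(3)
    if chap is None or len(chap) != 17:  # 1 octet CHAP Ident + 16 octet response
        return False
    challenge = attrs.get(60, parsed["authenticator"])
    return hmac.compare_digest(chap[1:], chap_response(chap[0], stored_password, challenge))
```

Note what each variant exposes to someone reading the wire: the PAP form yields the password to anyone who holds the shared secret and the packet, while the CHAP form needs the server to keep the clear-text password on file to recompute the response, so neither replaces transport protection; they just move where the secret has to be.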