book

Identity and Data Security for Web Development

by Jonathan LeBlanc, Tim Messerschmidt

June 2016

Beginner

200 pages

4h 26m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Conventions Used in This BookSafari® Books OnlineHow to Contact UsAcknowledgmentsJonathanTim
1. Introduction
The Problems with Current Security ModelsPoor Password ChoicesSecurity over UsabilityImproper Data EncryptionThe Weakest Link: Human BeingsSingle Sign-onUnderstanding Entropy in Password SecurityEntropy in Randomly Selected PasswordsEntropy in Human-Selected PasswordsBreaking Down System Usage of a Username and PasswordSecuring Our Current Standards for IdentityGood and Bad Security AlgorithmsWhat Data Should Be Protected?Account Recovery Mechanisms and Social EngineeringThe Problem with Security QuestionsNext Up
2. Password Encryption, Hashing, and Salting
Data at Rest Versus Data in MotionData at RestData in MotionPassword Attack VectorsBrute-Force AttackCreating a CAPTCHA with reCAPTCHADictionary AttacksReverse Lookup TablesRainbow TablesSaltingGenerating a Random SaltSalt ReuseSalt LengthWhere to Store the SaltPepperingChoosing the Right Password Hashing FunctionbcryptPBKDF2scryptValidating a Password Against a Hashed ValueKey StretchingRecomputing HashesNext Steps
3. Identity Security Fundamentals
Understanding Various Identity TypesSocial IdentityConcrete IdentityThin IdentityEnhancing User Experience by Utilizing IdentityIntroducing Trust ZonesBrowser FingerprintingConfigurations More Resistant to Browser FingerprintingIdentifiable Browser InformationCapturing Browser DetailsLocation-Based TrackingDevice Fingerprinting (Phone/Tablet)Device Fingerprinting (Bluetooth Paired Devices)Implementing Identity
4. Securing the Login with OAuth 2 and OpenID Connect
The Difference Between Authentication and AuthorizationAuthenticationAuthorizationWhat Are OAuth and OpenID Connect?Introducing OAuth 2.0Handling Authorization with OAuth 2.0Using the Bearer TokenAuthorization and Authentication with OpenID ConnectSecurity Considerations Between OAuth 2 and OAuth 1.0aBuilding an OAuth 2.0 ServerCreating the Express ApplicationSetting Up Our Server’s DatabaseGenerating Authorization Codes and TokensThe Authorization EndpointHandling a Token’s LifetimeHandling Resource RequestsUsing Refresh TokensHandling ErrorsAdding OpenID Connect Functionality to the ServerThe ID Token SchemaModifying the Authorization EndpointAdjusting the Token EndpointThe UserInfo EndpointSession Management with OpenID ConnectBuilding an OAuth 2 ClientUsing Authorization CodesAuthorization Using Resource Owner Credentials or Client CredentialsAdding OpenID Connect Functionality to the ClientThe OpenID Connect Basic FlowBeyond OAuth 2.0 and OpenID Connect
5. Alternate Methods of Identification
Device and Browser FingerprintingTwo-Factor Authentication and n-Factor Authenticationn-Factor AuthenticationOne-Time PasswordsImplementing Two-Factor Authentication with AuthyBiometrics as Username Instead of PasswordHow to Rate Biometric EffectivenessFace RecognitionRetina and Iris ScanningVein RecognitionUpcoming StandardsFIDO AllianceOzThe BlockchainWrap Up
6. Hardening Web Applications
Securing SessionsTypes of SessionsHow Express Handles SessionsHandling XSSThe Three Types of XSS AttacksTesting XSS Protection MechanismsConclusionCSRF AttacksHandling CSRF with csurfValuable Resources for NodeLuscaHelmetNode Security ProjectOther Mitigation TechniquesOur Findings
7. Data Transmission Security
SSL/TLSCertificate Validation Types and AuthoritiesCreating Your Own Self-Signed Certificate for TestingAsyncronous CryptographyUse CaseImplementation ExampleAdvantages, Disadvantages, and Uses of Aynchronous CryptographySynchronous CryptographyInitialization VectorPaddingBlock Cipher Modes of OperationUsing AES with CTR Encryption ModeUsing AES with with GCM Authenticated Encryption ModeAdvantages, Disadvantages, and Uses of Synchronous Cryptography
A. GitHub Repositories
B. Technical Preconditions and Requirements
On ES6/ES2015Setting Up Your Node.js EnvironmentManaging Node Versions or Alternative InstallationsInstalling the Express GeneratorSetting Up ExpressCreating and Maintaining Your package.json FileApplication ConfigurationWorking with JSON/URL-Encoded Bodies in Express

Glossary
Index

Content preview from Identity and Data Security for Web Development

Chapter 2. Password Encryption, Hashing, and Salting

Jonathan LeBlanc

In the first chapter you learned about the underlying concepts of password security, and the current state of the industry and standards that are employed. Let’s start putting some of that into practice as we explore the practical application of password encryption and security. To start this implementer’s approach, let’s first look at the ways that data can be transmitted and stored.

Data at Rest Versus Data in Motion

As we start to explore the concepts of data security, there are two important concepts that we should address: data in motion versus data at rest.

When we talk about data at rest, we mean the inactive (or resting) digital data that is being stored on your servers, such as the databases that you are using to store passwords, profile information, or any other details needed within your application.

When we discuss the concept of data in motion, we’re talking about any data that is in transit, being sent back and forth from an application to a database, or communication back and forth between websites and APIs or external data sources.

Data at Rest

If you’re talking about credit card environments, where you’ve got a requirement to encrypt the credit card information at rest, I think the most common method people use there is enabling encryption within the database. That’s typically about as good as it gets in terms of host-based encryption.¹

Chris Gatford, Hacklabs

Web and application developers ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491937006Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design