book

Identity and Data Security for Web Development

by Jonathan LeBlanc, Tim Messerschmidt

June 2016

Beginner

200 pages

4h 26m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Conventions Used in This BookSafari® Books OnlineHow to Contact UsAcknowledgmentsJonathanTim
1. Introduction
The Problems with Current Security ModelsPoor Password ChoicesSecurity over UsabilityImproper Data EncryptionThe Weakest Link: Human BeingsSingle Sign-onUnderstanding Entropy in Password SecurityEntropy in Randomly Selected PasswordsEntropy in Human-Selected PasswordsBreaking Down System Usage of a Username and PasswordSecuring Our Current Standards for IdentityGood and Bad Security AlgorithmsWhat Data Should Be Protected?Account Recovery Mechanisms and Social EngineeringThe Problem with Security QuestionsNext Up
2. Password Encryption, Hashing, and Salting
Data at Rest Versus Data in MotionData at RestData in MotionPassword Attack VectorsBrute-Force AttackCreating a CAPTCHA with reCAPTCHADictionary AttacksReverse Lookup TablesRainbow TablesSaltingGenerating a Random SaltSalt ReuseSalt LengthWhere to Store the SaltPepperingChoosing the Right Password Hashing FunctionbcryptPBKDF2scryptValidating a Password Against a Hashed ValueKey StretchingRecomputing HashesNext Steps
3. Identity Security Fundamentals
Understanding Various Identity TypesSocial IdentityConcrete IdentityThin IdentityEnhancing User Experience by Utilizing IdentityIntroducing Trust ZonesBrowser FingerprintingConfigurations More Resistant to Browser FingerprintingIdentifiable Browser InformationCapturing Browser DetailsLocation-Based TrackingDevice Fingerprinting (Phone/Tablet)Device Fingerprinting (Bluetooth Paired Devices)Implementing Identity
4. Securing the Login with OAuth 2 and OpenID Connect
The Difference Between Authentication and AuthorizationAuthenticationAuthorizationWhat Are OAuth and OpenID Connect?Introducing OAuth 2.0Handling Authorization with OAuth 2.0Using the Bearer TokenAuthorization and Authentication with OpenID ConnectSecurity Considerations Between OAuth 2 and OAuth 1.0aBuilding an OAuth 2.0 ServerCreating the Express ApplicationSetting Up Our Server’s DatabaseGenerating Authorization Codes and TokensThe Authorization EndpointHandling a Token’s LifetimeHandling Resource RequestsUsing Refresh TokensHandling ErrorsAdding OpenID Connect Functionality to the ServerThe ID Token SchemaModifying the Authorization EndpointAdjusting the Token EndpointThe UserInfo EndpointSession Management with OpenID ConnectBuilding an OAuth 2 ClientUsing Authorization CodesAuthorization Using Resource Owner Credentials or Client CredentialsAdding OpenID Connect Functionality to the ClientThe OpenID Connect Basic FlowBeyond OAuth 2.0 and OpenID Connect
5. Alternate Methods of Identification
Device and Browser FingerprintingTwo-Factor Authentication and n-Factor Authenticationn-Factor AuthenticationOne-Time PasswordsImplementing Two-Factor Authentication with AuthyBiometrics as Username Instead of PasswordHow to Rate Biometric EffectivenessFace RecognitionRetina and Iris ScanningVein RecognitionUpcoming StandardsFIDO AllianceOzThe BlockchainWrap Up
6. Hardening Web Applications
Securing SessionsTypes of SessionsHow Express Handles SessionsHandling XSSThe Three Types of XSS AttacksTesting XSS Protection MechanismsConclusionCSRF AttacksHandling CSRF with csurfValuable Resources for NodeLuscaHelmetNode Security ProjectOther Mitigation TechniquesOur Findings
7. Data Transmission Security
SSL/TLSCertificate Validation Types and AuthoritiesCreating Your Own Self-Signed Certificate for TestingAsyncronous CryptographyUse CaseImplementation ExampleAdvantages, Disadvantages, and Uses of Aynchronous CryptographySynchronous CryptographyInitialization VectorPaddingBlock Cipher Modes of OperationUsing AES with CTR Encryption ModeUsing AES with with GCM Authenticated Encryption ModeAdvantages, Disadvantages, and Uses of Synchronous Cryptography
A. GitHub Repositories
B. Technical Preconditions and Requirements
On ES6/ES2015Setting Up Your Node.js EnvironmentManaging Node Versions or Alternative InstallationsInstalling the Express GeneratorSetting Up ExpressCreating and Maintaining Your package.json FileApplication ConfigurationWorking with JSON/URL-Encoded Bodies in Express

Glossary
Index

Content preview from Identity and Data Security for Web Development

Chapter 5. Alternate Methods of Identification

Tim Messerschmidt and Jonathan LeBlanc

Because of the heavy intersection between mobile devices, desktop clients, and a new breed of connected hardware out of the Internet of Things, the demand for a new class of authentication and authorization technology is on the rise. This chapter covers upcoming standards such as FIDO that enable covering multiple form factors and are able to scale beyond software-based authentication technology.

Device and Browser Fingerprinting

Next to regular authentication and authorization scenarios, device and browser fingerprinting allows for a more passive way to identify users across a big target group. Applications like Am I Unique? are broadly available and can leverage many factors in order to determine whether a user is unique.

When performing device and browser fingerprinting, the user is usually tested against some very general and broad factors—such as the device’s platform, the current browser, or whether cookies are enabled on the device—and then against more granular and subtle determinants, like the device’s resolution, time zone, the browser’s enabled plug-ins, or user agent. When Flash is enabled, services like Am I Unique? or Panopticlick are even able to obtain a list of currently installed fonts.

Eight factors can be concatenated and lead to a browser’s fingerprint (Table 5-1).

Table 5-1. Browser measurements to determine uniqueness
Variable	Obtained through
`User Agent`	HTTP

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491937006Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Identity and Data Security for Web Development

by Jonathan LeBlanc, Tim Messerschmidt

Chapter 5. Alternate Methods of Identification

Device and Browser Fingerprinting

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.