book

Identity and Data Security for Web Development

by Jonathan LeBlanc, Tim Messerschmidt

June 2016

Beginner

200 pages

4h 26m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Conventions Used in This BookSafari® Books OnlineHow to Contact UsAcknowledgmentsJonathanTim
1. Introduction
The Problems with Current Security ModelsPoor Password ChoicesSecurity over UsabilityImproper Data EncryptionThe Weakest Link: Human BeingsSingle Sign-onUnderstanding Entropy in Password SecurityEntropy in Randomly Selected PasswordsEntropy in Human-Selected PasswordsBreaking Down System Usage of a Username and PasswordSecuring Our Current Standards for IdentityGood and Bad Security AlgorithmsWhat Data Should Be Protected?Account Recovery Mechanisms and Social EngineeringThe Problem with Security QuestionsNext Up
2. Password Encryption, Hashing, and Salting
Data at Rest Versus Data in MotionData at RestData in MotionPassword Attack VectorsBrute-Force AttackCreating a CAPTCHA with reCAPTCHADictionary AttacksReverse Lookup TablesRainbow TablesSaltingGenerating a Random SaltSalt ReuseSalt LengthWhere to Store the SaltPepperingChoosing the Right Password Hashing FunctionbcryptPBKDF2scryptValidating a Password Against a Hashed ValueKey StretchingRecomputing HashesNext Steps
3. Identity Security Fundamentals
Understanding Various Identity TypesSocial IdentityConcrete IdentityThin IdentityEnhancing User Experience by Utilizing IdentityIntroducing Trust ZonesBrowser FingerprintingConfigurations More Resistant to Browser FingerprintingIdentifiable Browser InformationCapturing Browser DetailsLocation-Based TrackingDevice Fingerprinting (Phone/Tablet)Device Fingerprinting (Bluetooth Paired Devices)Implementing Identity
4. Securing the Login with OAuth 2 and OpenID Connect
The Difference Between Authentication and AuthorizationAuthenticationAuthorizationWhat Are OAuth and OpenID Connect?Introducing OAuth 2.0Handling Authorization with OAuth 2.0Using the Bearer TokenAuthorization and Authentication with OpenID ConnectSecurity Considerations Between OAuth 2 and OAuth 1.0aBuilding an OAuth 2.0 ServerCreating the Express ApplicationSetting Up Our Server’s DatabaseGenerating Authorization Codes and TokensThe Authorization EndpointHandling a Token’s LifetimeHandling Resource RequestsUsing Refresh TokensHandling ErrorsAdding OpenID Connect Functionality to the ServerThe ID Token SchemaModifying the Authorization EndpointAdjusting the Token EndpointThe UserInfo EndpointSession Management with OpenID ConnectBuilding an OAuth 2 ClientUsing Authorization CodesAuthorization Using Resource Owner Credentials or Client CredentialsAdding OpenID Connect Functionality to the ClientThe OpenID Connect Basic FlowBeyond OAuth 2.0 and OpenID Connect
5. Alternate Methods of Identification
Device and Browser FingerprintingTwo-Factor Authentication and n-Factor Authenticationn-Factor AuthenticationOne-Time PasswordsImplementing Two-Factor Authentication with AuthyBiometrics as Username Instead of PasswordHow to Rate Biometric EffectivenessFace RecognitionRetina and Iris ScanningVein RecognitionUpcoming StandardsFIDO AllianceOzThe BlockchainWrap Up
6. Hardening Web Applications
Securing SessionsTypes of SessionsHow Express Handles SessionsHandling XSSThe Three Types of XSS AttacksTesting XSS Protection MechanismsConclusionCSRF AttacksHandling CSRF with csurfValuable Resources for NodeLuscaHelmetNode Security ProjectOther Mitigation TechniquesOur Findings
7. Data Transmission Security
SSL/TLSCertificate Validation Types and AuthoritiesCreating Your Own Self-Signed Certificate for TestingAsyncronous CryptographyUse CaseImplementation ExampleAdvantages, Disadvantages, and Uses of Aynchronous CryptographySynchronous CryptographyInitialization VectorPaddingBlock Cipher Modes of OperationUsing AES with CTR Encryption ModeUsing AES with with GCM Authenticated Encryption ModeAdvantages, Disadvantages, and Uses of Synchronous Cryptography
A. GitHub Repositories
B. Technical Preconditions and Requirements
On ES6/ES2015Setting Up Your Node.js EnvironmentManaging Node Versions or Alternative InstallationsInstalling the Express GeneratorSetting Up ExpressCreating and Maintaining Your package.json FileApplication ConfigurationWorking with JSON/URL-Encoded Bodies in Express

Glossary
Index

Content preview from Identity and Data Security for Web Development

Chapter 7. Data Transmission Security

Jonathan LeBlanc

In Chapter 2, we discussed at length the protection of identification and account security through the use of proper hashing and salting techniques. Even though account security is vitally important to any system, what about security for any data that is being transmitted from one party to another, as that data might be sensitive in nature or contain privileged user information?

In this chapter, we explore numerous data-security techniques that are designed to protect data in motion, or better said, data that is moving between parties. We’ll look at a few of these techniques in depth:

SSL secure data transmission
Asymmetric key cryptography, better known as public/private key encryption
Symmetric key encryption, better known as shared secret encryption

Let’s start out by exploring our ideal secure scenario.

SSL/TLS

In an ideal scenario, when working with data security as web developers, Secure Sockets Layer (SSL) is the mechanism that you should be targeting as your data security standard for a user. If you’re not familiar with how it works, you’ll be familiar with seeing the effect of an SSL certificate being used on websites that you visit, Figure 7-1, for example shows the expanded certificate information for https://www.google.com.

SSL certificate information on google.com

SSL, and its successor, Transport Layer ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491937006Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Identity and Data Security for Web Development

by Jonathan LeBlanc, Tim Messerschmidt

Chapter 7. Data Transmission Security

SSL/TLS

Figure 7-1. SSL certificate on Google

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.