RESTful Security
3 likes1,430 views
This document provides resources related to password strength, encryption, and authentication standards. It includes links to sites about password checking, installing unlimited strength Java encryption, the Bouncy Castle cryptography library, and stateless client-side session management. It also contains a table comparing different authentication protocols, listing their name, description, date created, and key aspects.
RESTful Security
- 29. Resources • Great password strength check: http://www.passwordmeter.com • User higher encryption rates are stronger (note Java blocks 256bit encryption out of the box due to US export regulations!) To use unlimited strength encryption you need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your version of Java: • http://www.oracle.com/technetwork/java/javase/tech/index- jsp-136007.html#UnlimitedDownload • http://www.oracle.com/technetwork/java/javase/downloads/index.html • http://www.oracle.com/technetwork/java/archive-139210.html • Bouncy Castle: http://www.bouncycastle.org/ • Stateless: http://www.isecpartners.com/files/web-session-management.pdf (section 5D has a good client-side session mechanism)
- 30. AD Active Directory http://en.wikipedia.org/wiki/ 2000 Microsoft specific implementation of LDAP, based on Novell eDirectory. Active_Directory Utilizes Kerberos-based authentication. CAS Centralized http://en.wikipedia.org/wiki/ 2004 Centralized nature. Potentially unstable - 36 releases on Jasig CAS in the Authentication Central_Authentication_Service last 2 years (2/09 - 12/10) Service" GSSAPI Generic Security http://en.wikipedia.org/wiki/ 1993 An API API that is honored by other technologies. Anticipating new Services Generic_Security_Services_Applicati security mechanisms, the GSSAPI includes a negotiating pseudo on_Program_Interface mechanism, SPNEGO, that can discover and use new mechanisms not present when the original application was built. HTTP Auth HTTP http://en.wikipedia.org/wiki/ 1996 Basic access authentication is a method designed to allow a web browser, Authentication HTTP_authentication or other client program, to provide credentials – in the form of a user name and password – when making a request. Open, but most browsers support via pop-up.
- 31. HTTPS HTTP Secure http://en.wikipedia.org/wiki/Https 1994 A combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server. JAAS Java Authentication http://en.wikipedia.org/wiki/ 2001 JAAS defines a framework for subject-based authentication and and Authorization Java_Authentication_and_Authorizatio authorization in a pluggable manner, decoupling applications from underlying Service n_Service security implementations. Java specific. Kerberos Kerberos http://en.wikipedia.org/wiki/Kerberos_ 1980's Created by MIT. Key aim is for trusted computers on an untrusted network. %28protocol%29 Both User and Server identity are handled. Centralized nature.
- 32. LDAP Lightweight http://en.wikipedia.org/wiki/Ldap 1980's Flexible data store. Originally an alternate protocol to access X.500 directory Directory Access services. This is a heavyweight with a complex data structure. Protocol NTLM NT Lan Manager http://en.wikipedia.org/wiki/NTLM 1980's Microsoft specific, weak encryption. While Kerberos has replaced NTLM as the default authentication protocol in an Active Directory based single sign-on scheme, NTLM is still widely used in situations where a domain controller is not available or is unreachable. OAuth Open Authorization http://en.wikipedia.org/wiki/Oauth 2006 OAuth lets you authorize one website – the consumer – to access your data from another website – the provider. Open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically username and password. Worth watching as major players are investing in this, though there is some controversy to be explored. On April 23, 2009, a security flaw in the 1.0 protocol was announced. Facebook's new Graph API only supports OAuth 2.0. Oauth 2.0 is currently not final.
- 33. OpenID OpenID http://en.wikipedia.org/wiki/Openid 2005 Open Id gives you one login for multiple sites. An open standard that describes how users can be authenticated in a decentralized manner, obviating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Providers include AOL, BBC,Facebook, Google,IBM, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!. PAM Pluggable http://en.wikipedia.org/wiki/ 1996 Fragmented, each implementation has gone in a different direction. The Authentication Pluggable_Authentication_Modules XSSO standard differs from both the original RFC, and from the Linux and Modules Sun APIs — from most other implementations. Despite PAM being part of the X/Open Single Sign-on (XSSO) standard, PAM on its own cannot implement Kerberos, the most common type of SSO used in Unix environments. SAML Security Assertion http://en.wikipedia.org/wiki/Saml 2002 SOAP-based standard for exchanging authentication and authorization data Markup Language between security domains. Bloated and is specified in terms of implementation details.
- 34. SASL" Simple http://en.wikipedia.org/wiki/ 1997 A framework for authentication and data security in Internet protocols. Authentication and Simple_Authentication_and_Security_L Provides a layer for authentication, on top of which an application protocol Security Layer ayer (e.g. XMPP) can operate. XML-based standard for exchanging authentication and authorization data between security domains SPNEGO Simple and http://en.wikipedia.org/wiki/SPNEGO 1996 SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication Protected GSSAPI extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and Negotiation provided single sign-on capability later marketed as Integrated Windows Mechanism Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory. Spring FKA Acegi http://en.wikipedia.org/wiki/ 2004 (Originally released as Acegi) Client oriented framework supporting most Spring_Security protocols listed here, extensible to support any desired provider. Open, but specific to Java. SSPI Security Support http://en.wikipedia.org/wiki/SSPI 1995 An API API mechanism. Used to dynamically support access to various Provider Interface implementations. SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types.
Editor's Notes
- #2: \n\n
- #3: \n\n
- #4: \n\n
- #5: \n\n
- #6: \n\n
- #7: \n\n
- #8: \n\n
- #9: \n\n
- #10: \n\n
- #11: \n\n
- #12: \n\n
- #13: \n\n
- #14: \n\n
- #15: \n\n
- #16: \n\n
- #17: \n\n
- #18: \n\n
- #19: \n\n
- #20: \n\n
- #21: \n\n
- #22: \n\n
- #23: \n\n
- #24: \n\n
- #25: \n\n
- #26: \n\n
- #27: \n\n
- #28: \n\n
- #29: \n\n
- #30: \n\n
- #31: \n\n
- #32: \n\n
- #33: \n\n
- #34: \n\n
- #35: \n\n
- #36: \n\n