How do I do Authentication and Authorization?

Question

0.00/5 (No votes)

See more:

For most examples that I have read regarding communications (HTTP / TCP Sockets etc.) the examples are either very low level "hello world" types that exclude any real world authentication/authorization or are very high level (ASP) that use attributes or an existing framework that handles this.

I would like to know more about how this works in general. This is something that cuts across every platform and every system that communicates using a login.

So for me the evolution goes something like this:
1. Lets require a user name and password. Lets do this by having an admin area and a user area. The admin area can add/remove/approve new user account requests. This can be either a signup page or added manually by an admin.
2. OMG the user names and passwords are sent over the wire in plain text. Lets create a secure encrypted connection *before* sensitive information is passed.
3. Authentication is not enough, we need to authorize users to use certain features. Lets create user "groups" that we can add users to that allow them certain functionality.

I think that 1. and 3. above are handled by my application. I choose the mechanism for the user signup and admin modifies the privilege assignation if required other than default. I choose a way to store user information and their passwords (salted hash brown table or something along those lines)

I think the most confusing part is how to accomplish 2. above.

I hear things that I would assume would be classfied as "drops" in a good skrillex tune such as X509, HTTPS. But other than ending up at a Wikipedia article explaining what it is there is little I have found on the how to use it.

I get lost as soon as certificates are mentioned since how do I get/create and even more baffling integrate using one of these?

I do recall seeing some example awhile back that had a static byte array which stored the certificate and passed this around / compared to it to authenticate.

Lets say I have two pieces of hardware, one is a windows computer with a C#/WPF app and the other is a netduino/arduino/rpi/bbb/ etc. I have programmed communication between some of these in the past, and even got as far as step 1. and 3. above. I have up to this point not found anything that describes how I would add 2. above.

If both of my devices connect over the internet how do I securely pass the certificate/other authentication mechanism so both are trusted? The only way I see this as being totally secure is to have a USB/Serial connection physically between the two to have the certificate passed.

I did come across some systems that use a public/private key (isn't this HTTPS and X509?) and all communication is done using the public key with other functions using the private key. But again, how does this private key get on both devices without exposing it over a connection?

Maybe it has been luck of the draw for me but I either end up with a book/article that is meant for a PHD dissertation or is so basic that it would be useless in a real world application.

Can anyone provide any info/clues/reading lists as to how this works at about the 7500ft view instead of typical 30,000 or 10?

Posted 27-Apr-15 10:05am

GPIB99

Add a Solution

Comments

Florian Braun 27-Apr-15 16:22pm

maybe you should take a look how ssh works and login via certificate.

j snooze 27-Apr-15 17:42pm

Usually you can buy a certificate from a company. You can create your own, but it won't be trusted. Digicert is one such company, there are plenty of others. They will send you certificates to install on your host server. You have to provide them some information first. If you are using IIS, there is a server certificate icon. From there you make a certificate request. You pick the encryption type, how strong you want it. It spits out a file with a bunch of gobblety gook encrypted stuff your vendor of choice will need to create a certificate specifically for your site. Once they send the certificates to you or you download it from them, you can imported it through IIS into your site. I assume with apache there is something similar. Your site will then become trusted by browsers. They may also have a few more certificates of their own for you to install to prove they are a legit certificate provider. This has been my experience anyway. Don't know if it will help you...or if this is even what you are asking.

Sascha Lefèvre 27-Apr-15 23:07pm

This link might be a 7500ft view:
http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

barneyman · Accepted Answer · 2015-04-27T16:35:00

Solution 1

ok - some basics ...

X509 defines a digital certificate format and its contents

a digital certificate holds identification about its owner, and also holds the PUBLIC key component of PKI keypair - the PRIVATE component is held by the owner, securely, on their machine

PKI encryption/decryption can only be done by the keyPAIR - what the private encrypts, the public can decrypt, and vice versa - if i encrypt something with your public key, only your private key can decrypt it - the added advantage is that if you encrypt something with YOUR private key, (stay with me!) only your PUBLIC key can decrypt it - hence i know it came from you, this is how digital signatures work

During the HTTPS handshake, the SERVER passes you (the client) its x509 - from that, you glean its public key, so you (the client) can now encrypt for the server's eyes only - believing that the server IS who it SAYS it is is a function of the x509 certificate chain (simply, the server cert has been countersigned by, say, Thawte, who have done that checking, and have their root cert on your machine)

At this point the server can insist it wants a KNOWN cert from you, but most don't (in most situations, you need to know it's the Bank you're talking to, they don't care who they're talking to) - typically your browser generates a one-time self-signed cert, you exchange that and now you can both talk to each other securely

the https API you use (for the client) will normally handle all the one-time-gen'd stuff, so you don't need to care about that
At the server end, you'll need to provide a certificate and private key - you can generate your own, if it's a 'toy' app, the certificate chain is not really useful - you may have to copy the x509 you generate into the CLIENTS certificate store, so that it trusts it

(Certificate chain 'trust' work by walking up the chain of certs until you find one you implicitly 'trust' because you happen to have a copy on your machine, normally installed/updated by the OS install)

Posted 27-Apr-15 16:35pm

barneyman

Comments

GPIB99 29-Apr-15 12:28pm

From what I can tell so far this is the way all secure communication is done in general from web servers to IoT devices? However you do explain it well to get an idea of how it all works together, thanks!

Also from what I read is that SSL can be used for secure http, ftp, tcp communications, so I am guessing that HTTPS server could be used interchangeably with FTP server, TCP/IP server etc.?

X509 comes up often with secure connections and I have only seen it associated with SSL, is this the case or are there other SSL like secure communication schemes that can be used with this?

The type of encryption used is part of the X509 certificate? RSA AES etc is indicated as part of the certificate? This is what I understand currently.

From the description I see that that public key can decrypt anything from the server. So if someone gets the certificate and intercepts the traffic between the server and my device they could decrypt and read whatever I am trying to securely send from the server?

I see how the device can send its login information to the server from what you describe:
- Server passes x509 with public key
- Server requests x509 from device, generate and send self signed
- Now at this point the server sends data through SSL using the server private key which can be decrypted in the device from the received x509 with public key
- The device can send data securely to the server using the device self generated x509 private key and the server decrypts by using the device self generated x509 public key it received.

If someone gets the server x509 sent to the device and intercepts the self generated x509 sent to the server then don't they have both public keys and can decrypt any data that they intercept either way including login/password?

So the components of a secure connection:
- Certificates that describes the public key and type of encryption used (X509)
- The actual encryption implementation (RSA, AES etc)
- The transport that handles the handshake and exchange of encrypted data (HTTPS for example)

I feel however that this is not absolute and there are other ways to securely communicate. If you had a bunch of arduinos talking to each other over a local network in a mesh style with no central server then the above does not seem to fit well. I am sure there is still a certificate mechanism but I don't see how you can generate and distribute the certificates in this system in such a way that the public key cant be used to decrypt communication.

If all devices were pre-loaded with private keys and they were known among the set of all devices internally is how I imagine complete security would be attainable.

I have googled and read somewhat in depth a few dozen more articles and I keep ending up at either
- Security needs to be addressed, you need to communicate on a secure channel of which HTTPS/SSL/X509 is used in this specific article (um yes of course)
- Wikipedia page on X509 certificates (ok great, how does this fit in with everything and what are the alternatives?)

Am I searching for something that is not there, is in fact SSL and X509 THE ONLY option out there for secure communications? How does this apply to a mesh network of devices with no central server?

If you had an encryption library could you initiate secure communication between devices. I am guessing you would either need to pre-load keys or roll a X509/SSL type library to handle the certificate authentication/passing.

Lets say that I would like to learn more about encryption, authentication and authorization. Is it plausible to start off implementing secure communication between two serial ports and then progressing up to something like HTTP/TCP/FTP?

barneyman 29-Apr-15 22:58pm

- SSL is just the negotiation of a 'secure tunnel' through which any protocol can travel
- x509 is not peculiar to SSL, that's where it's most widely used, x509 is also used in code-signing for instance
- the key TYPE is defined in the x509 - it's intended use, and algorithm it's good for ##
- you misunderstand - each sender encrypts with the OTHER'S public key, the server is encrypting using the temp public key you generated, you are encrypting with the servers public, a MitM attack requires knowledge of one/both PRIVATE keys
- you need to understand the above point and the implications - the private key never leaves the owner

PKI/SSL is a very big hammer to be wielding in a arduino environment - i'd suggest you look for alternative approaches - your primary problem is key exchange (for symmetric encryption)

## asymetric (PKI) encryption is VERY slow, so typically what happens in the credential/key-exchange/message-exchange phase is a random symmetric key is generated, THAT latter key is used to encrypt the data (because symmetric encryption is very fast), the symmetric key is encrypted using the asymmetric encryptor and handed over

barneyman 29-Apr-15 23:17pm

one example of pseudo-encryption, that MAY be useful, but is by no means truly secure is something like ...

Implement the mersenne twister (or similar RNG algo) on the arduino - during commissioning for a particular 'site' all devices store the same random number in the nvram - this number represents the seed number for the RNG algo - when any device on the same 'site' wants to send, the first 2 bytes are a random number, this represents the offset into the RNG sequence that both the sender and receiver need to align to - then you simply continue along the RNG sequence XOR'ing with your data as a one-time-pad analog

you get inferred authentication (because the nvram number has to match within the same site) and encryption

*not foolproof by ANY means, and can be compromised by getting the site number, but may be enough for your needs*

GPIB99 30-Apr-15 10:43am

Interesting, this is making more sense and gives me a direction to further research. Thanks to all for the information.

"PKI/SSL is a very big hammer to be wielding in a arduino environment "

"## asymetric (PKI) encryption is VERY slow, so typically what happens in the credential/key-exchange/message-exchange phase is a random symmetric key is generated, THAT latter key is used to encrypt the data (because symmetric encryption is very fast), the symmetric key is encrypted using the asymmetric encryptor and handed over"

This means though I will still need to framework in place for PKI/SSL to hand over the key? (IF I do not pre-load a private key into all site devices)

As a side note I heard one embedded IoT system that referenced x509 used for its security, I am guessing that this may then be what you describe. It uses the x509 to establish a secure SSL connection, hands over a symmetric key and then continues with that?

I wish there was a book or something that described "Here are the current security schemes used, and here are the heavyweight central server methods and here are the alternatives as you travel down the device capabilities from something like a RPi to a Arduino"

barneyman 30-Apr-15 20:45pm

i don't think the arduino family has either the stones or memory to handle PKI/SSL - the rpi has OS suppport for it

GPIB99 1-May-15 9:55am

I see from a reference setup that I found:
Application: SSL/TLS / WebSocket
Authentication: X.509 / RSA-2048
Encryption: AES128
API: REST

Micro: ARM Cortex M3

SO based on all the feedback and understanding more about what X.509/SSL/TLS is then I think this is the direction I am going to head in for secure communications from an embedded system.

Also from what I understand is that if you are using an arduino or other low resource chip is that some form of encryption is available (google) but secure communications would definitely be handled differently.

So either way as part of deploying numerous end-points of these devices there would have to be a procedure to configure a known address or other way of identifying them on whatever the end network is. So if using very low resource devices the key and address can be setup (with the caveats as you mentioned above) or with more robust devices just a known address can be setup with the communication handled the SSL/TLS x509 way.

As an aside after pondering this for awhile, since communication is just a stream of bits and the x509 SSL describes the process to create a secure channel then couldn't this technically be applied to ANY connection including something like a serial port?

barneyman 2-May-15 9:13am

yes - pki/x509 are about key exchange for streaming (normally) encryption .. it could be used for anything