It’s been a while since I asked this question, and I’m much more familiar with the cryptographic theory now, so here is the more modern approach: Reasoning Don’t use md5. Don’t use a single cycle of sha-family quick hashes. Quick hashes help attackers, so you don’t want that. Use a resource-intensive hash, like bcrypt, instead. … Read more
SSL is about “server identification” or “server AND client authentication (mutual authentication)”. In most cases only the server presents its server-certificate during the SSL handshake so that you could make sure that this really is the server you expect to connect to. In some cases the server also wants to verify that you really are … Read more
These are all good answers… I generally like to add a couple additional layers for my administrative sections. Although I’ve used a few variations on a theme, they generally include one of the following: Second level authentication: This could include client certificates (Ex. x509 certs), smart cards, cardspace, etc… Domain/IP restrictions: In this case, only … Read more
I had the same question as the question 1 here, and did some research myself recently, and my conclusion is that it is ok to not keep “client secret” a secret. The type of clients that do not keep confidentiality of client secret is called “public client” in the OAuth2 spec. The possibility of someone … Read more
As a first principle, if your API is consumed by your JS client, you have to assume, that it is public: A simple JS debugger puts an attacker into a position, where he can send a byte-for-byte identical request from a tool of his choice. That said, if I read your question correctly, this is … Read more
I’ve been playing with tokens for my application as well. While I’m not an expert by any means, I can share some of my experiences and thoughts on the matter. The point of JWTs is essentially integrity. It provides a mechanism for your server verify that the token that was provided to it is genuine … Read more
Use a random number generator designed for cryptography. Then base-64 encode the number. This is a C# example: var key = new byte[32]; using (var generator = RandomNumberGenerator.Create()) generator.GetBytes(key); string apiKey = Convert.ToBase64String(key);
The project is open source. I have not used it. But it’s using a documented algorithm (noted in the RFC listed on the open source project page), and the authenticator implementations support multiple accounts. The actual process is straightforward. The one time code is, essentially, a pseudo random number generator. A random number generator is … Read more
OpenID is not a ‘successor’ or ‘substitute’ for CAS, they’re different, in intent and in implementation. CAS centralizes authentication. Use it if you want all your (probably internal) applications to ask users to login to a single server (all applications are configured to point to a single CAS server). OpenID decentralizes authentication. Use it if … Read more
For storing passwords no fast hash function which include md5 and SHA1/2 (even when salted) is acceptable. You need to use a slow hash, typically in the form of a Key-Derivation-Function to slow down brute-force. PBKDF2 and bcrypt are popular choices. You should also use a random per user salt.