Identity and Data Security for Web Development

Book Description

Developers, designers, engineers, and creators can no longer afford to pass responsibility for identity and data security onto others. Web developers who don’t understand how to obscure data in transmission, for instance, can open security flaws on a site without realizing it. With this practical guide, you’ll learn how and why everyone working on a system needs to ensure that users and data are protected. Authors Jonathan LeBlanc and Tim Messerschmidt provide a deep dive into the concepts, technology, and programming methodologies necessary to build a secure interface for data and identity—without compromising usability.

Table of Contents

  1. Preface
    1. Conventions Used in This Book
    2. Safari® Books Online
    3. How to Contact Us
    4. Acknowledgments
      1. Jonathan
      2. Tim
  2. 1. Introduction
    1. The Problems with Current Security Models
      1. Poor Password Choices
      2. Security over Usability
      3. Improper Data Encryption
    2. The Weakest Link: Human Beings
      1. Single Sign-on
    3. Understanding Entropy in Password Security
      1. Entropy in Randomly Selected Passwords
      2. Entropy in Human-Selected Passwords
    4. Breaking Down System Usage of a Username and Password
    5. Securing Our Current Standards for Identity
      1. Good and Bad Security Algorithms
    6. What Data Should Be Protected?
      1. Account Recovery Mechanisms and Social Engineering
      2. The Problem with Security Questions
    7. Next Up
  3. 2. Password Encryption, Hashing, and Salting
    1. Data at Rest Versus Data in Motion
      1. Data at Rest
      2. Data in Motion
    2. Password Attack Vectors
      1. Brute-Force Attack
      2. Creating a CAPTCHA with reCAPTCHA
      3. Dictionary Attacks
      4. Reverse Lookup Tables
      5. Rainbow Tables
    3. Salting
      1. Generating a Random Salt
      2. Salt Reuse
      3. Salt Length
      4. Where to Store the Salt
    4. Peppering
    5. Choosing the Right Password Hashing Function
      1. bcrypt
      2. PBKDF2
      3. scrypt
      4. Validating a Password Against a Hashed Value
    6. Key Stretching
    7. Recomputing Hashes
    8. Next Steps
  4. 3. Identity Security Fundamentals
    1. Understanding Various Identity Types
      1. Social Identity
      2. Concrete Identity
      3. Thin Identity
    2. Enhancing User Experience by Utilizing Identity
    3. Introducing Trust Zones
    4. Browser Fingerprinting
      1. Configurations More Resistant to Browser Fingerprinting
      2. Identifiable Browser Information
      3. Capturing Browser Details
    5. Location-Based Tracking
    6. Device Fingerprinting (Phone/Tablet)
    7. Device Fingerprinting (Bluetooth Paired Devices)
    8. Implementing Identity
  5. 4. Securing the Login with OAuth 2 and OpenID Connect
    1. The Difference Between Authentication and Authorization
      1. Authentication
      2. Authorization
    2. What Are OAuth and OpenID Connect?
      1. Introducing OAuth 2.0
      2. Handling Authorization with OAuth 2.0
      3. Using the Bearer Token
      4. Authorization and Authentication with OpenID Connect
    3. Security Considerations Between OAuth 2 and OAuth 1.0a
    4. Building an OAuth 2.0 Server
    5. Creating the Express Application
    6. Setting Up Our Server’s Database
      1. Generating Authorization Codes and Tokens
      2. The Authorization Endpoint
      3. Handling a Token’s Lifetime
      4. Handling Resource Requests
      5. Using Refresh Tokens
      6. Handling Errors
    7. Adding OpenID Connect Functionality to the Server
      1. The ID Token Schema
      2. Modifying the Authorization Endpoint
      3. Adjusting the Token Endpoint
      4. The UserInfo Endpoint
      5. Session Management with OpenID Connect
    8. Building an OAuth 2 Client
      1. Using Authorization Codes
      2. Authorization Using Resource Owner Credentials or Client Credentials
    9. Adding OpenID Connect Functionality to the Client
      1. The OpenID Connect Basic Flow
    10. Beyond OAuth 2.0 and OpenID Connect
  6. 5. Alternate Methods of Identification
    1. Device and Browser Fingerprinting
    2. Two-Factor Authentication and n-Factor Authentication
      1. n-Factor Authentication
      2. One-Time Passwords
      3. Implementing Two-Factor Authentication with Authy
    3. Biometrics as Username Instead of Password
    4. How to Rate Biometric Effectiveness
      1. Face Recognition
      2. Retina and Iris Scanning
      3. Vein Recognition
    5. Upcoming Standards
      1. FIDO Alliance
      2. Oz
      3. The Blockchain
      4. Wrap Up
  7. 6. Hardening Web Applications
    1. Securing Sessions
      1. Types of Sessions
      2. How Express Handles Sessions
    2. Handling XSS
      1. The Three Types of XSS Attacks
      2. Testing XSS Protection Mechanisms
      3. Conclusion
    3. CSRF Attacks
      1. Handling CSRF with csurf
    4. Valuable Resources for Node
      1. Lusca
      2. Helmet
      3. Node Security Project
    5. Other Mitigation Techniques
    6. Our Findings
  8. 7. Data Transmission Security
    1. SSL/TLS
      1. Certificate Validation Types and Authorities
      2. Creating Your Own Self-Signed Certificate for Testing
    2. Asynchronous Cryptography
      1. Use Case
      2. Implementation Example
      3. Advantages, Disadvantages, and Uses of Asynchronous Cryptography
    3. Synchronous Cryptography
      1. Initialization Vector
      2. Padding
      3. Block Cipher Modes of Operation
      4. Using AES with CTR Encryption Mode
      5. Using AES with GCM Authenticated Encryption Mode
      6. Advantages, Disadvantages, and Uses of Synchronous Cryptography
  9. A. GitHub Repositories
  10. B. Technical Preconditions and Requirements
    1. On ES6/ES2015
    2. Setting Up Your Node.js Environment
    3. Managing Node Versions or Alternative Installations
    4. Installing the Express Generator
    5. Setting Up Express
    6. Creating and Maintaining Your package.json File
    7. Application Configuration
    8. Working with JSON/URL-Encoded Bodies in Express
  11. Glossary
  12. Index