
Identity and Data Security for Web Development Best Practices (no watermark)....pdf

Cover
Copyright
Table of Contents
Preface
Conventions Used in This Book
Safari® Books Online
How to Contact Us
Acknowledgments
Jonathan
Tim
1. Introduction
The Problems with Current Security Models
Poor Password Choices
Security over Usability
Improper Data Encryption
The Weakest Link: Human Beings
Single Sign-on
Understanding Entropy in Password Security
Entropy in Randomly Selected Passwords
Entropy in Human-Selected Passwords
Breaking Down System Usage of a Username and Password
Securing Our Current Standards for Identity
Good and Bad Security Algorithms
What Data Should Be Protected?
Account Recovery Mechanisms and Social Engineering
The Problem with Security Questions
Next Up
2. Password Encryption, Hashing, and Salting
Data at Rest Versus Data in Motion
Data at Rest
Data in Motion
Password Attack Vectors
Brute-Force Attack
Creating a CAPTCHA with reCAPTCHA
Dictionary Attacks
Reverse Lookup Tables
Rainbow Tables
Salting
Generating a Random Salt
Salt Reuse
Salt Length
Where to Store the Salt
Peppering
Choosing the Right Password Hashing Function
bcrypt
PBKDF2
scrypt
Validating a Password Against a Hashed Value
Key Stretching
Recomputing Hashes
Next Steps
3. Identity Security Fundamentals
Understanding Various Identity Types
Social Identity
Concrete Identity
Thin Identity
Enhancing User Experience by Utilizing Identity
Introducing Trust Zones
Browser Fingerprinting
Configurations More Resistant to Browser Fingerprinting
Identifiable Browser Information
Capturing Browser Details
Location-Based Tracking
Device Fingerprinting (Phone/Tablet)
Device Fingerprinting (Bluetooth Paired Devices)
Implementing Identity
4. Securing the Login with OAuth 2 and OpenID Connect
The Difference Between Authentication and Authorization
Authentication
Authorization
What Are OAuth and OpenID Connect?
Introducing OAuth 2.0
Handling Authorization with OAuth 2.0
Using the Bearer Token
Authorization and Authentication with OpenID Connect
Security Considerations Between OAuth 2 and OAuth 1.0a
Building an OAuth 2.0 Server
Creating the Express Application
Setting Up Our Server's Database
Generating Authorization Codes and Tokens
The Authorization Endpoint
Handling a Token's Lifetime
Handling Resource Requests
Using Refresh Tokens
Handling Errors
Adding OpenID Connect Functionality to the Server
The ID Token Schema
Modifying the Authorization Endpoint
Adjusting the Token Endpoint
The UserInfo Endpoint
Session Management with OpenID Connect
Building an OAuth 2 Client
Using Authorization Codes
Authorization Using Resource Owner Credentials or Client Credentials
Adding OpenID Connect Functionality to the Client
The OpenID Connect Basic Flow
Beyond OAuth 2.0 and OpenID Connect
5. Alternate Methods of Identification
Device and Browser Fingerprinting
Two-Factor Authentication and n-Factor Authentication
n-Factor Authentication
One-Time Passwords
Implementing Two-Factor Authentication with Authy
Biometrics as Username Instead of Password
How to Rate Biometric Effectiveness
Face Recognition
Retina and Iris Scanning
Vein Recognition
Upcoming Standards
FIDO Alliance
Oz
The Blockchain
Wrap Up
6. Hardening Web Applications
Securing Sessions
Types of Sessions
How Express Handles Sessions
Handling XSS
The Three Types of XSS Attacks
Testing XSS Protection Mechanisms
Conclusion
CSRF Attacks
Handling CSRF with csurf
Valuable Resources for Node
Lusca
Helmet
Node Security Project
Other Mitigation Techniques
Our Findings
7. Data Transmission Security
SSL/TLS
Certificate Validation Types and Authorities
Creating Your Own Self-Signed Certificate for Testing
Asynchronous Cryptography
Use Case
Implementation Example
Advantages, Disadvantages, and Uses of Asynchronous Cryptography
Synchronous Cryptography
Initialization Vector
Padding
Block Cipher Modes of Operation
Using AES with CTR Encryption Mode
Using AES with GCM Authenticated Encryption Mode
Advantages, Disadvantages, and Uses of Synchronous Cryptography
Appendix A. GitHub Repositories
Appendix B. Technical Preconditions and Requirements
On ES6/ES2015
Setting Up Your Node.js Environment
Managing Node Versions or Alternative Installations
Installing the Express Generator
Setting Up Express
Creating and Maintaining Your package.json File
Application Configuration
Working with JSON/URL-Encoded Bodies in Express
Glossary
Index
About the Authors
Colophon
Identity & Data Security for Web Development: Best Practices
Jonathan LeBlanc & Tim Messerschmidt

Identity and Data Security for Web Development: Best Practices
Jonathan LeBlanc and Tim Messerschmidt
Beijing, Boston, Farnham, Sebastopol, Tokyo
Identity and Data Security for Web Development
by Jonathan LeBlanc and Tim Messerschmidt

Copyright © 2016 Jonathan LeBlanc, Tim Messerschmidt. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Editor: Meg Foley
Production Editor: Colleen Cole
Copyeditor: Kim Cofer
Proofreader: Sharon Wilkey
Indexer: WordCo Indexing Services, Inc.
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest

June 2016: First Edition

Revision History for the First Edition
2016-06-03: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781491937013 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Identity and Data Security for Web Development, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-491-93701-3
[LSI]
Table of Contents

Preface  vii

1. Introduction  1
  The Problems with Current Security Models  1
    Poor Password Choices  3
    Security over Usability  4
    Improper Data Encryption  4
    The Weakest Link: Human Beings  5
    Single Sign-on  6
  Understanding Entropy in Password Security  7
    Entropy in Randomly Selected Passwords  8
    Entropy in Human-Selected Passwords  9
  Breaking Down System Usage of a Username and Password  11
  Securing Our Current Standards for Identity  12
    Good and Bad Security Algorithms  12
    What Data Should Be Protected?  13
    Account Recovery Mechanisms and Social Engineering  13
    The Problem with Security Questions  14
  Next Up  15

2. Password Encryption, Hashing, and Salting  17
  Data at Rest Versus Data in Motion  17
    Data at Rest  18
    Data in Motion  19
  Password Attack Vectors  20
    Brute-Force Attack  21
    Creating a CAPTCHA with reCAPTCHA  22
    Dictionary Attacks  28
    Reverse Lookup Tables  29
    Rainbow Tables  30
  Salting  32
    Generating a Random Salt  33
    Salt Reuse  33
    Salt Length  34
    Where to Store the Salt  34
  Peppering  34
  Choosing the Right Password Hashing Function  35
    bcrypt  36
    PBKDF2  37
    scrypt  38
    Validating a Password Against a Hashed Value  40
    Key Stretching  41
    Recomputing Hashes  41
  Next Steps  42

3. Identity Security Fundamentals  43
  Understanding Various Identity Types  43
    Social Identity  44
    Concrete Identity  44
    Thin Identity  45
  Enhancing User Experience by Utilizing Identity  45
  Introducing Trust Zones  46
  Browser Fingerprinting  47
    Configurations More Resistant to Browser Fingerprinting  48
    Identifiable Browser Information  49
    Capturing Browser Details  50
  Location-Based Tracking  52
  Device Fingerprinting (Phone/Tablet)  54
  Device Fingerprinting (Bluetooth Paired Devices)  55
  Implementing Identity  56

4. Securing the Login with OAuth 2 and OpenID Connect  57
  The Difference Between Authentication and Authorization  57
    Authentication  58
    Authorization  58
  What Are OAuth and OpenID Connect?  58
    Introducing OAuth 2.0  61
    Handling Authorization with OAuth 2.0  63
    Using the Bearer Token  65
    Authorization and Authentication with OpenID Connect  66
    Security Considerations Between OAuth 2 and OAuth 1.0a  67
  Building an OAuth 2.0 Server  68
    Creating the Express Application  68
    Setting Up Our Server’s Database  69
    Generating Authorization Codes and Tokens  69
    The Authorization Endpoint  72
    Handling a Token’s Lifetime  75
    Handling Resource Requests  78
    Using Refresh Tokens  81
    Handling Errors  82
  Adding OpenID Connect Functionality to the Server  86
    The ID Token Schema  87
    Modifying the Authorization Endpoint  88
    Adjusting the Token Endpoint  89
    The UserInfo Endpoint  91
    Session Management with OpenID Connect  91
  Building an OAuth 2 Client  92
    Using Authorization Codes  92
    Authorization Using Resource Owner Credentials or Client Credentials  95
  Adding OpenID Connect Functionality to the Client  96
    The OpenID Connect Basic Flow  97
  Beyond OAuth 2.0 and OpenID Connect  98

5. Alternate Methods of Identification  101
  Device and Browser Fingerprinting  101
  Two-Factor Authentication and n-Factor Authentication  102
    n-Factor Authentication  102
    One-Time Passwords  103
    Implementing Two-Factor Authentication with Authy  106
  Biometrics as Username Instead of Password  112
    How to Rate Biometric Effectiveness  113
    Face Recognition  114
    Retina and Iris Scanning  114
    Vein Recognition  115
  Upcoming Standards  115
    FIDO Alliance  116
    Oz  117
    The Blockchain  118
  Wrap Up  118

6. Hardening Web Applications  119
  Securing Sessions  119
    Types of Sessions  120
    How Express Handles Sessions  121
  Handling XSS  125
    The Three Types of XSS Attacks  125
    Testing XSS Protection Mechanisms  126
    Conclusion  130
  CSRF Attacks  130
    Handling CSRF with csurf  131
  Valuable Resources for Node  132
    Lusca  132
    Helmet  133
    Node Security Project  133
  Other Mitigation Techniques  134
  Our Findings  135

7. Data Transmission Security  137
  SSL/TLS  137
    Certificate Validation Types and Authorities  139
    Creating Your Own Self-Signed Certificate for Testing  141
  Asynchronous Cryptography  148
    Use Case  149
    Implementation Example  151
    Advantages, Disadvantages, and Uses of Asynchronous Cryptography  157
  Synchronous Cryptography  158
    Initialization Vector  159
    Padding  160
    Block Cipher Modes of Operation  162
    Using AES with CTR Encryption Mode  164
    Using AES with GCM Authenticated Encryption Mode  166
    Advantages, Disadvantages, and Uses of Synchronous Cryptography  168

A. GitHub Repositories  171

B. Technical Preconditions and Requirements  173

Glossary  179

Index  181