On a windows client, I have a service ticket for a web service (I can see the ticket with klist), and I am trying to write an
app to get the encoded service ticket and pass it on to the service (over HTTPS) so that it can be decrypted with the service key.
By using the klist example provide in the windows SDK (at \Microsoft SDKs\Windows\v7.0\Samples\security\authorization\klist) I am able to get a handle to the service ticket and get a KERB_EXTERNAL_TICKET structure that contains the
"EncodedTicket" which claims to be "A buffer that contains the Abstract Syntax Notation One (ASN.1)-encoded ticket."
Is this "EncodedTicket" the ticket that I want to pass onto my webserivce? Will it still be encrypted with the service key? How do I convert this buffer into a base64 string that I can pass on to my webservice?
Related
I have a micro service architecture which is working with Spring Zuul Gateway like below image.
My authentication service returns x-auth-token which is generated by spring authentication resolver and my token repository is redis. So users should use this service to authenticate and then use other services.
All my other services connect to same redis instance, so when they receive x-auth-token they can get user session details. I normally do the authorization by using #PreAuthorize annotation and then specifying the roles that can have access to controller or method.
Everything was so far working fine. Then I have been asked to add rate-limit functionality to this architecture. So for example a single user should not be able to make more than 1 POST request to specific api in books service. Also, if there were two book service instances, I would want to both be counted as single service when its about rate limiting.
I found tons of documents that referred me to this project called spring-cloud-zuul-ratelimit. Looking at the document I realized it does support redis as storage (good for me because I already have redis there) and it also supports handling rate limits per users.
The problem is that my zuul gateway knows nothing about the users! It has no access to redis storage. If I give it an access to redis, the problem might be solved but another one would rise: I'm gonna need to authorize user twice which takes more time and more redis traffic! once at gateway, once at each service (to check the roles and session details).
I'm looking for solutions that are most close to this list of needs:
Does not change my authentication method (I cant just switch to JWT or OAuth)
Does not duplicate authorization or redis queries
Balancing the requests between my services should not effect the rate limit. If each instance of service X is requested once for single user, then user has sent two requests.
Hopefully there is a good spring support for the answer.
I would prefer to be able to change the limits dynamically.
Zuul gateway rate limiter plugin basically tracks counter of user request based
on specific key (could be user's IP, some ID, request path or custom
combinations using custom key generator) given user requests during time interval. You can add it to the
existing zuul gateway application.
Let's say the ratelimiter-gateway is using "[clientIP][userID][method][path]" as request counter key stored in redis, e.g. "10.8.14.58:some#mail.com:POST:/books".
Here's some options I can think of:
If the client send some ID, you can use it directly as rate limiter
combination key.
If the user only send JWT token, you can verify it's claim to get the user
ID, assuming it's embedded in the token, using the same secret key to generate the JWT token in authn service
as Zuul gateway app properties (using OS env credentials, vault etc.). Or
you can just use the token as user ID.
Move the authorization logic to Spring zuul+ratelimiter service. It will
validate incoming request to author & books service, get the user ID from token. And then pass it as
another header, ex: "x-app-user-id", to the upstream services using
SpringBoot Filter. This way, the upstream services won't do any authn logic, it's just read the user id from
header. Communication between author & books service might be using the same header. This, of course, assuming the upstream servers won't be accessed
directly from the outside network.
It might also be good idea to use different redis instance as the ratelimit key storage.
As for dynamic config, based on it's documentation, you can adjust the rate limit config via
properties. I don't know if it can be adjusted dynamically at runtime via
Spring Cloud Config or other remote config implementations without the gateway
app needs to be restarted.
I want to build a local cilen-server which can transfer a file which will be encrypted by RSA algo and signed and the receiver will decrypt that file and will verify the signature. I found many tutorials on how to build a client server scenario in Python but to send the encrypted file I need to first convert the large file into smaller block and I don't know how to do that and after the receiving the encrypted file how I can setup the receiver that it will automatically decrypt the file using the keys that are exchanged between them at the time of setting up of the connection and verify the signature ? I am hoping to do this without using PyCrypto or any other built in libraries. Is there any tutorial which can help me understand on how to do this in python ? Or any structured way of solving this problem. Looking forward to suggestion. Thank you.
In a web application, how and where password encryption happens? For example, when a user register onto a web site, whether password set by the user is transmitted as the plain text and encryption is applied on server side and persisted in the database?
On the other hand, when HTTPS is used, data will be encrypted and sent across the wire. In this scenario, do we again apply any encryption algorithms upon incoming data and then persist in the database? I am also keen to learn which encryption algorithms will be used when data is transmitted over HTTPS.
In addition of martinstoeckli answer :
Rule n°2 : Encryption will always be the second choice. If you can use hashing, please do.
HTTPS is asynchronous cryptography (private + public keys). The principle is everything encrypted using public key can only be decrypted using THE private key associated.
In our case, the client will use the public key to encrypt data. And the server will be the only one able to decrypt the data using the private key.
So you will get the plaintext of the data after the private key did its job.
At this point, the best thing to do (to my opinion) is hashing (+ salt + eventually pepper) data and store the hash in database.
When the user will, for example, try to login using his password, the server will once again hash the plaintext password received (using the same salt / pepper obviously) and compare with the one in database.
if the hash is the exact same that the one in database, it means that the password entered by the user is correct.
HTTPS encrypts the traffic between client and server, this prevents ManInTheMiddle attacks. With HTTPS you can transport the password safely to the server, for you as a developer there is no work involved.
The server will automatically decrypt the password, your application will get the plain text password. It is your job to use a password-hash before storing it to the database. Recommended password-hashes are BCrypt, SCrypt, Argon2 and PBKDF2.
I am writing mirrorlink-server data services(CDB/SBP) module.
However, all the common APIs of Data Services (8 manager and 5 listener) seem to be useful only when server is in sink mode.
When I will get a GET, SET or SUBSCRIBE command from client, which common API is to be used to notify the server application about the request so that application can fill the object and response can be sent back to the client?
Otherwise, what data will server send as response if it can't notify to the server application?
The phone (server) can be data source for the head unit (client) but support is optional for both the phone and the head unit. There aren't many phones or head units that support it at this time.
The Common API does not (currently) define how to provide a data object as a source. This will be defined in a future revision as an additional service module.
I wanted to understand the mechanism of message encryption and signing used by NetTcpBinding when 'Windows' credentials are being used with Transport security. What if my AD uses NTLM instead of Kerberos? Will the messages still get signed and encrypted?If so, how?
Thanks in Advance,
Akshat
The short answer is that, yes, with NTLM authentication the messages will still get signed and encrypted if you have set the Transport security ProtectionLevel to EncryptAndSign (the default).
Here's an outline of how it works:
selecting Transport security
configures a
WindowsStreamSecurityBindingElement
in the channel stack. This inserts a
stream upgrade provider (see below)
in the NetTcpBinding, message
exchange between the client and
service happens within the .NET Message
Framing Protocol, which provides both
message framing and a mechanism for
client and service to negotiate
stream upgrades, the principal use of
which is to establish transport
security. If there is a stream
upgrade provider configured in the
channel stack, this will be invoked
during the Preamble stage of the
Framing Protocol when the client
opens the channel.
the upgrade
provider for
WindowsStreamSecurityBindingElement invokes an SSPI handshake between the client and the server using the SPNEGO security package: in the NetTcpBinding this will normally result in Kerberos being selected as the underlying security provider if available, but will choose NTLM if not.
if NTLM is the resulting authentication provider, the SSPI handshake will involve the three-leg NTLM challenge-response exchange of tokens described in the NTLM specification. This protocol includes a mechanism for exchanging keys for message signing and encryption. Once the SSPI handshake has generated an appropriate security context, thereafter all messages exchanged are signed and encrypted in the sending channel stack's stream upgrade provider, and decrypted and verified in the receiving channel stack's stream upgrade provider, in each case by using calls to the NTLM security provider via the abstracted SSPI message support functions.
This is a Microsoft propriety implementation and not properly documented and perhaps on purpose to prevent intruders to take advantage of it.
As far as I know, this usually happens at the TCP level with a special token is generated by the user's credentials and passed along with the request. This is intercepted by windows security channel and authenticated against the AD.
This token is used as a key (or as a basis for generating the key) for encrypting the communication.
I think if you look at the TCP packet, you must be able to see the token - although I have never seen it.
If you are doing this all in code then you can find out the options here (search for 'NetTcpBinding'). Transport security is via Windows builtin TLS.
The diagram here should be helpful for your scenario.