Mastering Token-Based Authentication Defense and Management
Sep 24, 2024 at 01:03 am
Token-based authentication is secure, but not immune to attack. Learn how you can better guard your organization.
Organizations are increasingly turning to token-based authentication to secure their systems. But as this technology becomes more prevalent, so does the need to understand the vulnerabilities that come with it.
Dr. Nestori Syynimaa, Senior Principal Security Researcher at Secureworks and developer of the AADInternals toolkit, is at the forefront of exploring these risks. As a teaser of his upcoming Live! 360 session (being held in Orlando, Fla. Nov. 17-22), titled "Exploiting Token Based Authentication: Attacking and Defending Identities in the 2020s," Redmond spoke with Syynimaa about the fundamentals of token-based authentication, common techniques adversaries use to exploit it, and best practices for securing cryptographic secrets used in the process.
And for more from Syynimaa, you won't want to miss his upcoming Live! 360 session, where he promises to equip IT pros with the practical skills needed to detect and defend against token-based authentication exploits. Register by Sept. 27 and save $400!
Redmond: Can you briefly explain the fundamental principles of token-based authentication and its advantages over traditional username and password methods?
Syynimaa: In token-based authentication, the roles of Identity Provider (IdP) and Service Provider (SP) are separated. The proof of identity (like username and password) is only sent to the IdP (like Entra ID). When consuming services, only a token is sent to the SP (like Salesforce) over the internet instead of the user's credentials.
One of the main benefits of the separated roles of IdP and SP is that it allows users to sign in to the IdP once and then access multiple SPs (single sign-on).
What are the most common techniques adversaries use to exploit token-based authentication?
There are two common techniques: stealing the tokens and stealing the token signing secrets. The former is easier but gives access to a single user for a limited time, whereas the latter is harder but gives permanent access to the whole organization.
What are some effective methods to detect token-replay and token forging attacks in real-time?
First, the prerequisite for all detections is adequate logging in both IdP and SP ends. Second, as detection is based on finding discrepancies between IdP and SP logs, access to both logs is required.
What are one or two best practices for securing cryptographic secrets used in token-based authentication?
There is no silver bullet to protect cryptographic secrets — you just need to follow the hardening instructions of each involved system. Generally, a Hardware Security Module (HSM) will protect cryptographic keys from being stolen, if your IdP supports that.
How do different implementations of token-based authentication, such as Kerberos, SAML and OAuth, vary in terms of security vulnerabilities?
The fundamentals of all implementations are the same: trust is based on tokens that are cryptographically signed (or encrypted) by a trusted party.
What should participants expect from the demo-packed session, and what practical skills will they gain?
First, I will show demos of both token-based authentication attacks. That allows participants to learn how the attacks work in practice. Second, I will share best practices on how to protect environments from these attacks.
What resources can you point attendees to so they can learn more about token-based authentication and prepare for your session?
There are no prerequisites to attend the session (besides general IT knowledge, which our participants typically have). Understanding the technical details of their own environment helps participants recognize what is relevant to them.
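The following is an added example, not code from the interview or from Syynimaa's AADInternals toolkit. It ties together three points above: the IdP/SP split (the IdP signs a token, the SP only ever sees the token), the two attack classes (a stolen token used from another client, and a validly signed token the IdP never issued, which is what a stolen signing key produces), and the detection approach of comparing IdP and SP logs for discrepancies. The token format (HMAC-SHA256 over JSON claims), the signing key, the log record layout, the IP addresses and the token ids are all constructed for the demo; a real IdP would hold the key in an HSM and emit richer audit records.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a production IdP would keep this in an HSM.
SIGNING_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, token_id, subject, audience, client_ip, now, ttl=3600):
    """IdP side: the user has already proven identity to the IdP; the IdP
    returns a signed token and writes an issuance record. Only the token
    travels on to the SP, never the user's credentials."""
    claims = {"jti": token_id, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    idp_record = {"jti": token_id, "sub": subject, "ip": client_ip, "ts": now}
    return body + "." + sig, idp_record


def verify_token(key, token, audience, now):
    """SP side: accept the token only if signature, audience and expiry
    all check out. Returns the claims, or None on rejection."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def correlate_logs(idp_log, sp_log):
    """Detection: every token the SP accepted should trace back to an IdP
    issuance record for the same client. Returns (reason, jti) alerts."""
    issued = {rec["jti"]: rec for rec in idp_log}
    alerts = []
    for use in sp_log:
        rec = issued.get(use["jti"])
        if rec is None:
            # SP accepted a correctly signed token the IdP never issued:
            # the signature is valid but the IdP has no record, which is
            # the tell-tale sign of a compromised signing key.
            alerts.append(("NO_ISSUANCE_RECORD", use["jti"]))
        elif use["ip"] != rec["ip"]:
            # Same token, different client than it was issued to:
            # consistent with token theft and replay.
            alerts.append(("CLIENT_MISMATCH", use["jti"]))
    return alerts


def demo():
    """Constructed scenario: one legitimate use, one replay, one forged token."""
    now = 1_700_000_000
    idp_log, sp_log = [], []

    token, rec = issue_token(SIGNING_KEY, "t-001", "alice", "crm", "10.0.0.5", now)
    idp_log.append(rec)

    # Legitimate consumption at the SP from the client the token was issued to.
    if verify_token(SIGNING_KEY, token, "crm", now + 60) is not None:
        sp_log.append({"jti": "t-001", "ip": "10.0.0.5", "ts": now + 60})
    # Same token presented later from an unrelated address (constructed).
    sp_log.append({"jti": "t-001", "ip": "203.0.113.9", "ts": now + 600})
    # A token the SP accepted but the IdP has no record of issuing (constructed).
    sp_log.append({"jti": "t-999", "ip": "198.51.100.7", "ts": now + 900})

    return correlate_logs(idp_log, sp_log)


if __name__ == "__main__":
    for reason, jti in demo():
        print(f"ALERT {reason}: token {jti}")
```

The point of `correlate_logs` is the one Syynimaa makes: the SP alone cannot tell a forged token from a real one, because the signature verifies either way, and the IdP alone never sees where a stolen token is later used. Only by joining the two logs on the token id (the `jti` claim here) do the discrepancies become visible, which is why access to both sets of logs is the prerequisite.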