Token-based authentication is secure, but not immune to attack. Learn how to better protect your organization.
Organizations are increasingly turning to token-based authentication to secure their systems. But as this technology becomes more prevalent, so does the need to understand the vulnerabilities that come with it.
Dr. Nestori Syynimaa, Senior Principal Security Researcher at Secureworks and developer of the AADInternals toolkit, is at the forefront of exploring these risks. As a teaser of his upcoming Live! 360 session (being held in Orlando, Fla. Nov. 17-22), titled "Exploiting Token Based Authentication: Attacking and Defending Identities in the 2020s," Redmond spoke with Syynimaa about the fundamentals of token-based authentication, common techniques adversaries use to exploit it, and best practices for securing cryptographic secrets used in the process.
And for more from Syynimaa, you won't want to miss his upcoming Live! 360 session, where he promises to equip IT pros with the practical skills needed to detect and defend against token-based authentication exploits. Register by Sept. 27 and save $400!
Redmond: Can you briefly explain the fundamental principles of token-based authentication and its advantages over traditional username and password methods?
Syynimaa: In token-based authentication, the roles of Identity Provider (IdP) and Service Provider (SP) are separated. The proof-of-identity (like username and password) is only sent to the IdP (like Entra ID). When consuming services, only a token is sent to the SP (like Salesforce) over the internet instead of users' credentials.
One of the main benefits of the separated roles of IdP and SP is that it allows users to sign in to the IdP once and then access multiple SPs (single sign-on).
What are the most common techniques adversaries use to exploit token-based authentication?
There are two common techniques: stealing the tokens and stealing the token signing secrets. The former is easier but gives access to a single user for a limited time, whereas the latter is harder but gives permanent access to the whole organization.
What are some effective methods to detect token-replay and token forging attacks in real-time?
First, the prerequisite for all detections is adequate logging in both IdP and SP ends. Second, as detection is based on finding discrepancies between IdP and SP logs, access to both logs is required.
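The answer above rests on comparing IdP and SP logs for discrepancies. The following is an added example (not from the interview or from AADInternals) that models that correlation over two constructed logs: token ids, field names, IPs and timestamps are all made up for illustration, and any real deployment would map its own log schema onto these fields.

```python
"""Correlate IdP token-issuance records with SP token-usage records.

Flags the two attack classes the interview names: a forged token (seen at
the SP but never issued by the IdP, or issued to a different subject) and a
replayed token (presented after expiry, or from a client IP other than the
one the IdP issued it to). All records below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed IdP log: one record per token issuance (jti = token id).
IDP_LOG = [
    {"jti": "t-1001", "user": "alice", "ip": "10.0.0.5", "issued": "2024-09-20T09:00:00", "ttl_min": 60},
    {"jti": "t-1002", "user": "bob",   "ip": "10.0.0.9", "issued": "2024-09-20T09:05:00", "ttl_min": 60},
]

# Constructed SP log: one record per token presented to the service.
SP_LOG = [
    {"jti": "t-1001", "user": "alice", "ip": "10.0.0.5",     "seen": "2024-09-20T09:10:00"},  # legitimate
    {"jti": "t-1001", "user": "alice", "ip": "203.0.113.7",  "seen": "2024-09-20T09:20:00"},  # replay: new IP
    {"jti": "t-1002", "user": "bob",   "ip": "10.0.0.9",     "seen": "2024-09-20T11:00:00"},  # replay: expired
    {"jti": "t-9999", "user": "admin", "ip": "198.51.100.2", "seen": "2024-09-20T09:30:00"},  # forged: never issued
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(idp_log, sp_log):
    """Return (jti, finding) pairs for SP events that contradict the IdP log."""
    issued = {rec["jti"]: rec for rec in idp_log}
    findings = []
    for ev in sp_log:
        src = issued.get(ev["jti"])
        if src is None:
            # No issuance record at all: the SP trusted a token the IdP never minted.
            findings.append((ev["jti"], "forged: token never issued by IdP"))
            continue
        expiry = _ts(src["issued"]) + timedelta(minutes=src["ttl_min"])
        if _ts(ev["seen"]) > expiry:
            findings.append((ev["jti"], "replay: token used after expiry"))
        if ev["ip"] != src["ip"]:
            # Lower confidence: roaming clients change IP legitimately; treat as a lead, not proof.
            findings.append((ev["jti"], "replay: client IP differs from issuance IP"))
        if ev["user"] != src["user"]:
            findings.append((ev["jti"], "forged: subject differs from IdP record"))
    return findings


if __name__ == "__main__":
    for jti, why in correlate(IDP_LOG, SP_LOG):
        print(jti, why)
```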
What are one or two best practices for securing cryptographic secrets used in token-based authentication?
There is no silver bullet to protect cryptographic secrets — you just need to follow the hardening instructions of each involved system. Generally, a Hardware Security Module (HSM) will protect cryptographic keys from being stolen, if your IdP supports that.
How do different implementations of token-based authentication, such as Kerberos, SAML and OAuth, vary in terms of security vulnerabilities?
The fundamentals of all implementations are the same: trust is based on tokens that are cryptographically signed (or encrypted) by a trusted party.
What should participants expect from the demo-packed session, and what practical skills will they gain?
First, I will show demos of both token-based authentication attacks. That allows participants to learn how the attacks work in practice. Second, I will share best practices on how to protect the environments from attacks.
What resources can you point attendees to so they can learn more about token-based authentication and prepare for your session?
There are no prerequisites to attend the session (besides general IT knowledge, which our participants typically have). Understanding the technical details of their own environment makes it easier for participants to recognize what is relevant to them.