Videos

Question 1

What HTTP response message is returned with a ‘curl -I http://192.168.100.11/’ if the user is not logged in?

Answer 1

HTTP/1.1 401 Unauthorised

Question 2

What is the 401 (Unauthorised) response message used by the server for?

Answer 2

To challenge the authorisation of a user.

Question 3

What additional information must the server also add to its response?

Answer 3

What resource is requested to authorise the request.

Question 4

What header field must the response include?

Answer 4

WWW-Authenticate

Question 5

Give an example of a WWW-Authenticate header field.

Answer 5

WWW-Authenticate: Basic realm=”VM Realm”

Question 6

What does the WWW-Authenticate header field contain?

Answer 6

At least one challenge applicable to the resource requested.

Question 7

Explain the syntax shown in ‘WWW-Authenticate: Basic realm=”VM Realm”’

Answer 7

header-field: authentication-scheme secured-domain-for-which-authentication-is-required

Question 8

Can you provide username and password directly with curl?

Answer 8

Yes.
Using ‘curl -I -u user:hello http://192.168.100.11’.

Question 9

What HTTP response is returned if the user is authorised?

Answer 9

HTTP/1.1 200 OK

Question 10

Is the Basic authentication scheme a secure method of user authentication?

Answer 10

No.
The Basic authentication scheme is not a secure method of user authentication.

Question 11

Why does the Basic authentication scheme have poor protection?

Answer 11

There is no way to protect the entity that is transmitted in cleartext across the physical network used as a carrier.

Question 12

Why should Basic authentication NOT be used to protect sensitive or valuable information.

Answer 12

Because Basic authentication involves the cleartext transmission of passwords.

Question 13

How can Basic authentication be used to protect sensitive or valuable information?

Answer 13

With enhancements such as HTTPS.

Question 14

Where does the danger in using Basic authentication arise?

Answer 14

From naive users that frequently reuse a single password to avoid the task of maintaining multiple passwords.

Question 15

Why is reusing a single password frequently dangerous?

Answer 15

The threat is not only UNAUTHORISED ACCESS to documents on the server but also to any other resources on OTHER SYSTEMS that the user protects with the same password.

Question 16

HTTPS is an encrypted protocol. [T/F]

Answer 16

T

Question 17

What is the alternate approach to Basic authentication called?

Answer 17

HTTP Digest Access Authentication

Question 18

How does HTTP Digest Access Authentication differ to Basic Authentication?

Answer 18

Instead of passing a string containing the password
* Client submits H1: a hash of username:realm:password
* Use cryptography hash eg. SHA-256
* Server only needs to keep a copy of H1 for authorised users

Question 19

Why is HTTP Digest Access Authentication more secure than Basic Authentication?

Answer 19

It uses a cryptographic hash to encrypt username:realm:password rather than Base-64.
The cryptograph hash is NOT reversible.

Question 20

Give an example of a cryptographic hash.

Answer 20

SHA-256

Question 21

Where is the cryptographic hash passed?

Answer 21

HTTP header field.

Question 22

Why is HTTP Digest Access Authorisation not secure?

Answer 22

Vulnerable to dictionary attacks.

Question 23

What is a dictionary attack?

Answer 23

When an attacker exhausts passwords in dictionary until there is success.

Question 24

What kinds of passwords SHOULD HTTP Digest Access Authentication ONLY be used for?

Answer 24

Passwords that have a reasonable amount of entropy.
i.e. long password, lots of different characters.

Question 25

Can Digest Authentication be used over HTTP?

Answer 25

No. It SHOULD be over a secure channel like HTTPS.

Question 26

Digest Authentication provides a strong authentication. [T/F]

Answer 26

F

Question 27

Digest Authentication does not provide a strong authentication. [T/F]

Answer 27

T

Question 28

In the physical world, organisations have processes to check user’s identity and issue “identity cards”. Give two examples of identity checks.

Answer 28

* Government passport/driving licence * Student card

Question 29

In the online world, where must users provide their identity?

Answer 29

* on Facebook/Google/etc * with their employers/university

Question 30

What are the client-side limitations of HTTP Simple Access Authentication?

Answer 30

* Credentials passed in plain text (vulnerable to dictionary attacks) * No checking that this is indeed the user * No time limit * No specific purpose

Question 31

What are the server-side limitations of HTTP Simple Access Authentication?

Answer 31

* Makes authorization decision * Challenge with the management of sensitive information * Compliance with regulations * To be repeated with every service

Question 32

In the motivating printing scenario, what must the end-user not share with the printing service?

Answer 32

Username and password.

Question 33

What must the end-user do instead?

Answer 33

Authenticate directly with a server trusted by the photo-sharing service which issues delegation-specific credentials to the printing service.

Question 34

What is the printing service in this scenario? (terminology)

Answer 34

App/Client

Question 35

What are the photos in this scenario? (terminology)

Answer 35

Resources

Question 36

What is the Photo sharing service in this scenario? (terminology)

Answer 36

Resource server

Question 37

What is the end-user in this scenario? (terminology)

Answer 37

Resource owner

Question 38

What are the delegation credentials in this scenario? (terminology)

Answer 38

Access token

Question 39

What is OAuth 2.0?

Answer 39

A standard protocol for authorisation.

Question 40

What is the aim of OAuth 2.0?

Answer 40

To provide specific authorisation flows for web applications, desktop applications, mobile phones, and living room devices.

Question 41

What is OAuth developed within?

Answer 41

The IETF OAuth Working Group.

Question 42

What is the other standard protocol used for authorisation?

Answer 42

OpenID Connect

Question 43

OpenID Connect 1.0 is an ______ layer on top of ______.

Answer 43

identity OAuth 2.0.

Question 44

What is the aim of OpenID Connect?

Answer 44

1) To allow Clients to verify the identity of the End-User based on the authentication performed by an Authorisation Server. 2) To obtain basic profile information about the End-User in an interoperable and REST-like manner

Question 45

What is an ID token similar to?

Answer 45

An identity card.

Question 46

What format is an ID token in?

Answer 46

A standard JWT format

Question 47

What does the ID token consist of when decoded?

Answer 47

1) Header 2) Payload 3) Verify Signature

Question 48

What is an ID token signed by?

Answer 48

The OpenID Provider (OP)

Question 49

How can an application obtain an ID token?

Answer 49

By redirecting the user to their OpenId Provider with an authentication request.

Question 50

What does JWT stand for?

Answer 50

JSON Web Token

Question 51

The ID Token asserts the _________ of the user with the _____ field in the payload.

Answer 51

identity sub

Question 52

The ID Token specifies the _______ ________ with the ______ field in the payload.

Answer 52

issuing authority iss

Question 53

An ID token is generated for a particular _________________ that is specified with the _____ field in the payload.

Answer 53

client/audience aud

Question 54

What is a nonce in cryptography?

Answer 54

An arbitrary Number that can be used only ONCE in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.

Question 55

An ID token may contain a _____ specified in the ______ field in the payload.

Answer 55

nonce nonce

Question 56

An ID token has an ______ ( ______ field in the payload) and ________ ______ ( ____ field in the payload).

Answer 56

issue iat expiration time exp

Question 57

An ID token may include additional requested details about the subject. Give two examples.

Answer 57

Name Email address

Question 58

Why is an ID token digitally signed?

Answer 58

So it can be verified by the intended recipients.

Question 59

Briefly describe the Auth 2.0 authorisation framework process.

Answer 59

1) The Client Application requests an Access Token from the Authorisation Server. 2) The Authorisation Server asks the user for permission to grant access to the Client Application. 3) The user grants permission. 4) The Authorisation Server generates an Access Token and returns it to the Client Application (with issue). 5) The Client Application requests access to a resource from the Resource Server using the Access Token.

Question 60

Where is the protocol supporting the OAuth 2.0 Authorisation Framework standardised?

Answer 60

The IETF OAuth Working Group.

Question 61

What five participants are involved in the OAuth 2.0/OpenID Connect Protocol?

Answer 61

Browser - user agent App - relying party IdP - Identity provider OP - OpenId Provider RS - Resource Server

Question 62

What is OpenID Connect?

Answer 62

* An open standard for decentralised authentication. * Used by Google, Facebook and Twitter. * It is a workflow used to authenticate users.

Question 63

What is the output artefact of OpenID Connect?

Answer 63

ID Token.

Question 64

What is an ID Token encoded as?

Answer 64

A JWT.

Question 65

What three parts does an ID Token consist of?

Answer 65

Header Payload/body Signature

Question 66

What is the Audience property of an ID token defining?

Answer 66

The application meant to be the final recipient of an ID token. In most cases, a Client Application.

Question 67

What are Access Tokens designed to do?

Answer 67

Allow access to a resource, e.g. file, database, API.

Question 68

Where do Access Tokens come from?

Answer 68

OAuth 2.0

Question 69

What is OAuth 2.0 designed to do?

Answer 69

Allow an application to access specific resources on behalf of a user.

Question 70

What format are Access Tokens required to be in?

Answer 70

Trick question! Any format. There is no required format.

Question 71

What format are Access Tokens often in?

Answer 71

JWT (although this is not required).

Question 72

What is the intended audience of an Access Token?

Answer 72

A Resource Server. (to access a resource)

Question 73

What is an ID token NOT intended for?

Answer 73

Authorisation.

Question 74

ID tokens should NOT be sent to an API. [T/F]

Answer 74

T

Question 75

Do ID tokens have authorisation information?

Answer 75

No.

Question 76

What is an Access token NOT intended for?

Answer 76

Authentication.

Question 77

ID tokens = Authentication Access tokens = Authorisation [T/F]

Answer 77

T

Question 78

Can an access token guarantee that a user is logged in?

Answer 78

No.

Question 79

ID Token = Authentication Access Token = Authorisation [T/F]

Answer 79

T

Question 80

Why does an Access token have to be configured?

Answer 80

So it knows about an Authorisation server that it can trust.

Question 81

Describe the steps involved in an Authentication sequence with OpenID Connect.

Answer 81

1) User connects with App. 2) User redirected to login page with OpenId provider... potentially via a 3rd party identity provider. 3) A single usage token is returned by OpenId Provider. 4) The Client/user is redirected to the App. User callback with single usage token (passed as query parameter into a callback URL to return to App). 5) App converts the single usage token to Identity Token and Access Token. 6) User granted access by App. 5) App requests resource access using Access Token. 6) Resource server checks Access Token is valid.

Question 82

ID Token is not visible to the _______, but to the ______.

Answer 82

browser App

Question 83

OAuth 2.0/OpenID Connect exploit ______ interaction patterns ( ______, ______).

Answer 83

HTTP callbacks redirects

Question 84

What does the Browser obtain?

Answer 84

Only the single usage token

Question 85

What does the OP sign?

Answer 85

ID token

Question 86

Is there a backchannel between RS and OP?

Answer 86

Yes

Question 87

Is revocation possible?

Answer 87

Yes

Question 88

What permissions are supported?

Answer 88

read, write (approved by user during interaction with Authorisation service).