Security concepts and tools

Token Based Authentication

Creating server-side sessions is expensive and does not scale: over time the server is overwhelmed with session data, and that stored state could also be reused or stolen to impersonate the user against some other service. Stateless token based authentication was created to avoid this. With Token Based Authentication the client holds a signed token and presents it to access data, instead of the server storing everything on its side.

The procedure:

  1. User Requests Access with Username / Password
  2. Application validates credentials
  3. Application provides a signed token to the client
  4. Client stores that token and sends it along with every request
  5. Server verifies token and responds with data
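The five steps worked through with the openssl command line, as an added example (this is not code from the original notes; the token layout of base64 payload plus hex HMAC-SHA256 signature, the secret value, the function names and the demo user names are all assumptions made for the illustration):

```shell
#!/bin/sh
# Added example: stateless signed tokens with the openssl CLI.
# Token layout (an assumption for this example):
#   <base64 payload>.<hex HMAC-SHA256 of the payload>
# The server keeps no session table: everything it needs to check the
# request is inside the token, and only a holder of TOKEN_SECRET can
# produce a valid signature.

# Constructed secret for the demo. A real service loads this from a
# secrets store and rotates it; never commit it to source control.
TOKEN_SECRET="${TOKEN_SECRET:-constructed-demo-secret-do-not-reuse}"

# HMAC-SHA256 of stdin, printed as lowercase hex (strips the
# "(stdin)= " prefix that openssl dgst prints).
hmac_hex() {
  openssl dgst -sha256 -hmac "$TOKEN_SECRET" | sed 's/^.* //'
}

# Steps 2-3: after the application has validated username/password
# (not shown here), issue a token for that user expiring in $2 seconds.
issue_token() {
  user="$1"
  ttl="${2:-3600}"
  exp=$(( $(date +%s) + ttl ))
  # Step 4 is the client's job: store this string and send it with
  # every request, e.g. in an Authorization header.
  payload=$(printf 'user=%s;exp=%s' "$user" "$exp" | openssl base64 -A)
  sig=$(printf '%s' "$payload" | hmac_hex)
  printf '%s.%s\n' "$payload" "$sig"
}

# Step 5: verify a presented token. Prints the user name and returns 0
# when the token is well formed, correctly signed and not expired;
# returns 1 otherwise. The signature is checked BEFORE anything in the
# payload (including the expiry field) is trusted.
verify_token() {
  token="$1"
  payload="${token%%.*}"
  sig="${token#*.}"
  [ -n "$payload" ] && [ -n "$sig" ] && [ "$payload" != "$token" ] || return 1
  expected=$(printf '%s' "$payload" | hmac_hex)
  # Caveat: shell string comparison is not constant-time. A real
  # server should use its language's constant-time comparison.
  [ "$sig" = "$expected" ] || return 1
  decoded=$(printf '%s' "$payload" | openssl base64 -d -A)
  user="${decoded#user=}"; user="${user%%;*}"
  exp="${decoded##*exp=}"
  now=$(date +%s)
  [ "$exp" -gt "$now" ] 2>/dev/null || return 1
  printf '%s\n' "$user"
}
```

A tampered signature, a token without the separator, and an expired token all fail verification, while a freshly issued token yields the user name; nothing about the user is looked up on the server, which is the stateless property the notes describe.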

An analogy: an event where you show your official ID once, receive a temporary bracelet in its place, and use the bracelet on every subsequent visit to the event.

SSL Testing:

openssl s_client -connect 127.0.0.1:80

This attempts a TLS handshake with the server at 127.0.0.1:80 and will reproduce the same error if you are seeing an SSL unknown protocol error (for example when that port is serving plain HTTP rather than TLS).

Finding out when a certificate expires

openssl x509 -enddate -noout -in file.pem
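The same expiry check turned into a small monitor, as an added example (not code from the original notes; the function names and the 30-day warning threshold are assumptions, and the remote variant is included for reference but needs network access):

```shell
#!/bin/sh
# Added example: expiry monitoring built on "openssl x509 -enddate".

# Print the notAfter date of a PEM certificate (same as the note above).
cert_end_date() {
  openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 is still valid for at least $2 days,
# 1 if it expires sooner (or is already expired). Uses openssl's own
# -checkend, which takes seconds, so no date arithmetic and no GNU/BSD
# "date" differences are involved.
cert_valid_for_days() {
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# Human-readable verdict for one file; the exit status mirrors the check
# so the function can drive a cron job or alert.
cert_expiry_report() {
  file="$1"; days="${2:-30}"
  if cert_valid_for_days "$file" "$days"; then
    printf 'OK       %s valid until %s\n' "$file" "$(cert_end_date "$file")"
  else
    printf 'WARNING  %s expires within %s days (%s)\n' \
      "$file" "$days" "$(cert_end_date "$file")"
    return 1
  fi
}

# The same check for a live server: s_client fetches the leaf cert and
# x509 reads it from stdin. -servername sends SNI so a shared host
# returns the right certificate. (Needs network access; not exercised
# offline.)
remote_cert_end_date() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -enddate -noout | sed 's/^notAfter=//'
}
```

Typical use is `cert_expiry_report /etc/ssl/certs/site.pem 30` from a scheduled job; a non-zero exit means the certificate needs renewing within the threshold.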

Create a public key from a private key

openssl rsa -in private.key -pubout > public.pub

Create a public key from a cert

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

Encrypt and decrypt

  1. Write message to encrypt and decrypt
    • vim message.txt
  2. Encrypt the message
    • openssl rsautl -in message.txt -out encmessage.txt -pubin -inkey public.pub -encrypt
  3. Decrypt the message
    • openssl rsautl -in encmessage.txt -inkey private.key -decrypt -out decmessage.txt
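The three steps above as one repeatable round trip, as an added example (not code from the original notes). It uses `openssl pkeyutl`, the current replacement for `rsautl`, which OpenSSL 3 marks deprecated, and selects OAEP padding instead of the PKCS#1 v1.5 default; the file names, the 2048-bit key size, the function names and the message text are constructed for the illustration:

```shell
#!/bin/sh
# Added example: RSA encrypt/decrypt round trip with pkeyutl and OAEP.

# Generate an RSA private key and export its public half, as in the
# "Create a public key from a private key" note (using -out instead of
# shell redirection).
rsa_make_keypair() {
  dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/private.key" >/dev/null 2>&1
  openssl rsa -in "$dir/private.key" -pubout -out "$dir/public.pub" 2>/dev/null
}

# Step 2: encrypt file $2 into $3 with the public key $1.
# OAEP with SHA-256 is the padding to use for new work; PKCS#1 v1.5
# encryption (the rsautl default) is exposed to padding-oracle attacks.
rsa_encrypt() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null
}

# Step 3: decrypt file $2 into $3 with the private key $1. The padding
# options must match what the sender used or decryption fails.
rsa_decrypt() {
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null
}

# Full round trip of message $2 inside directory $1: returns 0 only if
# the decrypted text matches the original. Size caveat: RSA encrypts at
# most (key bytes - 2*hash bytes - 2) bytes directly, i.e. 190 bytes for
# a 2048-bit key with SHA-256 OAEP; larger data is encrypted with a
# symmetric key and only that key is RSA-encrypted.
rsa_roundtrip() {
  dir="$1"
  printf '%s' "$2" > "$dir/message.txt"
  rsa_encrypt "$dir/public.pub" "$dir/message.txt" "$dir/encmessage.bin" || return 1
  rsa_decrypt "$dir/private.key" "$dir/encmessage.bin" "$dir/decmessage.txt" || return 1
  [ "$(openssl dgst -sha256 < "$dir/message.txt")" = \
    "$(openssl dgst -sha256 < "$dir/decmessage.txt")" ]
}
```

Run `d=$(mktemp -d); rsa_make_keypair "$d"; rsa_roundtrip "$d" "hello"` to see the flow end to end; feeding a 300-byte message makes the encrypt step fail, which is the size limit described in the comment.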

Converting p12 to pem

openssl pkcs12 -nodes -clcerts -in dev.p12 -out dev.pem

SSH Agent

Avoid being asked for the key passphrase every time (use && rather than a single &: backgrounding the eval runs it in a subshell, so the agent's environment variables never reach your shell and ssh-add cannot find the agent)

eval "$(ssh-agent -s)" && ssh-add

Cert x.509

openssl x509 -in ../dev.pem -noout -text