I'm a beginner in WLAN security. I was going through various articles and noticed that WEP, WPA and even WPA2 (Hole 196) have some drawbacks.
I came to know that, if the Group Temporal Key is made unique for clients, then the Hole 196 vulnerability can be compromised.
Then, why is there no WPA3 still?
WPA3 has been announced:
Uses a new handshake which won’t be vulnerable to dictionary attacks.
Features a 192-bit security suite aligned with the Commercial National Security Algorithm (CNSA) Suite that will protect government, defense, and industrial networks that have higher security requirements.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-certified-wpa3-security
We're assessing the practicability of replacing our conventional HTTPS/RESTful over cellular network (4G-LTE) with CoAP/DTLS over NB-IoT, to prolong the battery life of remote devices. The IoT application we've deployed only takes a tiny proportion of 4G-LTE data bandwidth and UDP over NB-IoT is good enough, so transmission performance is not our main concern.
But the problem is, we're now using mutual authentication in the SSL/TLS layer and we assign different client certificates to different sub-groups, and I'm not sure how to do that in CoAP/DTLS.
I've learned that the default credential model of CoAP/DTLS is Pre-Shared Key (PSK) and I also learned from RFC 4279 that I may use the PSK identity / shared-key pair as an easy alternative to a username, which could just fit my needs. But when I tried to figure out how to implement this, I found that internet resources are very limited. So far I've surveyed node-coap.js and libcoap but I can't find any hints in the documentation. Both seem to support only one credential at a time.
What is the best practice for deploying a CoAP/DTLS server that can support multiple PSK identity/shared-key sets? Or do I need to implement the whole authentication mechanism in the application layer?
One option for server/cloud side CoAP is Eclipse Californium. I am involved in that project and may thus be biased. That said, we have actually built Californium for exactly this purpose.
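The identity-keyed lookup the question asks for, as an added example that is not Californium's, libcoap's or node-coap's code: a server-side PSK store mapping each RFC 4279 psk_identity to its key and sub-group (standing in for the per-sub-group client certificates), the premaster-secret construction from RFC 4279 section 2, and the TLS/DTLS 1.2 PRF (RFC 5246 section 5) that turns it into the master secret. The identities, keys and sub-group names are constructed for the demonstration; handling an unknown identity by continuing with a decoy key is one of the two options RFC 4279 allows, chosen here so a probing client cannot tell valid identities from invalid ones. In a real deployment this lookup is what you plug into the DTLS library's PSK callback rather than something you reimplement in the application layer.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, NamedTuple, Optional, Tuple


class PskEntry(NamedTuple):
    key: bytes    # the pre-shared key for this identity
    group: str    # the sub-group this device belongs to (assumed naming)


# Constructed sample store: one PSK identity per device, grouped the way the
# question groups client certificates. Identities and keys are made up.
PSK_STORE: Dict[bytes, PskEntry] = {
    b"meter-0001@siteA": PskEntry(bytes.fromhex("00112233445566778899aabbccddeeff"), "siteA"),
    b"meter-0002@siteA": PskEntry(bytes.fromhex("ffeeddccbbaa99887766554433221100"), "siteA"),
    b"valve-0001@siteB": PskEntry(bytes.fromhex("0123456789abcdef0123456789abcdef"), "siteB"),
}

# Decoy key for unknown identities. RFC 4279 section 2 lets the server either
# send unknown_psk_identity or continue as if the key were wrong; the latter
# hides which identities exist, so the handshake simply fails later.
DECOY_KEY = os.urandom(16)


def lookup_psk(identity: bytes) -> Tuple[bytes, Optional[str]]:
    """Resolve a psk_identity from ClientKeyExchange to (key, group)."""
    entry = PSK_STORE.get(identity)
    if entry is None:
        return DECOY_KEY, None
    return entry.key, entry.group


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279 section 2: uint16 N || N zero octets || uint16 N || PSK."""
    n = len(psk)
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5; DTLS 1.2 reuses the TLS 1.2 PRF."""
    seed = label + seed
    a = seed                      # A(0)
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return tls12_prf(psk_premaster_secret(psk), b"master secret",
                     client_random + server_random, 48)


def server_master_secret(identity: bytes, client_random: bytes,
                         server_random: bytes) -> Tuple[bytes, Optional[str]]:
    """Server side: look the identity up, derive the master secret, keep the
    group so the application can authorise per sub-group afterwards."""
    psk, group = lookup_psk(identity)
    return master_secret(psk, client_random, server_random), group


def simulate_key_exchange(identity: bytes, client_psk: bytes) -> Tuple[bool, Optional[str]]:
    """Both peers derive the master secret from their own copy of the PSK and
    the two randoms; the handshake only completes if the results agree.
    Randoms are generated here in place of real ClientHello/ServerHello values."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    client_ms = master_secret(client_psk, client_random, server_random)
    server_ms, group = server_master_secret(identity, client_random, server_random)
    return hmac.compare_digest(client_ms, server_ms), group


if __name__ == "__main__":
    for ident in (b"meter-0001@siteA", b"valve-0001@siteB", b"unknown-device"):
        key = PSK_STORE[ident].key if ident in PSK_STORE else bytes(16)
        print(ident.decode(), simulate_key_exchange(ident, key))
```

The group returned alongside the master secret is the piece that replaces "which client certificate did this peer present": once the DTLS session is up, the application authorises CoAP requests by that group rather than by the raw identity string.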
I am preparing a report on SAML and OAUTH for a comparative study on these two technologies.
I have got a few pages ready describing what SAML and OAUTH can do.
The next thing I need is the hardware and software requirements to implement SSO using SAML and OAUTH.
This would help analyse the costs involved and come to a decision on choosing one of the two technologies.
If you are aware of the H/W and S/W requirements please enumerate them.
Thanks,
david
On the software side, the cost will really depend on what solution you're using. Both technologies have good open-source and commercial implementations (and often the same product supports both). So I don't think the software costs will make a difference.
On the hardware side, SAML is probably a little more resource-consuming, because it implies XML parsing and XML digital signatures (which need more resources than a simple digital signature).
But if you have a reasonable number of concurrent users, the raw power of the most basic servers will be able to absorb the load without problems in either case.
To give some figures, our SAML 2.0 solution (which admittedly is performance- rather than feature-oriented) is able to generate ~100 SAML responses per second on my workstation (a low-end Sandy Bridge Pentium). The main factor determining performance is CPU. I/O and memory are somewhat negligible.
How many authentications per second do you plan to have in production ?
I'm working on a web application and we are getting ready to launch it. Because it will hold sensitive data for users, I want this to be as secure as possible. Here is a list of what we are currently doing...
Running the app on Heroku (Ruby on Rails)
Site is encrypted with 256 SSL (with forced SSL turned on)
Cookies are encrypted and we pass the Firesheep test
Their passwords and everything in the database are one-way encrypted, so even if someone got access to the database it would be useless.
We do not store any keys or passwords openly in the source code but rather use Config Vars
Other than that what else should/could we be doing. We are considering McAfee's site scan but they quoted us $2,500 a year. I'm not sure it's worth it.
Does anyone have any suggestions at all?
Make sure to read the OWASP Top 10. Also $2,500 is a rip off, Sitewatch is free. You should also consider running a Web Application Firewall like mod_security, but keep in mind this will cause problems for testing tools like McAfee or Sitewatch. You should configure mod_security to allow specific ip addresses. Or test your application before enabling the WAF.
After ruling out the usual suspects (XSS, SQL injection, mass assignment, etc), client side is where most problems come from, and this is often overlooked. I don't know what your site is about, but things like telling your users that they shouldn't follow links on emails they did not explicitly request usually delivers highest bang-for-the-buck.
Best regards,
-- J. Fernandes
I'd recommend checking out the OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
To verify your SSL configuration, you can try https://www.ssllabs.com/ssldb/index.html.
If you're curious about the sheer variety of attacks, check out Jeremiah Grossman's post titled Top Ten Web Hacking Techniques of 2010 and scroll down until you see "The Complete List".
If you want to fire off a few web app vulnerability scans tools to catch the low hanging fruit you can try:
skipfish: http://code.google.com/p/skipfish/ (free)
netsparker community: http://www.mavitunasecurity.com/communityedition/ (free)
look here for more https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/
If you're really concerned about security, then adopting a secure development plan and working with someone trained in app security would obviously boost your confidence that things are being done right.
Regarding development, you may like the ideas presented in Microsoft's simplified SDL:
"The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development."
"The process outlined in this paper sets a minimum threshold for SDL compliance. That said, organizations aren’t uniform – development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn’t compromise organizational security goals."
Also, it is important to note that automated vulnerability scan tools fail to identify most logical vulnerabilities, so don't rely solely on automated tools. For example (taken from OWASP):
"Setting the quantity of a product on an e-commerce site as a negative number may result in funds being credited to the attacker. The countermeasure to this problem is to implement stronger data validation, as the application permits negative numbers to be entered in the quantity field of the shopping cart."
Human intelligence is key to spot logical issues.
Security is also all about maintenance. Assigning someone or a team the responsibility to astutely play continuous defense is important.
Note: Encrypting the passwords doesn't imply infallible security. Dictionary/password lists/brute force attacks work all the time to reveal weak passwords. A very common attack is to use SQL injection to dump the user table (with password hashes) then use a password cracker to discover legitimate user/password pairs.
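To make the last point concrete, here is an added example (not code from the original post or the asker's Rails application) contrasting the fast unsalted hash that "one-way encrypted" often means in practice with a salted, deliberately slow PBKDF2 record, and showing that a wordlist still recovers a weak password from either once the table is dumped. The wordlist, the sample password and the iteration count are constructed assumptions for the demonstration; bcrypt or scrypt, which Rails applications commonly use, follow the same salt-plus-work-factor idea.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed demo data: a tiny wordlist and a weak password taken from it.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2", "correct horse"]

# Assumption: tune so one verification costs a noticeable fraction of a second
# on the production hardware; the tests below pass a much smaller value.
PBKDF2_ITERATIONS = 600_000


def fast_unsalted_hash(password: str) -> str:
    """What a leaked user table often contains: one unsalted SHA-256 per user.
    Every user with the same password gets the same digest, and a cracker
    tests millions of candidates per second against the whole table at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against an unsalted digest: one hash per candidate."""
    for candidate in wordlist:
        if fast_unsalted_hash(candidate) == digest:
            return candidate
    return None


def make_password_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash stored as 'pbkdf2_sha256$iterations$salt$hash'.
    A fresh random salt per user means two users with the same password get
    different records, so each must be attacked separately."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not reveal how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_record(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against a salted slow record: every candidate now costs
    the full PBKDF2 work, per user, and a weak password is still recovered.
    The work factor buys time; it does not rescue passwords that are in the list."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    leaked = fast_unsalted_hash("hunter2")
    print("unsalted SHA-256 cracked:", crack_unsalted(leaked, WORDLIST))
    record = make_password_record("hunter2", iterations=50_000)
    print("PBKDF2 record cracked:", crack_record(record, WORDLIST))
    print("strong passphrase in record:",
          crack_record(make_password_record("9 ravens eat cold soup", 50_000), WORDLIST))
```

The takeaway matches the answer above: hashing protects users with strong passwords and buys time to rotate credentials after a dump, but weak passwords fall to a wordlist regardless, so password policy and breach detection matter as much as the hash.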
You can find information about common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist, including most of the OWASP Top 10 items.
How secure is Spring Security? Is it good enough to use Spring Security in a web application for a banking system or something equivalent?
Spring Security in itself is very good. It is widely used and any problems are sorted out with high priority. However, as with most technologies, if you use it improperly, your application will not be secure.
If I use it in the "most secure way", will it be secure enough? Yes.
Earlier versions of Spring security (known as acegi back in the day) required quite a large amount of configuration and it was therefore possible to miss something and leave a hole in your security. Recent versions have significantly reduced the complexity and now use sensible defaults.
However, Spring still remains extremely flexible and extensible, which gives developers great power, but as always power comes with responsibility. As far as Spring Security is concerned, a little knowledge is a dangerous thing; I'd strongly recommend that you get a good understanding of the framework before undertaking any customization. It's also a good idea to get involved on the forums and ask the community to peer review high-risk areas of code/customization.
We've implemented Spring Security for many banks and other financial institutions, both in the US and Europe, so in that sense it's definitely "fit for purpose".
Spring Security is one of the best things that the Spring framework offers; it is highly capable of taking care of both authentication and authorization.
The challenge is to model it correctly with right key elements of the framework being put in the right place. I have tried to illustrate its capabilities on one of my blog posts, refer http://www.nimblegeek.com/2012/08/role-base-application-modelling-using.html
Be careful applying Spring Security to applications that require a high level of security, such as a banking security system. First of all, pay attention to securing your application with strong cryptographic methods and securing the data channel; then you can integrate it with a framework such as Spring Security.
How reliable is Heroku for a sensitive app?
Can they be trusted for a very important app?
Have you used it for a long time? What's your opinion?
Thanks
Heroku provides information about security policy in its legal section. According to the security documents, it seems to have a really reliable infrastructure and I have been using it for 1 year without any issues. I also haven't heard about noticeable security flaws in its system.
Some technical restrictions, such as the read-only file-system, can be a hassle at first glance but increase the security of the platform.
It is indeed much more secure than many other VPS providers and, unless you have the benefit of a team of sysadmins and security experts, you can probably trust them more than you can trust your own infrastructure.
A good infrastructure doesn't mean bullet-proof software. Your first priority should be to make sure your software won't include any security flaws. Stress test your software, use unit and integration tests to make sure your software is stable and you are not reintroducing any issues that have already been fixed.