Level_Six_Security
Authentication & Security!
Welcome to Secrets!
Our mission statement is to introduce and impress upon organisations the importance of proper secret management in today's environment, as a single leaked password can lead to a data breach with heavy consequences. This has become very significant over the last couple of years as more and more workload is being pushed to the cloud.
Secret management plays an important role in keeping essential information secure and out of threat actors' reach.
Input
Once on the Register page, the user is prompted to register, or to authenticate with Google, Facebook or GitHub using the OAuth 2.0 API.
Enter your email and password into the fields, then press the Register button to register with the site. [REMEMBER YOUR_EMAIL + YOUR_PASSWORD]
Output
The example output prompts the user to submit a SECRET as follows!
Enter your new secret into the "What's your secret?" field and press the Submit button as follows... Don't worry, your secret is held securely until you next log in!
Authenticate Use Cases
If the user wishes to authenticate themselves and authorise the Secrets app, they can log in with Google, Facebook or GitHub using the OAuth 2.0 framework, as showcased in the following use cases.
Use Case One
The user selects Facebook to authenticate themselves and authorise the Secrets app. Facebook prompts the user to log in, and the Secrets app requests the following from the user.
Use Case Two
The user selects Google to authenticate themselves and authorise the Secrets app. Google prompts the user to log in, and the Secrets app requests to view the user profile before rendering the secrets page.
Use Case Three
The user selects GitHub to authenticate themselves and authorise the Secrets app. GitHub prompts the user to log in, and the Secrets app requests to view the user profile before rendering the secrets page.
Security
Security within the Secrets app keeps overhead minimal by using salting, hashing and password management through Auth0.
Level 1 Security - Email & Password
- User email and password are stored using Mongoose & MongoDB
- At this level the user's password is stored in plaintext in the database, which is a definite no!
Level 2 Security - Encryption
- The password field is now stored as a long binary string (encrypted) instead of plaintext
- To keep the encryption key, other sensitive variables and API keys out of the source code, we used environment variables loaded from a simple .env file.
Level 3 Security - Hashing
- Hashing was achieved using the NPM module md5: https://www.npmjs.com/package/md5
- Running a hash function on a value produces the same hash value every time, so verifying a password never requires reversing the function: the stored hash is simply compared with the hash of the submitted value.
Level 4 Security - Salting & Hashing
- Used bcrypt.js to hash and salt passwords: https://www.npmjs.com/package/bcrypt
- Salting adds random, unique data to each password. Those random characters are appended to the sensitive user data before it is run through the hash function.
- Adding a salt increases the attacker's work and makes our database a bit more secure.
Level 5 Security - Cookies & Sessions
- Cookies are used to establish and maintain a session.
- Cookies and sessions are implemented using PassportJS.
- NPM packages used:
  - passport - used to authenticate requests
  - passport-local - local authentication strategy for users with a username and password
  - passport-local-mongoose - Mongoose plugin that adds the username, salt and hash fields to the user schema
  - express-session - session middleware that keeps the authenticated session between client requests
Level 6 Security - Third Party OAuth2.0
- Auth0 helps prevent critical identity data from falling into the wrong hands.
- Passwords are always salted and hashed using bcrypt.
Example grabbed using Robo3T from the database [userDB]
If you check the example, there is no password field, because the passport-local-mongoose plugin created a salt & hash for the provided unique username "test@email.com".
Theory vs Best Practice
In theory, if a password is kept private and secure, unauthorised access will be prevented.
In practice, is this enough?
Not quite: cybercriminals use rainbow tables, stores of precomputed hashes of potential passwords, allowing them to gain access once a stored hash matches an attempted password.
Why use the pbkdf2 algorithm?
This Node crypto library function was selected for securing the users' personal information input to the Secrets app as the appropriate (independent) platform: every generated salt is saved alongside its hash, which makes rainbow table attacks even harder. The Password-Based Key Derivation Function 2 (pbkdf2) prevents password cracking tools from making the best use of GPUs, reducing the guess rate from hundreds of thousands of guesses per second to less than a few tens of thousands of guesses per second.
How to run?
- Download the zip file to your downloads directory and extract it.
- Open a terminal/cmd and change to the directory containing app.js
- Run app.js locally using "nodemon app.js" to start the server on localhost:3000.
Useful Resources
- https://ejs.co/
- https://nodejs.org/en/download/
- https://www.npmjs.com/package/nodemon
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
- https://robomongo.org/