[OWASP-Bangalore] [null] X509 Certificate Authentication - For Secure Server-Server Communication

cyber research 001.appsec.007 at gmail.com
Fri Jan 4 11:55:17 UTC 2019


Thanks Amir!

It sounds clear and we are planning to implement "X509" certificate
authentication (handles only authentication) with JWT tokens (handles
authorization). I believe this implementation is very secure.

On Fri, Jan 4, 2019 at 5:08 PM Aamer Shah <iamaamershah at gmail.com> wrote:

> This is something more secure than traditional tokens that rely upon a
> string length for security.
>
> Now, if you are implementing a multiple-token mechanism where all tokens are
> mandatory and the length is long, that will also be equivalent to the X509
> level.
>
> But the fact that makes X509 secure is that the certificate is required at the
> client end to access a resource, in combination with other creds (viz. session
> tokens). I personally have never encountered any instance of a compromise
> by an adversary.
>
> Whether it's server-to-server authentication or a server-client model,
> technically it makes no difference.
>
> In the server-server case the second server is the client for server 1, and a
> certificate is required. It relies upon the fact that spoofing or forging
> a certificate is very difficult and time-consuming.
>
>
> On Fri, 4 Jan 2019, 11:39 cyber research <001.appsec.007 at gmail.com> wrote:
>
>> Hi All,
>>
>> Could anyone please help out if you know about "Server-Server" secure
>> authentication with X509-based certificates?
>>
>> What are the advantages/disadvantages (from a security perspective) of X509
>> certificate authentication instead of traditional username/password or
>> token-based models?
>>
>> Architecture Scenario :
>>
>> Let's suppose I have a client application that makes a request to a server
>> (REST API implementation). Before processing the client request we want to
>> introduce an authentication mechanism based on X.509 certificates instead of
>> the routine username/password or token-based models.
>>
>> Thanks & Regards,
>> Sai
>>
>> --
>>
>> ______________________________________________________________________________
>> null - Spreading the right Information
>> null Mailing list charter:
>> http://null.co.in/section/about/null_list_charter/
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "null" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to null-co-in+unsubscribe at googlegroups.com.
>> Visit this group at https://groups.google.com/group/null-co-in.
>> For more options, visit https://groups.google.com/d/optout.
>>
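Worked example, added here and not part of any message in the thread: a Go program that builds the server-to-server arrangement Sai describes, with X.509 client certificates doing the authentication. It mints a throwaway CA and certificates in-process (the names demo-ca, rogue-ca, service-a and service-b are made up for the demo), starts an HTTPS server that requires a client certificate chaining to that CA, and makes three calls: one with a certificate from the trusted CA (served, with the server reporting the caller's identity from the verified certificate), one with no certificate at all, and one with a certificate carrying the same name but issued by an unrelated CA. The last case goes a step beyond the thread: it shows concretely why "forging a certificate" buys an attacker nothing here, since the name on a certificate counts only if the issuer chains to the CA the server is configured to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demo only; a real service would propagate the error
	}
}

// issue mints a P-256 key and an X.509 certificate for cn: self-signed (a CA) when parent
// is nil, otherwise signed by parent/parentKey. Minted in-process so the demo runs offline.
func issue(cn string, parent *x509.Certificate, parentKey interface{}) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil { // self-signed root: the CA both ends are configured to trust
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // a leaf on a server-to-server link may act as TLS server or client
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1"), net.IPv6loopback}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer runs an HTTPS service that completes the handshake only for callers whose
// certificate chains to the trusted pool, and answers with the caller's identity.
func startServer(trusted *x509.CertPool, serverCert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Identity comes from the verified peer certificate (RequireAndVerifyClientCert
		// guarantees one is present), never from a header the caller controls.
		fmt.Fprintf(w, "authenticated as %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    trusted,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the setting that makes this mutual TLS
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// call performs one GET presenting certs (no certs models a caller without a certificate).
func call(url string, trusted *x509.CertPool, certs ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trusted, Certificates: certs, MinVersion: tls.VersionTLS12}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo issues a CA, a server certificate and two "service-a" client certificates (one from
// the trusted CA, one from an unrelated CA), then makes three calls against the server.
func Demo() (body string, noCertErr, untrustedErr error) {
	ca, caTLS := issue("demo-ca", nil, nil)
	rogueCA, rogueTLS := issue("rogue-ca", nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	_, serverCert := issue("service-b", ca, caTLS.PrivateKey)
	_, clientCert := issue("service-a", ca, caTLS.PrivateKey)
	_, forgedCert := issue("service-a", rogueCA, rogueTLS.PrivateKey)
	srv := startServer(trusted, serverCert)
	defer srv.Close()
	body, _ = call(srv.URL, trusted, clientCert)         // served
	_, noCertErr = call(srv.URL, trusted)                // rejected: no certificate
	_, untrustedErr = call(srv.URL, trusted, forgedCert) // rejected: right name, wrong issuer
	return body, noCertErr, untrustedErr
}
```

Build it as a package with a small `main` that prints the three results of `Demo()`. The two rejected callers never reach the handler: the failure happens inside the TLS handshake, and net/http logs each one as a TLS handshake error, which is the signal a defender would watch for. The authorization step the thread proposes (JWT scopes) then sits behind the handler, keyed on the identity taken from `r.TLS.PeerCertificates[0]` rather than on anything in the request headers or body.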