[OWASP-Bangalore] [null] X509 Certificate Authentication - For Secure Server-Server Communication
001.appsec.007 at gmail.com
Fri Jan 4 11:55:17 UTC 2019
It sounds clear and we are planning to implement "X509" certificate
authentication (handles only authentication) with JWT tokens (handles
authorization). I believe this implementation is very secure.
On Fri, Jan 4, 2019 at 5:08 PM Aamer Shah <iamaamershah at gmail.com> wrote:
> This is something more secure than traditional tokens that rely upon a
> string length for security.
> Now if you are implementing a multiple-token mechanism where all tokens are
> mandatory and the length is long, that will also be equivalent to X509.
> But the fact that makes X509 secure is that the certificate is required at
> the client end to access a resource, in combination with other creds (viz session
> tokens). I personally have never encountered any instance of a compromise
> by an adversary.
> Whether it's server-to-server authentication or a server-client model,
> technically, it makes no difference.
> In the server-server case the second server is the client for server 1, and a
> certificate is required. It relies upon the fact that spoofing or faking
> a certificate is very difficult and time consuming.
> On Fri, 4 Jan 2019, 11:39 cyber research <001.appsec.007 at gmail.com> wrote:
>> Hi All,
>> Could anyone please help out if you know about "Server-Server" secure
>> authentication with X509-based certificates.
>> What are the advantages/disadvantages (from a security perspective) of X509
>> certificate authentication instead of traditional username/password or
>> token-based models?
>> Architecture Scenario:
>> Let's suppose I have a client application that made a request to a server (REST API
>> implementation). Before processing the client request we want to introduce an
>> authentication mechanism based on x.509 certificates instead of the routine
>> username/password or token-based models.
>> Thanks & Regards,
>> null - Spreading the right Information
>> null Mailing list charter:
>> You received this message because you are subscribed to the Google Groups
>> "null" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to null-co-in+unsubscribe at googlegroups.com.
>> Visit this group at https://groups.google.com/group/null-co-in.
>> For more options, visit https://groups.google.com/d/optout.
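The scenario discussed in this thread, worked through as an added example (this is not code from any of the participants): a REST API that authenticates its callers with X.509 client certificates, i.e. mutual TLS. The program is self-contained and uses only the Go standard library; it creates an in-memory CA and issues a server certificate and a client certificate from it, then exercises the server three ways: as the trusted service, with no certificate at all, and with a certificate that carries the same CN but was issued by an unrelated CA. The names demo-ca, api.internal, billing-service and rogue-ca are constructed for the example, and httptest stands in for a real listener. It goes slightly beyond the thread by showing the rejection cases alongside the happy path, which is where the "certificate required at the client end" property actually bites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must aborts on a setup error: without working certificates nothing else matters.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for cn, self-signed when parent is nil (our CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo CA
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived demo certificate (constructed lifetime)
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable as TLS server or client, named by a DNS SAN the peer can check
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// startServer runs the REST API over TLS and requires a client certificate chaining to ca.
func startServer(ca, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The chain was verified during the handshake; the leaf's CN is the caller identity. Authorization is separate (e.g. a JWT).
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS switch: no valid client certificate, no connection
		ClientCAs:    pool,                            // only certificates issued by our CA are accepted
	}
	srv.StartTLS()
	return srv
}

// call performs one GET as a client that trusts ca and expects serverName; a nil clientCert means no certificate is presented.
func call(ca *x509.Certificate, url, serverName string, clientCert *x509.Certificate, clientKey *ecdsa.PrivateKey) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo calls the server as a trusted service, with no certificate, and with a same-CN certificate from an unrelated CA.
func Demo() (greeting string, noCertErr, untrustedCAErr error) {
	ca, caKey := issue("demo-ca", true, nil, nil)
	srvCert, srvKey := issue("api.internal", false, ca, caKey)
	cliCert, cliKey := issue("billing-service", false, ca, caKey)
	rogueCA, rogueKey := issue("rogue-ca", true, nil, nil)
	rogueCert, rogueLeafKey := issue("billing-service", false, rogueCA, rogueKey)
	srv := startServer(ca, srvCert, srvKey)
	defer srv.Close()
	greeting = must(call(ca, srv.URL, "api.internal", cliCert, cliKey))
	_, noCertErr = call(ca, srv.URL, "api.internal", nil, nil)
	_, untrustedCAErr = call(ca, srv.URL, "api.internal", rogueCert, rogueLeafKey)
	return greeting, noCertErr, untrustedCAErr
}

func main() { fmt.Println(Demo()) }
```

Two design points worth noting. First, the handler never inspects a password or token to decide who is calling: the TLS layer has already rejected anything that does not chain to the configured CA, so the subject of PeerCertificates[0] can be used directly as the caller's identity, and a CN that merely looks right (the rogue-ca case) gets nowhere because the issuer is not trusted. Second, this only answers "who is calling"; what that caller is allowed to do is a separate decision, which is exactly the split the poster describes (certificate for authentication, JWT for authorization). A production deployment would additionally keep a list of expected subject names per endpoint and rotate or revoke certificates, which the short NotAfter in the example only gestures at.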