Thursday, April 6, 2017

Simple security mechanism for token based auth

Almost every application we try to secure requires a security scheme for simple reliable token based authentication. I want to describe a simple yet effective scheme for token based authentication, which can be used.

Please review the security scheme below and comment, if it suitable and if any additional vulnerabilities and enhancements can be made. Please forward the blogpost link to, security experts/enthusiasts from your acquaintances, and ask them to review and comment.

User enters username and password on browser and clicks submit button
username and password travel over TLS onto web application's login handling resource URL

Session Initiation

On the webapp:
security filter uses the username and password, and authenticates user using application service
application creates  new security token
application stores token, token_time,etc against username, in app database
application encrypts token using its private RSA key
application sends back encrypted token as sync reply of http login request to client browser

On the client:
Client decrypts token using RSA public key. This ensures server's authenticity.
Client stores the raw token in session storage

Subsequent Session based calls

On the client:
Client sends in "pre-decided header field" or "Authorization header as Bearer token", the following:
HMAC(rawToken, sessionIdAsKey) - the hmac also ensures user or session authenticity

On the server:
Server security filter, checks if bearer token is present and also if it is valid as per follows:
server retrieves username's raw token, it does HMAC(rawToken, sessionIdAsKey)
server compares calculated HMAC with HMAC in bearer token, if both match token is valid


Client storage of RSA public key can be compromised and misused
Man in middle is still a risk, need to ensure TLS for all communications
Man in browser / Session hijacking is still a risk
Need to additionally guard against CSRF/replay attack


The simple raw token can be enhanced as a JWT token or digitally signed token


Winston Dhanraj said...

Hi Ganesh, the token encrypt-decrypt happening in Session initiation, is this over and above the SSL handshake that happens when the browser hits the https resource?

Ganesh Ghag said...

Hi winston,
yes indeed, the encrypt decrypt is additional to SSL/TLS, channel level.
It serves the purpose that, clients if they are able to successfully decrypt using public key, they know that data was encrypted by corresponding private key, hence the authenticity of server is established.