Security
Security protocols and techniques used in distributed systems.

1. Authentication
   - SAML-based SSO (Single Sign On)
   - User Tokens
   - OAuth (Authorization abused for authentication!)
2. Authorization
   - Access Control Lists
   - Rule Engines
   - Secret Keys
3. Attack Vectors
   - Hackers
   - Developers
   - Malicious Code
Token Based Auth

Tokens are a basic and commonly used method of authentication. The process involves a user sending their username and password to a server for verification. If the credentials match, the server generates a token, which is a piece of text signed by the server.

The token represents the user's authorization and specifies the actions they are allowed to perform. The user can present this token to the server as proof of authentication and authorization without needing to provide their password again. The server can verify the token by using its private key to decrypt the signed text and confirm its authenticity.

The private key is a secret number known only to the server, while the public key is shared with others. The public key can be used to decrypt the signed text and retrieve the authorization details. The token, being a signed piece of text, prevents unauthorized modifications. If someone tries to modify the token, then that can be detected.

Limitations:
- It does not protect against replay attacks or token theft. If someone intercepts the token, they can potentially use it to impersonate the user and perform actions on their behalf.
- If the token is stored in an insecure location, it can be accessed by unauthorized individuals.

Despite these limitations, token-based authentication is widely used due to its simplicity and efficiency. The permissions associated with the token can be quickly checked, and logging out invalidates the token. By including a version number or timestamp in the token, its validity can be controlled, and logging out will render it unusable.

Overall, token-based authentication offers a practical solution for balancing security and convenience in many authentication scenarios.
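Added example (not from these notes) of the issue, verify and logout cycle described above, in Python. It signs the token with an HMAC over a server-held secret instead of a key pair, so the same secret both signs and verifies; the per-user version number and the expiry timestamp give the logout and validity control the notes mention. The secret value and user names are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed secret for this example only; a real server loads it from a
# secret store. HMAC stands in for the private-key signature in the notes.
SERVER_SECRET = b"example-only-secret-do-not-reuse"

# Current token version per user; logout bumps it so outstanding tokens die.
TOKEN_VERSION = {}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, perms: list, ttl_s: int, now: float) -> str:
    """Sign {user, permissions, version, expiry}; the tag covers the whole payload."""
    payload = {"sub": user, "perms": perms,
               "ver": TOKEN_VERSION.get(user, 0), "exp": int(now) + ttl_s}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)

def verify_token(token: str, now: float):
    """Return the payload if the token is authentic, unexpired and current, else None."""
    try:
        body, tag = token.split(".")
        given = _unb64(tag)
    except ValueError:
        return None  # malformed
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None  # modified or forged: signature no longer matches
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None  # timestamp control: token has expired
    if payload["ver"] != TOKEN_VERSION.get(payload["sub"], 0):
        return None  # version control: user logged out since issue
    return payload

def logout(user: str) -> None:
    """Invalidate every token issued to the user by moving to a new version."""
    TOKEN_VERSION[user] = TOKEN_VERSION.get(user, 0) + 1
```

A stolen token that is still within its expiry and version is accepted, which is the replay and theft limitation listed above; only expiry or logout closes that window.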
Single Sign-On (SSO)
- In SSO, the authentication process is delegated to an external service, such as Google or Uber. The user's credentials are checked by the external service, which then sends a token to the server.
- The server can decrypt the token and verify the user's permissions. SSO is useful for companies that want to have control over their users within their system, even if external services handle authentication.
OAuth (Check GitHub OAuth)
- OAuth is primarily an authorization system but is commonly used for authentication as well. It involves integrating external services, such as Google or GitHub, with a server.
- The user is prompted to give permissions to the server, allowing it to access certain information from the external service, such as the user's name or profile photo.
- OAuth tokens are generated, and the server can use them for authentication purposes. OAuth is widely used for authentication, even though it is originally designed for authorization.
Authorization Mechanism
The below authorization mechanisms differ in their approach and can be used depending on the specific requirements of the system. They help define and enforce permissions for users and resources, ensuring that only authorized actions are performed.
Access Control Lists (ACLs)
ACLs are lists that define the actions that can be performed on objects. They can be user-based (a specific user has certain permissions), role-based (users with a particular role have certain permissions), or group-based (a group of users or resources have certain permissions).
Rule Engines
Rule engines involve using a set of rules, often implemented as if statements, to determine whether a user or resource has permission to perform an action. Rule engines are useful for handling complex authorization requirements and can handle multiple objects and rules efficiently. They are also helpful in centralizing common rules and allowing easy rule modifications without modifying ACLs.
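Added example (not from these notes) combining the two mechanisms above in Python: user-, role- and group-based ACL entries on a resource, evaluated by an ordered rule engine that also centralizes common rules (suspended users, resource owners, delete requiring an admin role). The principals, resource and ACL entries are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    suspended: bool = False

@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # "user:bob" -> {"read", "write"}

def acl_allows(p: Principal, r: Resource, action: str) -> bool:
    """User-, role- and group-based ACL entries checked in one pass."""
    subjects = [f"user:{p.name}"]
    subjects += [f"role:{x}" for x in p.roles]
    subjects += [f"group:{x}" for x in p.groups]
    return any(action in r.acl.get(s, set()) for s in subjects)

# Rule engine: each rule returns True/False to decide, or None to pass on.
def deny_suspended(p, r, action):
    return False if p.suspended else None

def owner_full_access(p, r, action):
    return True if p.name == r.owner else None

def delete_needs_admin(p, r, action):
    # Delete requires the admin role on top of an ACL entry.
    return False if action == "delete" and "admin" not in p.roles else None

def acl_rule(p, r, action):
    return True if acl_allows(p, r, action) else None

RULES = [deny_suspended, owner_full_access, delete_needs_admin, acl_rule]

def authorize(p: Principal, r: Resource, action: str, rules=RULES) -> bool:
    """First rule with an opinion wins; no opinion means deny by default."""
    for rule in rules:
        verdict = rule(p, r, action)
        if verdict is not None:
            return verdict
    return False
```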
Secret Keys (Check GitHub secret PAT)
Secret keys or client keys are an additional layer of security for authentication and authorization. They involve authenticating using a key or token rather than a username and password. This mechanism provides an extra level of security but is not considered ideal on its own.
Attackers
Hackers
Hackers often launch Distributed Denial of Service (DDoS) attacks to flood the system with requests. To mitigate this, techniques like distributed rate limiting and web application firewalls can be used to verify the authenticity of users and prevent flooding.
Employees
Employees, either willingly or unwillingly, can pose a threat to the system. Access control lists are useful in preventing unauthorized actions by employees. Restricting resource access and minimizing attack surfaces, such as opening only necessary entry points and allowing database access only to relevant servers, helps reduce the scope of attack.
Malicious Code
It is challenging to completely prevent the execution of malicious code. However, access to resources should be restricted, and rules in a rule engine can be used to prevent illegal modifications of code. Integrity checks and thorough code reviews can also help in identifying potential vulnerabilities.
Additionally, virtual private networks (VPNs) or virtual private clouds can be used for secure remote access and end-to-end encryption while communicating with the system.
Taking regular backups of the database is recommended as a preventive measure against the impact of malicious code.