CasperAuth/Security: Difference between revisions
Line 53: | Line 53: | ||
== Session Resuming == | == Session Resuming == | ||
In the event that the websocket gets disconnected, the session can be re-established and re-authenticated with the use of a session token which is issued over the socket when a connection is | In the event that the websocket gets disconnected, the session can be re-established and re-authenticated with the use of a session token which is issued over the socket when a connection is established. | ||
The session token is a signed JSON Web Token which contains the sessionID and device ID. It's sent to the server when the websocket reconnects, and used to resume an existing session. | The session token is a signed JSON Web Token which contains the sessionID and device ID. It's sent to the server when the websocket reconnects, and used to resume an existing session. |
Revision as of 17:46, 21 February 2021
We take security very seriously, and believe that transparency is an essential part of any secure system, especially when potentially sensitive user data is being handled.
To this end, this document is a technical write-up of our new CasperAuth login system, which is currently being used with CasperVend and this wiki, and will soon be rolled out to the rest of our network via the new control panel.
This document is technical for anyone who is interested, and is NOT required reading by any means.
What is CasperAuth?
We're currently working on a new control panel which will bring all of our products together into one place.
As part of this solution, a new user login system has been built and deployed - this is CasperAuth.
OAuth2
CasperAuth is fully OAuth2 compatible, and indeed that's how it's currently integrated into CasperVend and this wiki.
OAuth2 is an industry-standard secure way to authenticate users with an external system. Both CasperVend and this wiki use the authorization code flow. This mechanism is well documented on the web and so it's out of scope of this document.
We intend to allow public access to our OAuth2 system so that external sites are able to securely authenticate avatars via CasperAuth. If you're interested, please contact Casper Warden.
Implementation
Device Code
The first token which is obtained from the server is a unique device code. This device code is unique for each browser or application which accesses the site. It's stored as a non-expiring, secure, http-only cookie to prevent it from being intercepted by malicious JavaScript or browser extensions.
This device code cookie is signed by the server and later the signature is verified, to ensure that only cookies issued by the server are accepted.
Websockets
The new CasperTech control panel uses websockets, utilising an efficient binary protocol for fast and effective communication.
Websockets are great, but come with one significant drawback from a security perspective: session cookies.
A secure session cookie is essential. This means a cookie which is only sent over HTTPS and, more significantly, is not readable by JavaScript. Websockets can't set these, so we use regular HTTP requests to set cookies in secure/http-only mode - one of these is the Device Code which has already been set.
Once we have the device code, a secure websocket connection is established. The device code signed cookie is then verified by the server, and if it's valid the connection is accepted.
Authentication
We go far beyond current industry standards in order to future-proof our technology and provide the highest level of security for our users.
The user password is never sent to our servers, even in an encrypted form. Instead, we utilise browser SubtleCrypto to derive a completely unique and irreversible key based on a pre-shared public salt.
This derived key is then sent to the server. However, we don't simply store this key as-is. The server then performs a further key-derivation step with fixed complexity and a new salt, producing the final key which is then stored.
These key-derivation algorithms, running in both the browser and the server, are designed to make both online and offline brute-force attacks infeasible. Basically, calculating each password guess is so costly that it slows any kind of attack to a crawl.
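The two-stage derivation described above, as an added sketch that is not CasperAuth's own code. PBKDF2-HMAC-SHA256, the round counts and the function names are assumptions, since the page names neither the algorithms nor their parameters; Python's `hashlib` stands in for the browser's SubtleCrypto on the client side.

```python
import hashlib, hmac, os

# Assumed parameters: the page names neither the algorithm nor its cost settings.
CLIENT_ROUNDS = 200_000
SERVER_ROUNDS = 100_000

def client_derive(password: str, public_salt: bytes) -> bytes:
    """Browser side: only this derived key ever leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), public_salt, CLIENT_ROUNDS)

def server_enroll(client_key: bytes) -> dict:
    """Server side: stretch again under a fresh random salt before storing."""
    salt = os.urandom(16)
    final = hashlib.pbkdf2_hmac("sha256", client_key, salt, SERVER_ROUNDS)
    return {"salt": salt, "key": final}

def server_verify(record: dict, client_key: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", client_key, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["key"])

def demo() -> dict:
    public_salt = b"constructed-public-salt"          # constructed sample value
    key = client_derive("correct horse battery", public_salt)
    record = server_enroll(key)
    return {
        "good_login": server_verify(record, key),
        "bad_login": server_verify(record, client_derive("wrong guess", public_salt)),
        # The stored value is not the login credential, so a leaked database
        # row cannot be replayed to the server as-is.
        "stored_equals_sent": record["key"] == key,
        "replay_of_stored": server_verify(record, record["key"]),
    }
```

The key the client sends is itself a login credential, which is why the server stores only the output of the second derivation.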
To further inhibit online brute-force attacks, a captcha system is implemented and will activate when a certain number of attempts have been detected either on a single account or from a particular IP address.
As a last line of defence, if a LARGE number of authentication attempts is detected against a particular user account, the user account is locked for a short time. This scenario is highly unlikely, but is in place in case of a successful captcha bypass attack.
Session Resuming
In the event that the websocket gets disconnected, the session can be re-established and re-authenticated with the use of a session token which is issued over the socket when a connection is established.
The session token is a signed JSON Web Token which contains the sessionID and device ID. It's sent to the server when the websocket reconnects, and used to resume an existing session.
While the session token is accessible by Javascript and could technically be stolen by some malicious code or browser extension, it's not possible to use it without the signed Device Code cookie which is not available to Javascript.
The session token also has a short expiry and is renewed on reconnection.
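The resume check described in this section, as an added server-side sketch that is not CasperAuth's own code. The HMAC-SHA256 signing, the `id.signature` cookie layout, the claim names `sid`/`did`/`exp`, the 300-second lifetime and the demo keys are all assumptions; the page only says that both values are signed and that the token carries the session ID and device ID.

```python
import base64, hashlib, hmac, json

# Constructed demo keys; the page does not say how CasperAuth signs either value.
COOKIE_KEY = b"demo-device-cookie-key"
TOKEN_KEY = b"demo-session-token-key"

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(key: bytes, msg: str) -> str:
    return b64u(hmac.new(key, msg.encode(), hashlib.sha256).digest())

def sig_ok(key: bytes, msg: str, sig: str) -> bool:
    return hmac.compare_digest(sign(key, msg).encode(), sig.encode())

def issue_device_cookie(device_id: str) -> str:
    return f"{device_id}.{sign(COOKIE_KEY, device_id)}"

def verify_device_cookie(cookie: str):
    device_id, _, sig = cookie.rpartition(".")
    return device_id if device_id and sig_ok(COOKIE_KEY, device_id, sig) else None

def issue_session_token(session_id: str, device_id: str, now: int, ttl: int = 300) -> str:
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sid": session_id, "did": device_id, "exp": now + ttl}
    body = b64u(json.dumps(claims).encode())
    return f"{header}.{body}.{sign(TOKEN_KEY, header + '.' + body)}"

def resume_session(token: str, cookie, now: int):
    """Return the session ID to resume, or None if any check fails."""
    device_id = verify_device_cookie(cookie or "")
    parts = token.split(".")
    if device_id is None or len(parts) != 3:
        return None
    header, body, sig = parts
    # The algorithm is pinned to HMAC-SHA256; the token's own "alg" is never trusted.
    if not sig_ok(TOKEN_KEY, header + "." + body, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now:
        return None          # short expiry: stale tokens cannot be replayed
    if not hmac.compare_digest(claims["did"].encode(), device_id.encode()):
        return None          # token was issued to a different device
    return claims["sid"]
```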
"Remember me"
The "Remember Me" feature consists of an optional signed cookie which can be requested when initially authenticating.
If the "remember me for 7 days" checkbox is ticked on the login screen, then a flag is set in the login message which requests an Auto Login Token. This token is generated only after authentication is successful, and a "claim code" is sent back to the browser.
The browser then makes a regular HTTPS request to exchange the claim code for the Auto Login Token, which is stored as a secure http-only cookie. Again, the device code cookie is checked here to ensure it matches the request, so the claim code can't be stolen and used by another user.
The claim code is remembered on the server and is validated each time the Auto Login Token is used, which allows the token to be invalidated.
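The claim-code exchange and server-side revocation described in this section, as an added sketch that is not CasperAuth's own code. The token layout (`claim_code.mac`), the in-memory `claims` store, the demo key and all function names are assumptions; `device_id` is taken to be the ID already recovered from a verified Device Code cookie.

```python
import hashlib, hmac, secrets

TOKEN_KEY = b"demo-auto-login-key"   # constructed demo key
TTL = 7 * 24 * 3600                  # "remember me for 7 days"
claims = {}                          # claim code -> server-side record

def _mac(code: str) -> str:
    return hmac.new(TOKEN_KEY, code.encode(), hashlib.sha256).hexdigest()

def _live(code, device_id, now):
    """Return the record if the claim is known, unrevoked, unexpired and on this device."""
    rec = claims.get(code)
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return None
    same = hmac.compare_digest(rec["device"].encode(), device_id.encode())
    return rec if same else None

def create_claim(user, device_id, now):
    """Called only after a successful login that carried the remember-me flag."""
    code = secrets.token_urlsafe(24)
    claims[code] = {"user": user, "device": device_id, "exp": now + TTL, "revoked": False}
    return code

def exchange_claim(code, device_id, now):
    """HTTPS exchange: returns the Auto Login Token for the http-only cookie."""
    if _live(code, device_id, now) is None:
        return None
    return f"{code}.{_mac(code)}"

def auto_login(token, device_id, now):
    code, _, mac = token.partition(".")
    if not hmac.compare_digest(_mac(code).encode(), mac.encode()):
        return None
    # The signature alone is not enough: the server-side record is consulted
    # on every use, which is what makes the token revocable.
    rec = _live(code, device_id, now)
    return rec["user"] if rec else None

def logout(token):
    code = token.partition(".")[0]
    if code in claims:
        claims[code]["revoked"] = True
```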
Log Out
Upon logout, the "Remember Me" token is invalidated, and any OAuth2 authorization on the device is invalidated.
The user's Avatar Name is remembered on the login screen, but this can be permanently removed by clicking the "X" next to the avatar name.
Other considerations
- Data compression to the API is disabled due to attacks like CRIME.
- We regularly review and conform to the latest industry standards and recommendations regarding our server configuration.
- HSTS is in force to ensure that TLS is always used to access the authorisation website.