Security on ARI Systems

GPG

Sat, 08 Oct 2022 00:00:00 +0000

References

Creating GPG secret key

Ensure GPG is Installed

Copy

1
2

gpg --version
brew install gpg

Generate or Import a GPG Key

Copy

`1`	`gpg --full-gen-key`

Copy

`1`	`gpg --import /path/to/your/private-key.asc`

Set the Default GPG Key

Copy

`1`	`gpg --list-secret-keys --keyid-format LONG <EMAIL>`

Copy

sec   rsa4096/30F2B65B9246B6CA 2017-08-18 [SC]
      D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid                   [ultimate] Mr. Robot <your_email>
ssb   rsa4096/B7ABC0813E4028C0 2017-08-18 [E]

Find the key you want to use and note its ID. Set it as the default by adding it to your Maven configuration in the settings.xml file or your pom.xml.

JSON Web Tokens - jwt

Thu, 26 Nov 2020 00:00:00 +0000

References

JWT Authentication Flow

The flow of the authentication process is:

User logs in using their credentials. On a successful login, the server issues an access token which is valid for a certain period of time (say 10 minutes) and a refresh token with a longer lifetime (say 24 hours for apps dealing with sensitive data. Simpler apps can have for days or even months). The client (frontend) stores refresh token in local storage (not database) and access token in cookies.
On every request to a protected resource, the access token must be provided in the request as a header.
When the access token expires after the stipulated time (10 minutes in our case), the client side app sends a request to generate a new access token, using the refresh token. This continues throughout the lifetime of the refresh token.
Once the refresh token is expired, the user will be logged out and needs to log in again.

5 modules associated with the authentication process are:

SSL

Sun, 02 Sep 2018 00:00:00 +0000

References

Difference between the certificate files

.key is the private key. This is accessible the key owner and no one else.
.csr is the certificate request. This is a request for a certificate authority to sign the key. (The key itself is not included.)
.crt is the certificate produced by the certificate authority that verifies the authenticity of the key. (The key itself is not included.) This is given to other parties, e.g. HTTPS client.
.pem is a text-based container using base-64 encoding. It could be any of the above files.
Copy
1 2 3

-----BEGIN EXAMPLE----- ... -----END EXAMPLE-----
.p12 is a PKCS12 file, which is a container format usually used to combine the private key and certificate.

Note that there isn’t only one extension for the certificate produced by the certificate authority. For example you may see certificates with either the .crt or a .pem extension.

SSH

Wed, 09 Aug 2017 23:05:00 +0000

Remove domain from ssh known hosts if you already have

Copy

`1`	`$ nano ~/.ssh/known_hosts`

Checking for existing SSH keys

Enter ls -al ~/.ssh to see if existing SSH keys are present:

Copy

1
2

ls -al ~/.ssh
# Lists the files in your .ssh directory, if they exist

Check the directory listing to see if you already have a public SSH key.