Why does AWS distribute a private key to address the authentication problem?

AWS provides access to EC2 by having you download the private key (.pem) onto the management host that connects to EC2.

AWS uses the openssl tool.

Key providers generally provide the public key but not the private key, because with key pairs one can encrypt with either the public key or the private key and decrypt with the other, as shown below:

    $ openssl genrsa -out mykey 2048
    $ cp mykey privatekey
    $ openssl rsa -in mykey -pubout -out publickey
    $ rm mykey
    $ # Encrypt with the public key
    $ echo "the cat sat on the mat" | openssl rsautl -encrypt -pubin -inkey publickey > cipher.txt
    $ # Decrypt with the private key
    $ cat cipher.txt | openssl rsautl -decrypt -inkey privatekey

1) Why does AWS distribute the private key instead of the public key? For secure communication…

2) A key pair is mainly for securing communication on the wire, not for authenticating a user to access a resource in AWS.

ssh -i something.pem user@ec2-public-dns-name

How does distribution of a key solve the authentication problem? The key can be stolen by the wrong person… Why does AWS allow SSH login to EC2 without a password?
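The exchange behind `ssh -i something.pem user@host`, as an added example that is not part of the original post: the server (EC2's sshd) keeps only the public half of the key pair in the instance's authorized_keys, and the client proves it holds the private half by signing a fresh random challenge. The two small primes, the user name and the toy RSA construction are assumptions made so the demo runs with the Python standard library alone; real keys are 2048+ bits and use proper signature padding.

```python
"""Toy model of SSH public-key authentication (what `ssh -i key.pem` does).

Added example, not from the original post. The server stores only the
PUBLIC key; the client signs a per-attempt random challenge with the
PRIVATE key. Textbook RSA over two hard-coded small primes is used so the
code runs offline; it is deliberately insecure and illustrates the
protocol, not real key sizes or padding.
"""
import hashlib
import secrets

# Constructed toy parameters (assumption: two well-known small primes).
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)                         # what ends up in authorized_keys
PRIVATE_KEY = (N, D)                        # what is inside the .pem file


def _digest(data: bytes, n: int) -> int:
    """Map bytes to an integer below n (real RSA uses PSS/PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(challenge: bytes, private_key) -> int:
    """Client side: sign the server's challenge with the private exponent."""
    n, d = private_key
    return pow(_digest(challenge, n), d, n)


def verify(challenge: bytes, signature: int, public_key) -> bool:
    """Server side: check the signature using the public exponent only."""
    n, e = public_key
    return pow(signature, e, n) == _digest(challenge, n)


class Server:
    """Stands in for sshd: holds the public key, never the private one."""

    def __init__(self, public_key):
        self.public_key = public_key
        self._pending = {}

    def new_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)        # fresh per attempt: no replay
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, signature: int) -> bool:
        nonce = self._pending.pop(user, None)
        return nonce is not None and verify(nonce, signature, self.public_key)


def client_login(server: Server, user: str, private_key) -> bool:
    """One authentication exchange from the client's point of view."""
    challenge = server.new_challenge(user)
    return server.login(user, sign(challenge, private_key))


def demo():
    """Returns (owner_ok, without_key_ok, stolen_key_ok, replay_ok)."""
    server = Server(PUBLIC_KEY)
    owner_ok = client_login(server, "ec2-user", PRIVATE_KEY)
    # Someone who knows only the public key has no d to sign with; here they
    # try the public exponent as a guess and the signature does not verify.
    without_key_ok = client_login(server, "ec2-user", PUBLIC_KEY)
    # Whoever holds the .pem file IS the owner as far as sshd can tell.
    stolen_key_ok = client_login(server, "ec2-user", PRIVATE_KEY)
    # Replaying a captured signature fails: the nonce has been consumed.
    challenge = server.new_challenge("ec2-user")
    captured = sign(challenge, PRIVATE_KEY)
    server.login("ec2-user", captured)
    replay_ok = server.login("ec2-user", captured)
    return owner_ok, without_key_ok, stolen_key_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The third result is the answer to "the key can be stolen": possession of the private key is the credential, exactly as a password would be, which is why the .pem must be protected (file mode 0400, never committed to a repository) and why AWS never keeps a copy of it.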

Do any desktop PC motherboards require hardware token authentication?

Scenario: I am assembling a desktop computer. I buy an ASUS XYZ motherboard because it will not run — or, even better, its running state cannot be altered, short of pulling the plug — without hardware token authentication. The XYZ motherboard comes with two YubiKeys. If I lose those, I can buy additional copies from ASUS, after posting bond and passing a DNA test.

I’m kidding about the DNA test. Or maybe not. The question is, does anything like the ASUS XYZ motherboard exist?

A prior question initially appeared to be seeking the same information, but its focus on laptops seems to explain its apparent satisfaction with a software solution oriented toward data encryption (e.g., Sophos SafeGuard Easy).

The usability drawback of using biometrics for device authentication but not for device decryption after reboot?

What if your device gets locked for a long while because you cannot remember the password? Well, that used to be a rare case, because people used to type their device's password frequently to access it, and the chance of this happening depends on how long they go without using that device. (Part of the ability to remember something depends on how frequently you use it, retrieve it, or think of it; but what happens when you don't retrieve that information for a while?)

Many devices (both mobiles and laptops) are now switching to biometric authentication, and this authentication is only used to unlock the screen, not to decrypt the disk after a reboot, for many valid reasons.

However, I was concerned that using the password less frequently (because people reboot their systems less frequently) and relying on biometric authentication because it is easy and fast can increase the chance of the user forgetting his password. That makes it a big challenge when the system forces a reboot for an update, or suddenly shuts down because the battery is low (which usually happens in the middle of your work 🙂 ), and you end up wasting a lot of valuable time trying to remember the password. If you're lucky, you will figure out what password you used. If not… I'm not sure what's going to happen; you'll have to take a very long route to recover it, because it isn't as simple as "Forgot password? Send reset email".

What I am saying is: is it true that relying on biometrics increases the likelihood of forgetting an essential, hard-to-recover password?

If so, how can we minimize that? Is it by supporting better techniques to recover the password?

Or does the actual problem reside in remembering passwords, and must users be aware that they should use a password they are almost sure they will never forget?

Do integrity and authentication always come together?

I cannot come up with a case where there is only one of them.

When there is integrity, a random person cannot modify the message without being noticed. That is, an unauthenticated user cannot modify the message without being noticed. Therefore there is authentication.

When there is authentication, nobody except the sender can change the message after the MAC or signature is added. Therefore there is integrity.

Am I missing something?
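The two properties the question compares, as an added example that is not part of the original post: an unkeyed checksum is computed over the message alone, so a receiver can detect that bytes changed in transit, but anyone can recompute it for a substituted message; a MAC is computed over the same message with a key shared only by sender and receiver, so a valid tag proves both that the bytes are unchanged and that a key holder produced them. The shared key, the attacker's guessed key and the messages are constructed for the demo.

```python
"""Unkeyed checksum versus keyed MAC, seen from the receiver's side.

Added example, not from the original post. Shows what each tag lets a
receiver conclude when a message is corrupted, substituted by an attacker
without the key, or sent by the genuine key holder.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: pre-shared
ATTACKER_GUESS = b"not-the-real-key"                 # attacker lacks SHARED_KEY


def checksum(message: bytes) -> bytes:
    """Unkeyed integrity tag: anyone can recompute it for any message."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed tag: only holders of `key` can produce a valid one."""
    return hmac.new(key, message, hashlib.sha256).digest()


def accept_checksum(message: bytes, tag: bytes) -> bool:
    """Receiver decision for (message, checksum); constant-time compare."""
    return hmac.compare_digest(checksum(message), tag)


def accept_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver decision for (message, mac) under the receiver's key."""
    return hmac.compare_digest(mac(key, message), tag)


def demo():
    """Receiver decisions for four delivered (message, tag) pairs."""
    original = b"transfer 10 to alice"
    forged = b"transfer 10 to mallory"
    corrupted = original[:-1] + b"!"          # one byte changed in transit
    return {
        # Checksum catches accidental corruption: tag no longer matches.
        "checksum_corrupted": accept_checksum(corrupted, checksum(original)),
        # Checksum cannot catch substitution: attacker recomputes the tag.
        "checksum_forged": accept_checksum(forged, checksum(forged)),
        # MAC: attacker without the key cannot produce a tag the receiver accepts.
        "mac_forged_wrong_key": accept_mac(SHARED_KEY, forged, mac(ATTACKER_GUESS, forged)),
        # MAC: a tag from a key holder is accepted, and it also binds the bytes.
        "mac_genuine": accept_mac(SHARED_KEY, original, mac(SHARED_KEY, original)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second case is the one to look at when weighing the question: the checksum gives integrity against noise without saying anything about who produced the message, while the MAC in the last two cases gives origin authentication and, because the tag covers every byte, integrity as a consequence.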

Too many redirections after turning off Anonymous Authentication

I am running on-prem SharePoint 2013 and writing a web application that will access SharePoint lists using CSOM.

I am using Claims Authentication and have Anonymous Access allowed for the web app.

Here are the first few lines of CSOM:

    Dim ouritems As ListItemCollection
    Using cc As New ClientContext(siteURL)
        Dim ourList As List = cc.Web.Lists.GetByTitle(listTitle)
        cc.Load(ourList)
        cc.ExecuteQuery()
        ' ... remaining list access omitted ...
    End Using

Everything is working just fine.

I now turn Anonymous Access off.

My ExecuteQuery (the first access to SharePoint in the application) now fails with an exception: Too many redirections were attempted.

Can anyone explain the connection between turning off Anonymous Access and the exception?

Security Risk of Stolen Session ID vs Authentication Token

I was intrigued by the discussion of this SO question as well as the accompanying blog post. I’m trying to better understand the mechanics of the two systems, and one of the questions I came up with is how much worse is it to have a token stolen vs. a session ID?

Here’s what I understand so far, and please do correct me if I’m wrong:

A session ID is an opaque reference to actual session data stored on the server. It is safe insofar as it is random enough to not be guessed easily, and the data is safe because it is not directly accessible by or beholden to the front-end. The session ID is stored in a cookie to simplify authenticated requests.

An authentication token is a plaintext segment of JSON user data with a cryptographic signature that verifies the data’s integrity. It is tamper-proof because of the signature, so no one can simply come up with their own token. The data it grants access to is safe on the server, except of course what is present in the token (which even then can be encrypted if need be). The token is also often stored in a cookie to simplify authenticated requests.

So here is what I do not understand. The way I see it currently, it seems just as likely that a token be stolen as a session ID, e.g. anyone breaking past my SSL and viewing my token would be able to view a session ID as well. Either event gives the attacker complete access to my account and all associated authorization. So in terms of the event likelihood and the resulting damage, is an authentication token really any worse than a session ID, as the article claims?

The one thing I could see potentially being worse for tokens is if the signing secret were somehow found out, in which case the attacker can do anything with anyone’s account, rather than just mine. However I almost want to relegate this to the reasonable unlikelihood of someone first breaking RSA, in which case they can get past SSL, and then what good is a session ID anyway?
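The difference the question is circling, as an added example that is not part of the original post or of the linked article: a session ID is a random handle to server-side state, so the server can end a stolen session by deleting that state, whereas a self-contained signed token carries its own claims and keeps verifying until its expiry, and its signature only proves the claims were not altered after signing. The signing secret, user names and clock values are constructed for the demo, and the token format is a minimal HMAC-SHA256 design rather than a full JWT.

```python
"""Stolen session ID versus stolen signed token: what the server can do.

Added example, not from the original post. Contrasts a server-side session
table (revocable at will) with a stateless payload.signature token
(valid until `exp`), and shows the two token failure modes the post
mentions: a tampered payload, and an attacker who holds the signing secret.
"""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_SECRET = b"constructed-signing-secret"   # assumption: known only to the server


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """payload.signature, where the signature is an HMAC over the payload bytes."""
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: int, secret: bytes = SERVER_SECRET):
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None                          # tampered payload or wrong key
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None                          # expired
    return claims


class SessionStore:
    """Server-side session table keyed by an opaque random session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"sub": user}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo():
    """Returns (session_after_revoke, token_after_revoke, tampered, forged_with_secret)."""
    now = 1_700_000_000                      # constructed clock value
    # Stolen session ID: deleting the server-side entry ends the attacker's access.
    store = SessionStore()
    sid = store.create("alice")
    store.revoke(sid)
    session_after_revoke = store.lookup(sid)
    # Stolen token: there is nothing server-side to delete; it verifies until exp.
    token = issue_token({"sub": "alice", "exp": now + 3600})
    token_after_revoke = verify_token(token, now + 60)
    # Attacker edits the payload to claim another identity: signature no longer matches.
    _, sig = token.split(".")
    edited = _b64(json.dumps({"exp": now + 3600, "sub": "admin"},
                             sort_keys=True, separators=(",", ":")).encode())
    tampered = verify_token(f"{edited}.{sig}", now + 60)
    # Attacker who obtained SERVER_SECRET can mint any identity at all.
    forged = verify_token(issue_token({"sub": "admin", "exp": now + 3600}), now + 60)
    return session_after_revoke, token_after_revoke, tampered, forged


if __name__ == "__main__":
    print(demo())
```

The practical consequences follow from the second and fourth results: a stateless token needs a short lifetime (or a server-side denylist, which reintroduces the state a session table already had) to limit what a thief can do, and the signing secret has to be guarded as carefully as the session store, since it lets an attacker impersonate every user rather than one.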

Sharepoint Designer 2013 authentication problems

My company uses O365 SharePoint sites that I would like to be able to edit using SharePoint Designer 2013, however I am experiencing some problems making it work. I open SharePoint Designer 2013 and I go to Account and click on Add a service, then storage and select the option for Office 365 SharePoint. I am then asked for my email address, which I provide. The next screen asks for my password, which again I provide. Once that is done I see that 2 services are added, OneDrive – My company name and Sites – My company name. Both these entries state that to connect I’ll need to provide my user name and password. So I click on the connect button and it brings up a sign in window, already populated with my email address as the user ID. When I enter the password and click Sign in it fails with a pop up error message saying “The username or password for Sites – My company name isn’t correct. Please try again”

I know the password is correct, and I’m not the only user experiencing this exact same problem. Can anyone explain why this would be and how to fix it?

Moving large files with modern authentication

I am trying to move files from one site collection to another. The following code works for smaller files but not for large files, due to memory exceptions:

    if (item.FileSystemObjectType == FileSystemObjectType.File)
    {
        var fileName = item["FileLeafRef"] as string;
        var fileSize = item["File_x0020_Size"];

        item.Context.Load(item.File);
        // OpenBinaryStream returns a ClientResult<Stream>; its Value is only
        // populated once the query has been executed, so execute before using it.
        var binary = item.File.OpenBinaryStream();
        item.Context.ExecuteQueryWithIncrementalRetry(3, logger);

        using (var stream = binary.Value)
        {
            var fi = new FileCreationInformation();
            fi.ContentStream = stream;
            fi.Url = fileName;
            fi.Overwrite = true;
            folder.Files.Add(fi);
            destLibrary.Context.ExecuteQueryWithIncrementalRetry(3, logger);
        }
    }

Is there any way to do the same in batches? Note that SaveBinary etc. cannot be used with modern authentication.