Token based vs. Certificates based authentication
Read this earlier post on Web Services Security.
There are a couple of major differences between a token and a certificate.
A token is a bearer credential. The server signs it, either with a symmetric HMAC secret (HS256) that only the server holds, or with a private key (RS256/ES256) whose public half can be published for verification. The client holds no key of its own; it simply stores the token and presents it, so possession of the token is the whole proof. A certificate, by contrast, binds an identity to a key pair where the client alone holds the private key and must prove possession of it.
Token Based Authentication
If you understand session-based authentication, you almost understand token-based authentication. Both sessions and tokens impose ‘state’ onto the otherwise stateless HTTP request: that state records who the end user is and what they are authorized to access.
With session authentication, the user state is handled on the server-side.
With tokens, the state is managed on the client-side.
This also changes what an attacker can do with it. A token is a bearer credential, so anyone who captures it (from browser storage via XSS, from a log, from an unencrypted hop) can replay it until it expires, and a server that keeps no per-session state cannot revoke it without adding a denylist or keeping the expiry short.
How and where is the token generated?
Like the session id, the JWT (JSON web token) is generated on the server and signed with a key that stays on the server: an HMAC secret for HS256, or the server’s private key for RS256/ES256. It is sent to the browser client, which stores it and re-sends it with future requests in the Authorization header:
fetch("/api/resource", { method: "GET", headers: { "Authorization": `Bearer ${JWT_TOKEN}` } });
Certificate Based Authentication
Certificates use an asymmetric key pair (as opposed to the single server-held signing key behind a token). Certificates are based on public-key cryptography: the client keeps possession of the private key, which is never shared with anyone else.
The public key is sent to the Certificate Authority (in a certificate signing request, together with the subject’s identity) to be signed and stamped into a certificate. The certificate contains the client’s public key and the CA’s signature over it; that signature is made with the CA’s private key, but the private key itself is never placed in any certificate.
Server challenges the client to prove its identity –> Client signs a ‘challenge response’ using its own private key –> Server checks that it was indeed signed by the client by verifying the signature with the client’s public key (taken from the certificate). This is verification, not decryption: nothing is recovered from the signature, it is simply checked against the challenge, and a signature over an old or altered challenge fails.
In message-level security (e.g. WS-Security), instead of signing just a ‘challenge’, the client signs the entire message it sends to the server, so the server verifies the message’s origin and integrity in one step. (The exact flow (using WCF in .NET) is described in detail here.)
Summary
Both certificate-based and token-based authentication have important uses in today’s authentication flows. This post tries to clarify some key differences between the two.
Can we use both token based and certificate based authentication in an application?
Thanks for the synopsis. But JWTs can also be signed asymmetrically and the kid is included in the header. Then is the statement “Tokens are essentially a symmetric key. That means that the same key has to be both on the client and the server to be able to authenticate users. Certificates use an asymmetric set of keys. Certificates are based on public-key cryptography and the client has one key (the private key) that is never shared by anyone else.” still relevant?
I am evaluating a security solution for a financial client implementing check reorder capability and want to ensure we pick the right security model. Thanks