We understand the importance of security and try hard to keep this at a high level.
ExorLive is able to authenticate users both using internal and external services.
Authentication using the internal service
ExorLive does not store the users passwords, and does not require the user to send its password "over the wire" for authentication.
ExorLive stores only a SHA1 hash of the password in its database and uses HMAC-SHA1 for authenticating the user. In short, both the server and the user encrypts a shared random string (a challenge) using the SHA1 value of the users password (the server retrieves this from the database, while the client runs the SHA1 algorithm on the password provided by the user). The client then sends the result to the server, and if the result matches the one the server has calculated, the user is authenticated.
This means that neither the plaintext password, or the generated hash of the password is transmitted. And since the challenge is random and only valid for one attempt, there is no risk of a replay attack.
Authentication using external services
ExorLive can also use external services for authenticating users. This relies on the user trusting an external party to vouch for its identity, and requires that the user first uses the internal service for authenticating when attaching the external identity.
ExorLive supports providers like Google and Yahoo ID! using OpenID, and services like Windows Live ID, MySpaceID and Facebook Connect using RPX.
Users are also free to use any other service providing an OpenID Provider.
These two standards/technologies ensures that ExorLive can get confirmation that the person presenting a certain identity url (Yadis) for authentication actually owns this. This mechanism is then used first when attaching an identity to an ExorLive user, (the user has to sign in using the internal service to be authenticated to both parties), and later on when signing in using the external service (the user authenticates to the external party, ExorLive gets confirmation that the person owns the identity, and signs in the person as the ExorLive user who previously attached the identity to its profile.
Maintaining the users identity
To keep the user from having to authenticate on every request ExorLive will issue an authentication ticket. This mechanism uses AES for encrypting the users identity and uses SHA1-HMAC to bind the ticket to the users session. The tickets are only valid for a short time and will have to be renewed for continued access to the application. This is done automatically and ensures that if someone manages to copy the ticket they have only a small time window in which to use it.
It is considered impossible for anyone to gain access to this ticket if the client is using TLS (see Confidentiality) and the clients computer is free of malware.
The only way to gain access to the authentication ticket is on the server or through the clients web browser.
An example of attacks using the latter one is Cross Site Scripting (XSS), where an attacker inserts malicious code into the the application which will then be executed using the users privileges.
This code can either run the attack directly or it can grab the cookies present in the browser and send these to the attacker.
To avoid this we ensure that all input from users are validated and that data inserted into ExorLive is not presented to the clients browser in any way that can cause the browser to execute it.
All access (listing, reading and writing) to entities (users, workouts, scheduled activities etc) is controlled and any attempts to gain access to entities that the user is not privileged (authorized) to will raise an exception and be logged.
The users identity (user id and roles, provided by the authentication ticket), together with data from the system (the users organization and unit, organization-specific settings) is used by the ruleset to decide whether the action should be permitted or not.
Limiting access to entities in the system
The system provides confidentiality by ensuring that users are not able to get access to entities they are not authorized for.
Securing the transportation of information
Communication between the ExorLive servers and the client is secured using TLS (SSL) with a 1024 bit public key.
Our TLS-endpoints supports, and will use when available, 256 bit Camellia, the European Unions recommended block cipher standard.
Use of TLS is currently not mandatory but will soon be.
The integrity of data stored in the system
The system provides integrity by ensuring that users are not able to insert or edit entities they are not authorized for.
Most actions are logged, and users will later on be able to see an entities history.
All data is replicated on multiple servers real-time, and a full backup is generated and exported to a remote location every day.
The integrity of data transmitted
Data is protected during transmission with TLS (See Confidentiality).