Google Opting For Standards, Certificates Over Keys, Passwords

Posted on Mar 23 2012 - 11:01am by CONTRIBUTOR

Editor’s Note: Guest Author Pratibha is a technology enthusiast interested in analysing and reporting about different technologies.

Google appears to be moving away from the shared keys and passwords that developers use to access its server platforms, in the name of better security. The search giant unveiled Service Accounts, which provide certificate-based authentication built on a promising identity standard and a variety of access token types to secure server-to-server communication.

When web applications interact with Google services such as Cloud Storage, certificates support stronger security. With certificates, the application requesting data has to prove its identity before it can access an application programming interface (API), and certificate validation requires no user interaction.

In a blog post, Google product manager Justin Smith wrote that certificates offer improved security because, unlike shared keys and passwords, they cannot be read or guessed by humans. Google is the first service provider to employ certificate-based authentication on top of the fast-growing OAuth 2.0 protocol, which is close to final approval as a standard at the Internet Engineering Task Force (IETF).

JavaScript Object Notation (JSON) is a lightweight data-interchange format. The flow that obtains and authenticates the certificate and its payload uses JSON Web Tokens (JWT), which are exchanged for OAuth 2.0 access tokens on Google’s side. “The benefits are fewer passwords, stronger authentication, improved security, interoperability, and choice of vendors,” said Brian Campbell, a co-author of the IETF draft specification that outlines how a JWT is used to request an OAuth 2.0 token. (Disclosure: Campbell is a senior architect for my employer, Ping Identity.)

Google’s move to certificate-based authentication shows how OAuth can be integrated with PKI and existing corporate certificate tools. The design also relies on asymmetric cryptography, so Google never holds a copy of a company’s private key.

Google’s Service Accounts capabilities are initially being added to a host of its developer services, including the Google Prediction API, Google URL Shortener, Google OAuth 2.0 Authorization Server, Google APIs Console, and the Google APIs Client Libraries for Python, Java, and PHP. Google will ease integration for developers by providing a few lines of code that can be dropped into applications. The company plans to add Ruby and .NET support at a later date.

Applications that integrate authentication technologies can prove complicated and exposed, as highlighted in a recent technical paper from Microsoft Research. The paper showed that API integrations built on poor code written by web site developers led to serious security flaws in web-based SSO.

To that end, Google is strongly advising developers not to write their own logic for creating and cryptographically signing the JWT tokens used with the OAuth 2.0 specification, and to use libraries instead. In its Service Accounts documentation Google says: “Writing the code that abstracts token creation and signing is prone to errors that can have a severe impact on the security of your application.”
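To make concrete what that advice covers, here is an added example (not Google’s code, nor code from the article) of the assertion flow described above: the client signs a JWT header and claims with its private key, and the token endpoint, holding only the registered public key, checks the signature, audience and expiry before it would issue an access token. The claim names follow the JWT draft; the identities, audience and timestamps in the test are constructed, and the Claims struct and function names are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
type Claims struct {
	Iss   string `json:"iss"`   // service-account identity
	Scope string `json:"scope"` // API scopes requested
	Aud   string `json:"aud"`   // token endpoint this assertion is meant for
	Exp   int64  `json:"exp"`   // Unix seconds; keep it short to limit replay
}

// MintAssertion is the client side: sign header.claims with the private key (RS256).
func MintAssertion(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyAssertion is the token endpoint's side: with only the public key it checks signature, audience and expiry.
func VerifyAssertion(pub *rsa.PublicKey, jwt, wantAud string, now int64) (c Claims, err error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature") // only the private-key holder can pass this
	}
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed claims")
	}
	if c.Aud != wantAud || now >= c.Exp {
		return Claims{}, errors.New("wrong audience or expired")
	}
	return c, nil
}
```

The verifier never sees the private key, which is the property the article highlights; a library implementation additionally pins the accepted algorithm and validates the header, which this example leaves out.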
