Security


Is CoSync Auth secure?

The answer rests on RSA public/private key cryptography. The RSA standard ensures a high level of security, resistant to simple brute force attacks. It serves as the foundation for cryptographic signatures in blockchain technology and all cryptocurrencies. Asymmetric RSA works on a straightforward principle: a message signed with a private key can be verified only with the corresponding public key from the key pair.

Regarding the JWT standard, the payload itself is not encrypted and can be read by anyone who holds the token; only the signature is produced with the private key. The signature is generated by running the RS256 algorithm (an RSA signature over a SHA-256 hash) with the private key over the header and payload of the JWT. It acts as proof for the MongoDB Realm instance that the JWT originated from the CoSync Auth system and not from a malicious third party.

CoSync Auth employs JSON Web Tokens (JWT) as a secure mechanism for identity management in a MongoDB Realm application. The CoSync Auth service stores a user’s handle and password in an encrypted database. When the application needs to validate a user’s credentials, it delegates this task to CoSync Auth. In the first pass, the user’s handle and password are validated against the stored credentials. In the second pass, the CoSync Auth service can further verify the user’s identity through Google’s two-factor authentication or by sending a code to the user’s verified phone number. Once the user’s credentials are verified, CoSync Auth signs a JWT token using the application’s secret private key, which is kept confidential.

The secret private key is stored within the CoSync Auth system, while the corresponding public key is configured in the MongoDB Realm application instance. This ensures that only the CoSync Auth system can sign authenticating JWT tokens on behalf of application users. To create counterfeit tokens, a malicious system would need access to the private key, which is securely encrypted in the CoSync Auth database.
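The signing and verification split described above, as an added example that is not CoSync Auth or MongoDB Realm code. It uses only Node's built-in `crypto` module; the function names, the throwaway key pairs and the `sub`/`exp` claims are assumptions made for illustration.

```javascript
// Added example (not CoSync Auth code): RS256 signing and verification with Node's crypto.
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (text) => Buffer.from(text, "base64url");

// Issuer role: sign "header.payload" with the private key (RSA PKCS#1 v1.5 + SHA-256).
function signJwt(payload, privateKey) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const signingInput = header + "." + b64url(JSON.stringify(payload));
  const signature = crypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return signingInput + "." + b64url(signature);
}

// The payload is only base64url-encoded, so it can be read without any key.
function readClaimsUnverified(token) {
  return JSON.parse(fromB64url(token.split(".")[1]).toString("utf8"));
}

// Verifier role: needs only the public key. Returns the claims, or null if rejected.
function verifyJwt(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(fromB64url(parts[0]).toString("utf8"));
    // Pin the algorithm; the token must not choose how it gets verified.
    if (header.alg !== "RS256") return null;
    const signed = Buffer.from(parts[0] + "." + parts[1]);
    if (!crypto.verify("sha256", signed, publicKey, fromB64url(parts[2]))) return null;
    const claims = readClaimsUnverified(token);
    // Reject expired tokens ("exp" is in seconds since the epoch).
    if (typeof claims.exp !== "number" || claims.exp <= Date.now() / 1000) return null;
    return claims;
  } catch {
    return null; // malformed JSON or encoding
  }
}

// Constructed sample data: throwaway key pairs and claims made up for this example.
const issuer = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const other = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const sampleClaims = { sub: "user-123", exp: Math.floor(Date.now() / 1000) + 300 };
const token = signJwt(sampleClaims, issuer.privateKey);

console.log("readable without a key:", readClaimsUnverified(token));
console.log("verified with issuer public key:", verifyJwt(token, issuer.publicKey) !== null);
console.log("token signed by another key accepted:",
  verifyJwt(signJwt(sampleClaims, other.privateKey), issuer.publicKey) !== null);
```

The verifier never touches the private key, and a token whose header, payload or signing key differs from what the issuer produced comes back as `null`.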