The latest articles on DEV Community by Raul Bolivar Navas (@rasysbox). https://dev.to/rasysbox https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1291519%2F70fb3d38-9792-44a0-b044-364a75a0c12e.jpeg https://dev.to/rasysbox en Raul Bolivar Navas Thu, 13 Feb 2025 21:10:38 +0000 https://dev.to/rasysbox/authentication-flow-and-symmetric-keys-3iij https://dev.to/rasysbox/authentication-flow-and-symmetric-keys-3iij <p>Frontend and Backend are separated by two concepts but they are united by their interdependence, while the backend remains secure behind an infrastructure, perhaps a cloud like an <em>S3</em> or a <em>VPS</em> and even in containers like <em>EKS</em> or <em>AKS</em> etc. </p> <p>The frontend starts from the same point and when consulted by a client perhaps thousands of kilometers away over the Internet, the frontend is rendered on the client's machine obtaining the static files and the basic parameters to interact with the backend.</p> <p>In this sense, a solution that is continually accepted and widely used for many connections such as <em>SSH</em>, <em>SFTP</em> is the concept of symmetric keys (public/private).</p> <p>This concept is shown in the following figure.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7789svj4r8xyf8nfl7f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7789svj4r8xyf8nfl7f.png" alt="simmetric-keys" width="710" height="700"></a></p> <p>When the client (rendered frontend) sends data through forms such as this case a login/register, the data previously on the client's computer is encrypted with the public key which, as indicated, is publicly distributed.</p> <p>This encrypted data flow travels through either <em>HTTP</em> or HTTPS (the latter recommended for security), adding a second value to the security of the information provided by a client.</p> <p>This concept allows you to survive <em>Man-In-The-Middle</em> techniques, solving a second-instance vulnerability associated with the capture of sensitive data such as credentials, email, credit card numbers, among others.</p> <p>In the following figure I show an authentication flow for login/register that allows data to be encrypted on the client using the public key. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft33nojwz29n8yqy7ms6p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft33nojwz29n8yqy7ms6p.png" alt="simmetric-keys-login" width="800" height="579"></a></p> <p>This data travels through the medium, in this case the Internet, from a remote site to the backend, being secured by both <em>HTTPS</em> and <em>encryption</em>. </p> <p>When it reaches the backend, this data is decrypted by it using the private key, which is only known to the backend's secured services.</p> <p>I share a repository on GitHub with code in Nest.JS and Spring Boot Java for your observation.</p> <p><strong>GitHub:</strong> <a href="https://github.com/raulrobinson/symmetric-keys" rel="noopener noreferrer">https://github.com/raulrobinson/symmetric-keys</a></p> <p><em>@Author:</em> Raul Bolivar Navas<br> <em>Email:</em> <a href="mailto:rasysbox@hotmail.com">rasysbox@hotmail.com</a></p> security springboot nestjs fullstack