Blog

Categories:
18. 2. 2025
Security Cryptography
Web services authentication mechanisms

Web Services Authentication Mechanisms

Part of the security of web services are authentication and authorization mechanisms, allowing access to the data only for the corresponding persons. The question is how well known are the restrictions. These settings should include appropriate architecture, protection and detection means. Today, web portals are used in all organizations, and inappropriate data protection has consequences.

Web Browser Authentication Mechanisms

Another loose continuation of authentication mechanisms deals with the issue of web browsers this time. Their access to authentication data protection is very loose and relies mainly on transport encryption. Unfortunately, the SSL/TLS layer has its limitations, which must be taken into account. Therefore, it is necessary to start explaining how the HTTP authentication itself works, what the SSL/TLS layer offers, and where these methods meet.
The most often underestimated impact on the security of authentication mechanisms is the passing of parameters within the URL, when the passed values are stored, for example, in traffic records. Another vice is the underestimation of the necessary security, part of the pages may have protection set, but in case of redirection to the authentication portal, this protection is missing. Similarly, SSL/TLS security is problematic, when the protection against a possible SSL Inspection is not set. As a last influence, it is also necessary to include the telemetry information of the browser, the ability to automatically correct text or various plugin modules, which send information to their authors. Therefore, browsers cannot be taken as safe environment and authentication algorithms should always require an additional factor for the reasons given.

HTTP protocol authentication principles

In case of accessing a web address, the normal response to a GET query from a web page is OK 200. Subsequently the requested data is sent. In case of accessing protected content, however, the communication is slightly different. In case of a GET query, the page returns the code 401 Unauthorized, which forces authentication by the client. If the authentication ends in an error, the code 403 Forbidden is returned. Of course, other codes are possible, such as the code 404 Not Found, but this is no longer related to authentication.

Authentication mechanisms available

Currently, the most commonly used mechanisms in the table below are available for both Brave browsers, Chrome, Chromium, Edge, Firefox, Opera, Safari, Vivaldi and more. On the web site side, such as Apache, Apache Tomcat LightHttp, Microsoft IIS and NGINX are the same set. The difference here is created by support for internal infrastructure, where additional mechanisms such as Kerberos, LDAP and SAML are supported.

Authentication mechanismCryptoprimitivesOrigin SSL/TLS supportRFC and standards
HTTP Basic AuthenticationBASE641996 Optional but recommended (TLS 1.0+)RFC 7617
HTTP Digest AuthenticationMD5
SHA256		1997 Optional but recommendedRFC 7616
WebAuthnECDSA
SHA-256
AES		2018 Requires HTTPS
support from SSL 3.0
recommended TLS 1.2+		W3C WebAuthn
RFC 8809
TLS Client Certificate AuthenticationX.509 Certificates1995 TLS 1.0+, better TLS 1.2+RFC 2246
RFC 5246
RFC 8446
OAuth 2.0RSA
ECDSA
SHA256		2012 Requires HTTPS (TLS 1.2+)RFC 6749
RFC 6750
OpenID ConnectRSA
ECDSA
SHA256		2014 Requires HTTPS (TLS 1.2+)OpenID Core 1.0
RFC 7519

HTTP Basic Authentication

This is the simplest form of authentication. In case of detection of authentication request, i.e. return of error message 401 Unauthorized along with WWW-Authenticate: Basic realm="Secure Area" will be headed on next HTTP query added value to request:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQK
The text string behind the authentication type definition contains the string username:password encoded using Base64. Because it is an encryption, not an encryption, it is necessary to use transport encryption protection (SSL/TLS). In another In case it is possible to obtain the original username and password extremely easily.

Channel Binding: No
Realms: No
Cryptoprimitives: No
Authentication participants: 2
PQC/QRC: No
ZKP: No
Crypt interface support: Server side
Tokenization: No
Uniqueness: No
Credentials protection: No
Replay protection: No
Protection against Relay: No
Hijack protection: No
Forge protection: No
MFA support: Possible, there must be application level support
Integrity protection: No
Encryption type: No, necessary to use SSL/TLS

HTTP Digest Authentication

This is a slightly improved but still outdated form of authentication. Unlike plaintext authentication, hash usage occurs MD5. The weaknesses of the hash function led to the release of the new RFC 7616 in 2015, which allowed the MD5 function to be replaced by hash functions of the SHA2 family (SHA2-256, SHA2-384, SHA2-512, SHA2-512/256). When using HTTP Digest Authentication with hash function SHA2 thus significantly improves its safety properties. Custom login again occurs in case of access to deny access using the error message 401 Unauthorized along with the following information:
WWW-Authenticate: Digest
realm="Secure Area", nonce="000102030405060708090a0b0c0d0e0fff",
qop="auth", opaque="5ccc069c403ebaf9f0171e9517f40e41"

Based on the answer, it is possible to detect whether the standard MD5 algorithm is used or a new standard with SHA2 support. In the case of in the SHA2 hash function, the response is extended by algorithm=SHA-256. Client detecting authentication request subsequently asks to be connected again. In the header this time it will add some data from refusal of access along with information that can server perform its authentication. These are the following dates:
Authorization: Digest username="user", realm="Secure Area",
nonce="000102030405060708090a0b0c0d0e0fff", uri="/secure",
response="123456789abcdef123456789abcdefff", qop=auth, nc=00000001, cnonce="02468ace"
The answer is calculated as the result of the hash function (example for MD5) with the following content.
response = MD5(MD5(username:realm:password)+nonce+nc+cnonce+qop+MD5(method:uri)

Channel Binding: No
Realms: No
Cryptoprimitives: MD5, SHA2
Authentication participants: 2
PQC/QRC: No
ZKP: No
Crypt interface support: Server side
Tokenization: No
Uniqueness: No
Credentials protection: Yes
Replay protection: Yes
Relay protection: No
Hijack protection: No
Forge protection: Yes
MFA support: Possible, there must be application level support
Integrity protection: No
Encryption type: Hash, necessary to use SSL/TLS

TLS Client Certificate Authentication

In the case of authentication using a client certificate, the most common problem is a possible misstep with mTLS (mutual TLS), because these are extremely similar technologies. In normal TLS connection-making, a server certificate is provided in order to initialize a secure connection. Even in this area, there is a simple misstep, as it does not verify the server's correct certificate, but it does verify its validity and some of the certificate's properties. These are two different pieces of information with different meanings.

In the case of detection of an authentication request, an error message 401 Unauthorized is returned along with the information:
WWW-Authenticate: TLS-Cert Other alternatives requiring certain conditions are answers containing outside of the certificate request further clarifications of their various combinations:
• Certificate's affiliation to a specific CA
  nbsp;WWW-Authenticate: TLS-Cert, CA="CN=TrustedAuthority, O=Organization, C=Country"
• Required attribute
 WWW-Authenticate: TLS-Cert, Subject="CN=Name Surname, O=Organization"
• Required specific policy
 &&&& WWW-Authenticate: TLS-Cert, Policy="1.2.840.113549.1.1.11"
• Required specific certificate signing algorithm
 & WWW-Authenticate: TLS-Cert, Alg="ECDSA"
Other parameters include SAN (Subject Alternate Name), Serial Number, and certificate imprint. Based on the information obtained the client terminates the connection and creates a new one where it provides the server with information about its client certificate.
During the process of establishing the prompt that the client signs is exchanged. The client of the server, based on its request (Certificate Request), additionally responds with the requested information about its certificate.
Client Certificate: [Base64-encoded X.509 certificate] Signature: [Digitally signed challenge]
This is actually a classic Client Certificate message during the TLS connection initialization. Subsequently, the server checks whether the client certificate is valid and meets the defined conditions. Then, the client reapplies for access to the source, the server, based on the available information, pairs the client certificate against the source authentication requirements. This is therefore an optional authentication of the client, usually used for VPNs and secure sites. For establishing the connection to the communication channel (Channel Binding), it can be used tls-unique and tls-server-end-point, where tls-unique in TLS 1.3 is no longer supported.
In the case of mTLS, during the TLS layer-level connection, the server certificate is provided in order to initialize the secure connection. Even during this initialization, the server requires a certificate, but here it is a mandatory authentication of the client. It is usually used for various APIs, micro-service communications or even Kubernetes.
An interesting feature of TLS Client Certificate Authentication is the possibility of user authentication and specific links to a certificate, for example using a user database, Active Directory or LDAP database, OAuth 2.0 and OpenID Connect. In this case, it is possible to proceed with further comparison of certificate properties on the application layer.

Channel Binding: Possible
Realms: No
Crypto-primitives: by ciphersuites SSL/TLS
Attendees authentication: 2
PQC/QRC: Not by default, possible by TLS 1.3
ZKP: No
Support crypt: No
Tokenization: No
Uniqueness: Yes
Protection credentials: Yes
Protection against Replay: Yes
Protection against Relay: Yes
Protection against Hijack: Yes
Protection against Forge: Yes
Support for MFA: Possible, there must be support at the application level
Integrity protection: Yes
Encryption type: SSL/TLS, part of authentication

WebAuthn

Currently, the most widely publicized authentication standard is WebAuthn, which allows you to use a variety of methods to authenticate key material or support biometric authentication. The goal is to minimize the use of passwords, which are often characterized by low entropy, lack of randomness and unpredictability, in favor of key material. Key material is unique to the user/server combination. This also reduces the risk of multiple use of identical passwords across different systems. On the server side, there is no need for a password database, which reduces the likelihood of their leakage. Public keys are useless to the attacker, as a matter of principle they are available to everyone. Furthermore, this protocol requires the use of at least TLS 1.2 or higher version to protect the transferred information.
WebAuthn works very simply by using asymmetric cryptography. At the beginning, the client generates a pair of keys. The private key remains locally stored (TPM, token, enclave, strongbox). The public key is then registered on the server side. As a result, the server has information about the user and the corresponding public key. In case of use of biometric verification biometrics are only used to allow access to key material. If the user wants to log in, sends information about the server request. The client then sends a call, which the client signs and sends back to the server. There is thanks signature verification options using a public key can get information if the corresponding user is logging in.

Registration:
Server → Client:  CS = RND (32B)
Client:        M = CS || CredentialID || KPublic
Client:        Signature = DSA (KPrivate, M)
Client → Server:  Response={M, Signature}

Login:
Server → Client:  CS=RND(32B)
Client:        M=CS∥ClientData∥AuthenticatorData
Client:        Signature=DSA(KPrivate,M)
Client → Server:  Response={CS,AuthenticatorData,Signature,credentialId}

Channel Binding: Possible
Realms: No
Cryptoprimitives: by ciphersuites SSL/TLS
Authentication participants: 2
PQC/QRC: Not by default, possible with TLS 1.3
ZKP: No
Crypt interface support: No
Tokenization: No
Uniqueness: Yes
Credentials protection: Yes
Replay protection: Yes
Protection against Relay: Yes
Hijack protection: Yes
Protection against Forge: Yes
MFA support: Possible, there must be application level support
Integrity protection: Yes
Encryption type: SSL/TLS, authentication included

OAuth 2.0

Outside the upcoming WebAuth, which is especially popular because of its connection with various tokens (Yubikey, Titan …) or TPM, are another popular method of authentication third-party systems. These provide authentication and provide authorization information for accessing web portals or applications. In case of OAuth 2.0 it is possible to use the functionality of federated verification. This algorithm is described among the SASL mechanisms in another article, so here I will describe only the basic difference when using the web interface. If necessary, understand the principle of operation I recommend using the link dedicated to this protocol The OAuth 2.0 interface requires the use of TLS 1.2+ to ensure secure communication. Unlike OpenID Connect allows the use of a refresh token to create a new token request. The procedure then looks approximately as follows. Client tries to sign in with a specific token or accesses without a token: Authorization: Bearer <expired_token>

The server returns an error message that indicates an invalid or expired token. The same way returns it even if when the user has not yet been logged in.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="REALM", error="invalid_token", error_description="The access token is expired"

The client needs to get the corresponding token, so they need to log in again on the authentication server:

Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=<refresh_token>&client_id=<client_id>&client_secret=<client_secret>

Authentication server issues a new token:
HTTP/1.1 200 OK
Content-Type: application/json

{
  nbsp nbsp;"access_token": "new_access_token",
  nbsp nbsp;"token_type": "Bearer",
  nbsp nbsp;"expires_in": 3600
}
The client connects to the application server again:
Authorization: Bearer new_access_token

And if the token is correct, the application server will allow access:
HTTP/1.1 200 OK

Channel Binding: No
Realms: Yes
Crypto-primitives: Obsolete (RSA), current (SHA256, ECDSA)
Pages on authentication: 3 to 4
PQC/QRC: No
ZKP: No
Crypt interface support: Under certain conditions
Tokenization: Yes
Uniqueness: Yes
Credentials protection: TLS
Replay protection: Yes
Relay protection: Yes
Hijack protection: Yes
Forge protection: Yes
MFA support: Yes
Integrity protection: TLS, internal for JWT
Encryption type: TLS, internal for JWT

OpenID Connect

OpenID Connect is a variant of OAuth 2.0 and is also described in a separate article. Here, too, the basic differences are described using the web interface. If necessary to understand the principle of operation I recommend to use the link dedicated to this protocol OpenID Connect requires the use of TLS 1.2+ to ensure secure communication. Unlike OAuth 2.0, it requires a new login to create a request for a new token. The verification procedure then looks like the following:
Client tries unsuccessfully to log in, server requests authorization
Authorization: Bearer

The server responds to the OIDC authentication request
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example", error="invalid_token", error_description="ID Token expired"
The client is redirected to the authorization server, if it does not have a refresh token, it must be logged in again

GET https://auth.example.com/authorize?client_id=client&response_type=code
&scope=openid profile email&redirect_uri=https://client.example.com/callback
&state=random_state
Authorization server provides authorization code:
HTTP/1.1 302 Found
Location: https://client.target.tld/callback?code=code&state=random_state
The client asks for ID and access token after login
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=code&redirect_uri=https://client.example.com/callback
&client_id=client&client_secret=client_secret

After authentication, the authorization server returns the ID and access token:
HTTP/1.1 200 OK
Content-Type: application/json

{
   nbsp;"access_token": "new_access_token",
   nbsp;"id_token": "new_id_token",
   expires_in": 3600"
}

The client logs in again with the relevant information
Authorization: Bearer new_access_token
And if the token is correct, access is allowed
HTTP/1.1 200 OK

Channel Binding: No
Realms: Yes
Cryptoprimitives: Obsolete (RSA), current (SHA256, ECDSA)
Number of pages when authenticating: 3 to 4
PQC/QRC: No
ZKP: No
Crypt interface support: Under certain conditions
Tokenization: Yes
Uniqueness: Yes
Credentials protection: TLS
Replay protection: Yes
Protection against Relay: Yes
Hijack protection: Yes
Protection against Forge: Yes
MFA support: Yes
Integrity protection: TLS, for JWT internal
Encryption type: TLS, internal for JWT

Conclusion

Using the integrated mechanisms of browsers is a simple method, but it requires an understanding of the function of the protective mechanisms. Without knowledge of the facts, it is not possible to set security responsibly, which can have fatal consequences for data security. mechanisms are a basic defensive barrier, their configuration is necessary, but not sufficient. The same care is required to also allocate permissions and other layers of protection.

Reference:

  1. HTTP Authentication: Basic and Digest Access Authentication
    Source: https://www.rfc-editor.org/
  2. The 'Basic' HTTP Authentication Scheme
    Source: https://www.rfc-editor.org/
  3. An Extension to HTTP : Digest Access Authentication
    Source: https://www.rfc-editor.org/
  4. HTTP Authentication: Basic and Digest Access Authentication
    Source: https://www.rfc-editor.org/
  5. HTTP Digest Access Authentication
    Source: https://www.rfc-editor.org/
  6. W3C Web Authentication API (2019) – specifikace WebAuthn
    Source: https://www.w3.org/
  7. Registries for Web Authentication (WebAuthn)
    Source: https://www.rfc-editor.org/
  8. The TLS Protocol Version 1.0
    Source: https://www.rfc-editor.org/
  9. The Transport Layer Security (TLS) Protocol Version 1.2
    Source: https://www.rfc-editor.org/
  10. The Transport Layer Security (TLS) Protocol Version 1.3
    Source: https://www.rfc-editor.org/
  11. The OAuth 2.0 Authorization Framework
    Source: https://www.rfc-editor.org/
  12. The OAuth 2.0 Authorization Framework: Bearer Token Usage
    Source: https://www.rfc-editor.org/
  13. OAuth 2.0 for Native Apps
    Source: https://www.rfc-editor.org/
  14. OpenID Connect Core 1.0 (2014)
    Source: https://openid.net/
  15. OpenID Authentication 2.0 - Final.
    Source: https://openid.net/
  16. JSON Web Token (JWT)
    Source: https://www.rfc-editor.org/
  17. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
    Source: https://www.rfc-editor.org/

Autor článku:

Jan Dušátko
Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant, his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.

Podobné články

Sharing files with SMB protocol and cryptography
16. 9. 2024
Sharing files with SMB protocol and cryptography
Sharing files with NFS protocol and cryptography
17. 9. 2024
Sharing files with NFS protocol and cryptography
Quantum computer resistant algorithms
27. 9. 2024
Quantum computer resistant algorithms
Storing password with Crypt interface
8. 10. 2024
Storing password with Crypt interface
logo

Your learning platform for cryptography
and security.

Jan Dušátko
info@cryptosession.cz
+420 602 427 840

Pod Harfou 938/58
190 00, Praha 9

IČ: 43479766
DIČ: CZ 7208253041

Bank no.:
78-7768770207/0100

© 2025 Cryptosession.cz Design: Lukáš Kejha, Development: Karel Tropp

1. Introductory Provisions

1.1. These General Terms and Conditions are, unless otherwise agreed in writing in the contract, an integral part of all contracts relating to training organised or provided by the trainer, Jan Dušátko, IČ 434 797 66, DIČ 7208253041, with location Pod Harfou 938/58, Praha 9 (next as a „lector“).
1.2. The contracting parties in the general terms and conditions are meant to be the trainer and the ordering party, where the ordering party may also be the mediator of the contractual relationship.
1.3. Issues that are not regulated by these terms and conditions are dealt with according to the Czech Civil Code, i.e. Act No.89/2012 Coll.
1.4. All potential disputes will be resolved according to the law of the Czech Republic.

2. Creation of a contract by signing up for a course

2.1. Application means unilateral action of the client addressed to the trainer through a data box with identification euxesuf, e-mailu with address register@cryptosession.cz or register@cryptosession.info, internet pages cryptosession.cz, cryptosession.info or contact phone +420 602 427 840.
2.2. By submitting the application, the Client agrees with these General Terms and Conditions and declares that he has become acquainted with them.
2.3. The application is deemed to have been received at the time of confirmation (within 2 working days by default) by the trainer or intermediary. This confirmation is sent to the data box or to the contact e-mail.
2.4. The standard time for registration is no later than 14 working days before the educational event, unless otherwise stated. In the case of a natural non-business person, the order must be at least 28 working days before the educational event.
2.5. More than one participant can be registered for one application.
2.6. If there are more than 10 participants from one Client, it is possible to arrange for training at the place of residence of the intermediary or the Client.
2.7. Applications are received and processed in the order in which they have been received by the Provider. The Provider immediately informs the Client of all facts. These are the filling of capacity, too low number of participants, or any other serious reason, such as a lecturer's illness or force majeure. In this case, the Client will be offered a new term or participation in another educational event. In the event that the ordering party does not agree to move or participate in another educational event offered, the provider will refund the participation fee. The lack of participants is notified to the ordering party at least 14 days before the start of the planned term.
2.8. The contract between the provider and the ordering party arises by sending a confirmation from the provider to the ordering party.
2.9. The contract may be changed or cancelled only if the legal prerequisites are met and only in writing.

3. Termination of the contract by cancellation of the application

3.1. The application may be cancelled by the ordering party via e-mail or via a data mailbox.
3.2. The customer has the right to cancel his or her application for the course 14 days before the course takes place without any fees. If the period is shorter, the subsequent change takes place. In the interval of 7-13 days, an administrative fee of 10% is charged, cancellation of participation in a shorter interval than 7 days then a fee of 25%. In case of cancellation of the application or order by the customer, the possibility of the customer's participation in an alternative period without any additional fee is offered. The right to cancel the application expires with the implementation of the ordered training.
3.3. In case of cancellation of the application by the trainer, the ordering party is entitled to a full refund for the unrealized action.
3.4. The ordering party has the right to request an alternative date or an alternative training. In such case, the ordering party will be informed about all open courses. The alternative date cannot be enforced or enforced, it depends on the current availability of the course. If the alternative training is for a lower price, the ordering party will pay the difference. If the alternative training is for a lower price, the trainer will return the difference in the training prices to the ordering party.

4. Price and payment terms

4.1. By sending the application, the ordering party accepts the contract price (hereinafter referred to as the participation fee) indicated for the course.
4.2. In case of multiple participants registered with one application, a discount is possible.
4.3. The participation fee must be paid into the bank account of the company held with the company Komerční banka č. 78-7768770207/0100, IBAN:CZ5301000000787768770207, BIC:KOMBCZPPXXX. When making the payment, a variable symbol must be provided, which is indicated on the invoice sent to the client by the trainer.
4.4. The participation fee includes the provider's costs, including the training materials. The provider is a VAT payer.
4.5. The client is obliged to pay the participation fee within 14 working days of receipt of the invoice, unless otherwise stated by a separate contract.
4.6. If the person enrolled does not attend the training and no other agreement has been made, his or her absence is considered a cancellation application at an interval of less than 7 days, i.e. the trainer is entitled to a reward of 25% of the course price. The overpayment is returned within 14 days to the sender's payment account from which the funds were sent. Payment to another account number is not possible.
4.7. An invoice will be issued by the trainer no later than 5 working days from the beginning of the training, which will be sent by e-mail or data box as agreed.

5. Training conditions

5.1. The trainer is obliged to inform the client 14 days in advance of the location and time of the training, including the start and end dates of the daily programme.
5.2. If the client is not a student of the course, he is obliged to ensure the distribution of this information to the end participants. The trainer is not responsible for failure to comply with these terms and conditions.
5.2. By default, the training takes place from 9 a.m. to 5 p.m. at a predetermined location.
5.3. The trainer can be available from 8 a.m. to 9 a.m. and then from 17 a.m. to 6 p.m. for questions from the participants, according to the current terms and conditions.
5.4. At the end of the training, the certificate of absorption is handed over to the end users.
5.5. At the end of the training, the end users evaluate the trainer's approach and are asked to comment on the evaluation of his presentation, the manner of presentation and the significance of the information provided.

6. Complaints

6.1. If the participant is grossly dissatisfied with the course, the trainer is informed of this information.
6.2. The reasons for dissatisfaction are recorded in the minutes in two copies on the same day. One is handed over to the client and one is held by the trainer.
6.3. A statement on the complaint will be submitted by e-mail within two weeks. A solution will then be agreed within one week.
6.4. The customer's dissatisfaction may be a reason for discontinuing further cooperation, or financial compensation up to the price of the training, after deduction of costs.

7. Copyright of the provided materials

7.1. The training materials provided by the trainer in the course of the training meet the characteristics of a copyrighted work in accordance with Czech Act No 121/2000 Coll.
7.2. None of the training materials or any part thereof may be further processed, reproduced, distributed or used for further presentations or training in any way without the prior written consent of the trainer.

8. Liability

8.1. The trainer does not assume responsibility for any shortcomings in the services of any third party that he uses in the training.
8.2. The trainer does not assume responsibility for injuries, damages and losses incurred by the participants in the training events or caused by the participants. Such costs, caused by the above circumstances, shall be borne exclusively by the participant in the training event.

9. Validity of the Terms

9.1 These General Terms and Conditions shall be valid and effective from 1 October 2024.

Consent to the collection and processing of personal data

According to Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "the Regulation"), the processor xxx (hereinafter referred to as "the Controller") processes personal data. Individual personal data that are part of the processing during specific activities at this web presentation and in the course of trade are also broken down.
Although the collection of data is ubiquitous, the operation of this website is based on the right to privacy of each user. For this reason, the collection of information about users takes place to the extent absolutely necessary and only if the user decides to contact the operator. We consider any further collection and processing of data unethical.

Information about the records of access to the web presentation

This website does not collect any cookies. The site does not use any analytical scripts of third parties (social networks, cloud providers). For these reasons, an option is also offered for displaying the map in the form of a link, where the primary source is OpenStreet and alternatives then the frequently used Maps of Seznam, a.s., or Google Maps of Google LLC Inc. The use of any of these sources is entirely at the discretion of the users of this site. The administrator is not responsible for the collection of data carried out by these companies, does not provide them with data about users and does not cooperate on the collection of data.
Logging of access takes place only at the system level, the reason being the identification of any technical or security problems. Other reasons are overview access statistics. No specific data is collected or monitored in this area and all access records are deleted after three months.

Information about contacting the operator of the site

The form for contacting the operator of the site (administrator) contains the following personal data: name, surname, e-mail. These data are intended only for this communication, corresponding to the address of the user and are kept for the time necessary to fulfil the purpose, up to a maximum of one year, unless the user determines otherwise.

Information about the order form

In case of an interest in the order form, the form contains more data, i.e. name, surname, e-mail and contact details for the organisation. These data are intended only for this communication, corresponding to the address of the user and are kept for one year, unless the user determines otherwise. In the event that a business relationship is concluded on the basis of this order, only the information required by Czech law on the basis of business relations (company name and address, bank account number, type of course and its price) will continue to be kept by the administrator.

Information about the course completion document

Within the course, a course completion document is issued by the processor. This document contains the following data: student's name and surname, the name and date of the course completion and the employer's name. The information is subsequently used for the creation of a linear hash tree (non-modifiable record). This database contains only information about the provided names and company names, which may or may not correspond to reality and is maintained by the processor for possible re-issuance or verification of the document's issuance.

Rights of the personal data subject

The customer or visitor of this website has the possibility to request information about the processing of personal data, the right to request access to personal data, or the right to request the correction or deletion of any data held about him. In the case of deletion, this requirement cannot be fulfilled only if it is not data strictly necessary in the course of business. The customer or visitor of this website also has the right to obtain explanations regarding the processing of his personal data if he finds out or believes that the processing is carried out in violation of the protection of his private and personal life or in violation of applicable legislation, and the right to request removal of the resulting situation and to ensure the correction.
Furthermore, the customer/visitor of this website may request restriction of processing or object to the processing of personal data and has the right to withdraw his/her consent to the processing of personal data at any time in writing, without prejudice to the lawfulness of their processing prior to such withdrawal. For this purpose, the contact e-mail address support@cryptosession.cz is used.
The customer/visitor has the right to file a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.