Blog

Categories:
1. 2. 2025
Security Cryptography
SASL analysis, part four

SASL Analysis, Part Four

This part will be devoted to the continuation of the analysis of technologies based on authentication in the cooperation of several parties. It will mainly include the analysis of OAUTH2 and technologies based on it. Next will be the analysis of SAML. The analysis of the technological predecessor OAUTH10A is in the previous article, which can be found at SASL Analysis, Part Three.

OAUTH2

The second generation authentication mechanism is designed to provide an extension of the possibilities in case of delegation of permissions. Again, it approaches the topic in the same way, using text or JWT tokens, transmitted by HTTPS (HTTP protocol in SSL/TLS tunnel) as a single protective layer. Other protection of user data is not available for text tokens and transmitted authentication information. Furthermore, the request for a token may not be requested by applications, but it may be another authorization domain (delegation of permissions). This way of transferring permissions between individual federated domains. This way of exchanging information is standardized, i.e. it is possible to delegate permissions to another domain. At the same time, the way of managing different domains is standardized. This is a significant operational difference compared to OAUTH1. From the security point of view, the differences are significantly smaller, the only change is the support of JWT tokens, which have built-in support for confidentiality and integrity protection.
At the beginning, the user must authenticate and register the applications. Logging takes place in a simple way, where the user enters a password, the server processes that password and compares it with the stored data (stored e.g. using the Argon2 function). In the picture, the authentication and authorization system are combined into one. In all schemes, only the term authorization server is used, because OAUTHx addresses the allocation of permissions. Authentication is done through other mechanisms. For other activities, only a login is required, based on the type of permission provided, the system selects between the following possible methods:
Authorization Code Grant: The user sends an authentication request. The authorization server provides the login using the authentication server, and then returns the URL and the Auth Code. The user forwards the specified requests to the application, which forwards the Auth Code to the authorization server. After authentication, it receives two tokens, the Access Token and the Refresh token. The Refresh token can be used to extend data access using the authorization server, the Access Token is sent to the data system (server). The Access Token allows access to the specified data.
Client Credentials Grant: The user sends an authentication request. The authorization server provides the login using the authentication server, and then returns the URL and the Access Token. The user forwards the specified requests to the application, which connects with the authorization system to ensure the authorization of data access.
Device Autorization Grant: The user sends an authentication request. The authorization server provides the login using the authentication server, and then returns the URL and the Device Code. The user forwards the specified requests to the device, which connects to the authorization system to secure the authorization of the data access.
Implicit Grant: The user sends the authentication request. The authorization server provides the authentication server login and then returns the Access Token. The user forwards the specified requests to the application, which is no longer authenticated and uses the token to secure its access to the data system (server). The specified method is used as a form of simplified solution and it is advisable to use other methods.
Resource Owner Password Grant: The user sends the authentication request. The authorization server provides the authentication server login and then returns the URL and the Device Code. The user forwards the specified requests to the application, which connects to the authorization system to secure the authorization of the data access.
The specified methods differ only in message flow and permissions for access to sensitive data (such as passwords). The token can be in text format or in JWT (JSON Web Token) format. In text mode, cryptography usage remains only at the transport channel level. In the case of JWT, the token can be digitally signed.
Processing tokens:
Pro Access Token / Bearer Token and pro Refresh Token: For JWT, HMAC-SHA256 is used for symmetric signature, for asymmetric RSA/RSASSA-PKCS1-v1_5 or ECDSA. For content encryption, AES-GCM is recommended for JWT. For token text form, encryption is not used.
For Authorization Code: cryptographic protection is not used, content is generated using a secure randomness generator. For content encryption, AES-GCM is recommended for JWT.

Channel Binding: No
Realms: Yes
Crypto-primitives: runout (RSA), current (SHA256, ECDSA)
Number of pages at authentication: 3 to 4
PQC/QRC: No
ZKP: No
Crypt interface support: Under certain conditions
Tokenization: Yes
Uniqueness: Yes
Credentials protection: TLS
Replay protection: Yes
Relay protection: Yes
Hijack protection: Yes
Forge protection: Yes
MFA support: Yes
Integrity protection: TLS, internal for JWT
Encryption type: TLS, internal for JWT

OAUTH2 Protokol

OAUTHBEARER

This is OAUTHBEARER → Server authentication against OAUTH2 server. It uses a text or JWT token (JSON Web Token). This mechanism is associated with OAuth 2.0 and provides authorization through the use of the so-called Bearer Token, otherwise Access Token. The token is a unique identifier and is presented by the client as evidence to authenticate access rights. The token is transmitted through HTTPS because it contains no internal protection against eavesdropping or misuse. Like OAUTH2 tokens, it can be in plain text or JWT format. OAUTH2 links can be summarized as:
- OAUTHBEARER was designed to work with Access Tokens generated within the OAuth 2.0 protocol.
- After authentication, it is possible to obtain the Bearer Token via OAuthorization Code Grant, Client Credentials Grant, Device Authorization Grant, Implicit Grant, or Resource Owner Password Grant through OAUTHBEARER 2.0. Once the token is available, it is used for authentication against the server providing the data.

Channel Binding: No
Realms: Yes
Crypto-primitives: Exit (RSA), current (SHA256, ECDSA)
Number of pages at authentication: 3
PQC/QRC: No
ZKP: No
Crypt interface support: Under certain conditions
Tokenization: Yes
Uniqueness: Yes
Credentials protection: TLS
Replay protection: Yes
Relay protection: Yes
Hijack protection: Yes
Forge protection: Yes
MFA support: Yes
Integrity protection: TLS, internal for JWT
Encryption type: TLS, internal for JWT

OAUTH2 Protokol

XOAUTH2

Just as XOAUTH is an extension of OAUTH technology for mail servers, the XOAUTH2 protocol is a specific extension of OAUTH2. It is a variant of the protocol, the actual communication remains virtually unchanged. Roughly, the technological development can be described as OAUTH → OAUTH2 → XOAUTH2. Even in this case, the XOAUTH2 protocol is used for authentication for mail servers, i.e. for SMTP, IMAP4 and POP3 protocols. In this case, it is possible to treat the application and resource server as if they were combined into one system.

Channel Binding: No
Realms: Yes
Crypto-primitives: Runout (RSA), current (SHA256, ECDSA)
Number of pages in authentication: 4
PQC/QRC: No
ZKP: No
Crypt interface support: Under certain conditions
Tokenization: Yes
Uniqueness: Yes
Credentials protection: TLS
Replay protection: Yes
Relay protection: Yes
Hijack protection: Yes
Forge protection: Yes
MFA support: Yes
Integrity protection: TLS, internal for JWT
Encryption type: TLS, internal for JWT

OAUTH2 Protokol

OPENID20

OpenID is an extension of the OAUTH2 authorization scheme to include an identity verification method and provides a fed authorization system service. Again, support for secure password exchange is desperately weak. As part of the authentication, it supports directly MFA and rate/limit as a form of protection against password attacks. Unlike OAUTH2, it no longer supports text tokens, but only JWT tokens.
At the beginning, the user must authenticate and register the applications. Logging in is done in a simple way, where the user is redirected to an authentication server (IDP - Identity Provider) after a request for authentication, where he enters a password, or uses MFA. The password is again transmitted as open text, not in a protected way. IDP Server processes the password and any other factors, and compares it with the stored data (passwords stored e.g. using the Argon2 function). Subsequently, it sends information about the user's identity. Unlike OAUTH2, it only uses the Access Token and Refresh Token, which limits the possibilities of exchanging information to three basic methods – Authorization Code flow, Hybrid Flow and Implicit flow.
Authorization Code Flow: After logging in, the authorization code and status are sent to the authorization server. This creates an ID Token, Access Token and Refresh token, which it sends to the user. This provides the Access Token to the application, Refresh uses the token to request a new Access Token. It uses the ID token to verify the identity of the applicant. This approach is similar to Authorization Code Grant and is the preferred option.
Hybrid Flow is similar to Authorization Code Flow. Unlike the previous one, however, Access Token is obtained immediately based on the authorization code, it is not necessary to prove ownership of the authorization code. On the one hand, this simplifies the operation, on the other hand, it also limits the possibilities of controlling the access permissions. From a certain point of view, this can be seen as a security weakness.
Implicit Flow: It is similar to Implicit Grant. It is currently not recommended. At initial login, it does not use the authorization code to obtain Access Token, therefore there is a higher risk of misuse.
As in the case of OAUTH2 and OAUTHBEARER, JWT tokens and their contents can be protected using the following algorithms:
For Access Token and for Refresh Token: For JWT, HMAC-SHA256 is used for symmetric signature, for asymmetric RSA/RSASSA-PKCS1-v1_5 or ECDSA. For content encryption, AES-GCM is recommended for JWT.
For Authorization Code: cryptographic protection is not used, content is generated using a secure randomness generator. For content encryption, AES-GCM is recommended for JWT.

Channel Binding: No
Realms: Yes
Crypto: Runtime (RSA), current (SHA256, ECDSA)
Number of pages at authentication: 3 to 4
PQC/QRC: No
ZKP: No
Crypt interface support: Under certain conditions
Tokenization: Yes
Uniqueness: Yes
Credentials protection: TLS
Replay protection: Yes
Relay protection: Yes
Hijack protection: Yes
Forge protection: Yes
MFA support: Yes
Integrity protection: TLS, internal for JWT
Encryption type: TLS, internal for JWT

OAUTH2 Protokol

SAML

This is an open-source OASIS (Organization for the Advancement of Structured Information Standards) standard. The proprietary SAML language originated from AuthXML, ITMP (Information Technology Markup Language), S2ML (Security Services Markup Language), X-TASS (XML Trust Assertion Service Specification). From a realisation point of view, this is an XML scheme that allows to define and prove several basic states. It is an authentication, authorization or specific attribute state. Information is exchanged at different levels within this protocol. Only five examples are given for each of these levels. This material is not intended to provide an exhaustive description of the SAML standard, only an idea of how it works.
Assertions: this is a number of types of documents that contain information relevant for logging in. This is user information and information related to authentication. Most of the information given is of limited validity (Assertion Expiry), limited use for specific service providers (Audience restriction) and must always be digitally signed. Custom assertions can be e.g. Authentication Assertion (when and how the user was authenticated), Attribute Assertion (user parameters, i.e. name, group, role), Delegation Assertions (delegating authority to another entity), Subject Confirmation Assertion (how the user is authenticated), Session Assertion (what parameters and session duration) and more.
Protocols: this is a definition of an assertions transfer. Examples include Authentication Request Protocol (Service Provider asks Identity Provider to authenticate assertions), Artifact Resolution Protocol (allows you to obtain SAML aserce based on an artifact), Name Identifier Management Protocol (changing user ID between Service Provider and Identity Provider), Name Identifier Mapping Protocol (exchanging user ID between Service Provider and Identity Provider), Single Logout Protocol (allows you to unsubscribe from services), and more.
Bindings: defines requests and how to transfer. Examples include HTTP Artifact Binding (uses HTTP to transfer artifacts, artifacts contain negotiation and transfer assertions), HTTP Redirect Binding (uses HTTP redirection with parameters in URL), HTTP POST Binding (SAML aserce is sent as a form POST), PAOS Binding (Reverse SOAP over HTTP for communication between client and Identity Provider), SMTP Binding (uses SMTP for exchanging messages via email), and much more.
Profiles: defines the use of assertions to meet authentication and authorization requirements. For example, there are Attribute Query Profile (allows SP to request IdP for additional user attributes), Enhanced Client or Proxy (ECP) Profile (allows client authentication instead of browser, Mobile SSO Profile (optimized for logging in from mobile devices), Single Logout Profile (allows user logout on all connected services), Web Browser SSO Profile (allows user to log in once and then access multiple services) and many more.
Security: Defines different types of security assertions, protocols and bindings. For one thing, it can be a security at the transport level SSL/TLS layer. At the message level, XML encryption is used, which uses AES-CBC or AES-GCM with 128b/256b keys. Messages can also be digitally signed, for which a signature is used using the RSA algorithm (RSA+SHA256) or ECDSA (ECDSA NIST P-256+SHA256).
The system itself uses two main methods to control the allocation of permissions, a method enforced by the service provider (e.g. application or service provider) and a method enforced by the identity provider.

SP-Initiated SSO (Service Provider Initiated)
- The user requests access to an application or service (Service Provider).
- The Service Provider redirects the user to the Identity Provider with an authentication request (SAML AuthnRequest).
- The Identity Provider authenticates the user (password, MFA, certificate, etc.).
- The Identity Provider creates SAML Assertion and redirects the user back to the Service Provider.
- The Service Provider authenticates SAML Assertion and logs the user.
- The application asks the authorization system for access to data (OAuth, policy rules).
- The authorization system authenticates access and allows the application to obtain data from the provider.

IdP-Initiated SSO (Identity Provider Initiated)
- The user logs the Identity Provider directly.
- The Identity Provider creates SAML Assertion and redirects the user to the Service Provider.
- The Service Provider verifies the SAML Assertion and logs the user.
- The application asks the authorization system for access to the data.
- The authorization system verifies the access and allows the application to obtain the data.

SAML allows the use of various types of authentication mechanisms. Of course, it supports the PLAIN/LOGIN method, which is protected only by TLS. Furthermore, authentication using digital certificates RSA or ECDSA, Kerberos, smart cards and FIDO2/WebAuthn, or external identities provided e.g. by OAuth2, OpenID Connect and others. In addition to the actual authentication, authentication information can be provided by SSO, where both transport encryption and encryption of the own transferred assertion are used for the transfer assertion data (more about the encryption assertion is in the security property).

Channel Binding: No
Realms: Yes
Crypto-primitives: Run-Out (RSA), Current (SHA256, ECDSA)
Number of pages at authentication: 3 to 5
PQC/QRC: No
ZKP: No
Crypt interface support: Under certain conditions
Tokenization: Yes
Uniqueness: Yes
Credentials protection: TLS
Replay protection: Yes
Relay protection: Yes
Hijack protection: Yes
Forge protection: Yes
MFA support: Yes
Integrity protection: TLS, internal for JWT
Encryption type: TLS, internal for JWT

SAML SP-Initiated

Conclusion

This episode has completed an overview of the mechanisms used. Based on the information provided, it is obvious that some mechanisms are not suitable to use, while for others it is necessary to be extremely careful about the setting and configuration of both the environment and the protection layers used. Despite all the protections, the most common method for user authentication is to send this information in plaintext (PLAIN or LOGIN method), where the only protection is the TLS layer. In this case, however, mTLS (Mutual TLS, i.e. mutual verification of certificates within TLS) is required for adequate protection. In another case, any SSL inspection will allow an attacker to access authentication data. Unfortunately, any form of MFA does not prevent against these types of attacks.
In the next part SASL Analysis, Part Five, the libraries used will be discussed and criticism and evaluation of individual schemes will be given, the risks will be specified and recommendations on how to prevent these problems.

Reference:

  1. A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth
    Source: https://www.rfc-editor.org/
  2. The OAuth 2.0 Authorization Framework: Bearer Token Usage
    Source: https://www.rfc-editor.org/
  3. The OAuth 2.0 Authorization Framework
    Source: https://www.rfc-editor.org/
  4. OAuth 2.0 Token Exchange
    Source: https://www.rfc-editor.org/
  5. JSON Web Token (JWT)
    Source: https://www.rfc-editor.org/
  6. JSON Web Signature (JWS)
    Source: https://www.rfc-editor.org/
  7. JSON Web Encryption (JWE)
    Source: https://www.rfc-editor.org/
  8. The SASL XOAUTH2 Mechanism
    Source: https://developers.google.com/
  9. What is OpenID Connect and How OpenID Connect Works.
    Source: https://openid.net/
  10. OpenID Specification.
    Source: https://openid.net/
  11. OpenID Authentication 2.0 - Final.
    Source: https://openid.net/
  12. SAML Specifications.
    Source: https://saml.xml.org/
  13. Security Assertion Markup Language (SAML) V2.0 Technical Overview.
    Source: https://www.oasis-open.org/

Autor článku:

Jan Dušátko
Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant, his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.

Podobné články

Sharing files with SMB protocol and cryptography
16. 9. 2024
Sharing files with SMB protocol and cryptography
Sharing files with NFS protocol and cryptography
17. 9. 2024
Sharing files with NFS protocol and cryptography
Quantum computer resistant algorithms
27. 9. 2024
Quantum computer resistant algorithms
Storing password with Crypt interface
8. 10. 2024
Storing password with Crypt interface
logo

Your learning platform for cryptography
and security.

Jan Dušátko
info@cryptosession.cz
+420 602 427 840

Pod Harfou 938/58
190 00, Praha 9

IČ: 43479766
DIČ: CZ 7208253041

Bank no.:
78-7768770207/0100

© 2025 Cryptosession.cz Design: Lukáš Kejha, Development: Karel Tropp

1. Introductory Provisions

1.1. These General Terms and Conditions are, unless otherwise agreed in writing in the contract, an integral part of all contracts relating to training organised or provided by the trainer, Jan Dušátko, IČ 434 797 66, DIČ 7208253041, with location Pod Harfou 938/58, Praha 9 (next as a „lector“).
1.2. The contracting parties in the general terms and conditions are meant to be the trainer and the ordering party, where the ordering party may also be the mediator of the contractual relationship.
1.3. Issues that are not regulated by these terms and conditions are dealt with according to the Czech Civil Code, i.e. Act No.89/2012 Coll.
1.4. All potential disputes will be resolved according to the law of the Czech Republic.

2. Creation of a contract by signing up for a course

2.1. Application means unilateral action of the client addressed to the trainer through a data box with identification euxesuf, e-mailu with address register@cryptosession.cz or register@cryptosession.info, internet pages cryptosession.cz, cryptosession.info or contact phone +420 602 427 840.
2.2. By submitting the application, the Client agrees with these General Terms and Conditions and declares that he has become acquainted with them.
2.3. The application is deemed to have been received at the time of confirmation (within 2 working days by default) by the trainer or intermediary. This confirmation is sent to the data box or to the contact e-mail.
2.4. The standard time for registration is no later than 14 working days before the educational event, unless otherwise stated. In the case of a natural non-business person, the order must be at least 28 working days before the educational event.
2.5. More than one participant can be registered for one application.
2.6. If there are more than 10 participants from one Client, it is possible to arrange for training at the place of residence of the intermediary or the Client.
2.7. Applications are received and processed in the order in which they have been received by the Provider. The Provider immediately informs the Client of all facts. These are the filling of capacity, too low number of participants, or any other serious reason, such as a lecturer's illness or force majeure. In this case, the Client will be offered a new term or participation in another educational event. In the event that the ordering party does not agree to move or participate in another educational event offered, the provider will refund the participation fee. The lack of participants is notified to the ordering party at least 14 days before the start of the planned term.
2.8. The contract between the provider and the ordering party arises by sending a confirmation from the provider to the ordering party.
2.9. The contract may be changed or cancelled only if the legal prerequisites are met and only in writing.

3. Termination of the contract by cancellation of the application

3.1. The application may be cancelled by the ordering party via e-mail or via a data mailbox.
3.2. The customer has the right to cancel his or her application for the course 14 days before the course takes place without any fees. If the period is shorter, the subsequent change takes place. In the interval of 7-13 days, an administrative fee of 10% is charged, cancellation of participation in a shorter interval than 7 days then a fee of 25%. In case of cancellation of the application or order by the customer, the possibility of the customer's participation in an alternative period without any additional fee is offered. The right to cancel the application expires with the implementation of the ordered training.
3.3. In case of cancellation of the application by the trainer, the ordering party is entitled to a full refund for the unrealized action.
3.4. The ordering party has the right to request an alternative date or an alternative training. In such case, the ordering party will be informed about all open courses. The alternative date cannot be enforced or enforced, it depends on the current availability of the course. If the alternative training is for a lower price, the ordering party will pay the difference. If the alternative training is for a lower price, the trainer will return the difference in the training prices to the ordering party.

4. Price and payment terms

4.1. By sending the application, the ordering party accepts the contract price (hereinafter referred to as the participation fee) indicated for the course.
4.2. In case of multiple participants registered with one application, a discount is possible.
4.3. The participation fee must be paid into the bank account of the company held with the company Komerční banka č. 78-7768770207/0100, IBAN:CZ5301000000787768770207, BIC:KOMBCZPPXXX. When making the payment, a variable symbol must be provided, which is indicated on the invoice sent to the client by the trainer.
4.4. The participation fee includes the provider's costs, including the training materials. The provider is a VAT payer.
4.5. The client is obliged to pay the participation fee within 14 working days of receipt of the invoice, unless otherwise stated by a separate contract.
4.6. If the person enrolled does not attend the training and no other agreement has been made, his or her absence is considered a cancellation application at an interval of less than 7 days, i.e. the trainer is entitled to a reward of 25% of the course price. The overpayment is returned within 14 days to the sender's payment account from which the funds were sent. Payment to another account number is not possible.
4.7. An invoice will be issued by the trainer no later than 5 working days from the beginning of the training, which will be sent by e-mail or data box as agreed.

5. Training conditions

5.1. The trainer is obliged to inform the client 14 days in advance of the location and time of the training, including the start and end dates of the daily programme.
5.2. If the client is not a student of the course, he is obliged to ensure the distribution of this information to the end participants. The trainer is not responsible for failure to comply with these terms and conditions.
5.2. By default, the training takes place from 9 a.m. to 5 p.m. at a predetermined location.
5.3. The trainer can be available from 8 a.m. to 9 a.m. and then from 17 a.m. to 6 p.m. for questions from the participants, according to the current terms and conditions.
5.4. At the end of the training, the certificate of absorption is handed over to the end users.
5.5. At the end of the training, the end users evaluate the trainer's approach and are asked to comment on the evaluation of his presentation, the manner of presentation and the significance of the information provided.

6. Complaints

6.1. If the participant is grossly dissatisfied with the course, the trainer is informed of this information.
6.2. The reasons for dissatisfaction are recorded in the minutes in two copies on the same day. One is handed over to the client and one is held by the trainer.
6.3. A statement on the complaint will be submitted by e-mail within two weeks. A solution will then be agreed within one week.
6.4. The customer's dissatisfaction may be a reason for discontinuing further cooperation, or financial compensation up to the price of the training, after deduction of costs.

7. Copyright of the provided materials

7.1. The training materials provided by the trainer in the course of the training meet the characteristics of a copyrighted work in accordance with Czech Act No 121/2000 Coll.
7.2. None of the training materials or any part thereof may be further processed, reproduced, distributed or used for further presentations or training in any way without the prior written consent of the trainer.

8. Liability

8.1. The trainer does not assume responsibility for any shortcomings in the services of any third party that he uses in the training.
8.2. The trainer does not assume responsibility for injuries, damages and losses incurred by the participants in the training events or caused by the participants. Such costs, caused by the above circumstances, shall be borne exclusively by the participant in the training event.

9. Validity of the Terms

9.1 These General Terms and Conditions shall be valid and effective from 1 October 2024.

Consent to the collection and processing of personal data

According to Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "the Regulation"), the processor xxx (hereinafter referred to as "the Controller") processes personal data. Individual personal data that are part of the processing during specific activities at this web presentation and in the course of trade are also broken down.
Although the collection of data is ubiquitous, the operation of this website is based on the right to privacy of each user. For this reason, the collection of information about users takes place to the extent absolutely necessary and only if the user decides to contact the operator. We consider any further collection and processing of data unethical.

Information about the records of access to the web presentation

This website does not collect any cookies. The site does not use any analytical scripts of third parties (social networks, cloud providers). For these reasons, an option is also offered for displaying the map in the form of a link, where the primary source is OpenStreet and alternatives then the frequently used Maps of Seznam, a.s., or Google Maps of Google LLC Inc. The use of any of these sources is entirely at the discretion of the users of this site. The administrator is not responsible for the collection of data carried out by these companies, does not provide them with data about users and does not cooperate on the collection of data.
Logging of access takes place only at the system level, the reason being the identification of any technical or security problems. Other reasons are overview access statistics. No specific data is collected or monitored in this area and all access records are deleted after three months.

Information about contacting the operator of the site

The form for contacting the operator of the site (administrator) contains the following personal data: name, surname, e-mail. These data are intended only for this communication, corresponding to the address of the user and are kept for the time necessary to fulfil the purpose, up to a maximum of one year, unless the user determines otherwise.

Information about the order form

In case of an interest in the order form, the form contains more data, i.e. name, surname, e-mail and contact details for the organisation. These data are intended only for this communication, corresponding to the address of the user and are kept for one year, unless the user determines otherwise. In the event that a business relationship is concluded on the basis of this order, only the information required by Czech law on the basis of business relations (company name and address, bank account number, type of course and its price) will continue to be kept by the administrator.

Information about the course completion document

Within the course, a course completion document is issued by the processor. This document contains the following data: student's name and surname, the name and date of the course completion and the employer's name. The information is subsequently used for the creation of a linear hash tree (non-modifiable record). This database contains only information about the provided names and company names, which may or may not correspond to reality and is maintained by the processor for possible re-issuance or verification of the document's issuance.

Rights of the personal data subject

The customer or visitor of this website has the possibility to request information about the processing of personal data, the right to request access to personal data, or the right to request the correction or deletion of any data held about him. In the case of deletion, this requirement cannot be fulfilled only if it is not data strictly necessary in the course of business. The customer or visitor of this website also has the right to obtain explanations regarding the processing of his personal data if he finds out or believes that the processing is carried out in violation of the protection of his private and personal life or in violation of applicable legislation, and the right to request removal of the resulting situation and to ensure the correction.
Furthermore, the customer/visitor of this website may request restriction of processing or object to the processing of personal data and has the right to withdraw his/her consent to the processing of personal data at any time in writing, without prejudice to the lawfulness of their processing prior to such withdrawal. For this purpose, the contact e-mail address support@cryptosession.cz is used.
The customer/visitor has the right to file a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.