2017 dev nexus_deconstructing_rest_security

DevNexus
#RESTSecurity @dblevins @tomitribe
Deconstructing REST Security
David Blevins
Tomitribe

DevNexus
“The nice thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum

DevNexus
Focus Areas
• Beyond Basic Auth
• Theory of OAuth 2.0
• Introduction of JWT
• Google/Facebook style API security
• Stateless vs Stateful Architecture
• HTTP Signatures
• Amazon EC2 style API security

DevNexus
Baseline Architecture
1000 users
x 3 TPS
4 hops
3000 TPS
frontend
12000 TPS
backend

DevNexus
Basic Auth
(and its problems)

DevNexus
Basic Auth Message
POST /painter/color/object HTTP/1.1
Host: localhost:8443
Authorization: Basic c25vb3B5OnBhc3M=
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"b":255,"g":0,"name":"blue","r":0}}

DevNexus
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
(no auth)
3000 TPS
(LDAP)
12000 TPS
(HTTP)

DevNexus
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
username+password
Base64
15000 TPS
(LDAP)
Password Sent
12000 TPS
(HTTP)

DevNexus
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
IP
whitelisting
3000 TPS
(LDAP)
12000 TPS
(HTTP)

DevNexus
“Hey, give me all
of Joe’s salary
information.”
“I don’t know
who you are,
…
but sure!”

DevNexus
Latveria Attacks

DevNexus
Basic Auth - Attacks
Valid
Password Sent
3000 TPS
(HTTP+SSL) IP
whitelisting
9000 TPS
(LDAP)
12000 TPS
(HTTP)
Invalid
Password Sent
6000 TPS
(HTTP+SSL)

DevNexus
OAuth 2.0
(and its problems)

DevNexus

DevNexus
OAuth 2 - Password Grant
(LDAP)
(Token Store)
POST /oauth2/token
Host: api.superbiz.io
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
}
Verify
Password
Generate
Token

DevNexus
OAuth 2.0 Message
POST /painter/color/object HTTP/1.1 
Host: api.superbiz.io 
Authoriza>on: Bearer 2YotnFZFEjr1zCsicMWpAA 
User-Agent: curl/7.43.0 
Accept: */* 
Content-Type: application/json 
Content-Length: 45 
 
{"color":{"b":255,"g":0,"r":0,"name":"blue"}}

DevNexus
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1 
Accept: */* 
 
{"color":{"b":0,"g":255,"r":0,"name":"green"}}

DevNexus
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1 
Accept: */* 
 
{"color":{"b":255,"g":0,"r":0,"name":"red"}}

DevNexus
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1 
Accept: */* 
 
{"color":{"b":255,"g":255,"r":0,"name":"yellow"}}

DevNexus
OAuth 2.0 Message
POST /painter/color/stroke HTTP/1.1 
Accept: */* 
 
{"color":{"b":255,"g":200,"r":0,"name":"orange"}}

DevNexus
401

DevNexus
OAuth 2 - Refresh Grant
(LDAP)
(Token Store)
Verify
Password
Generate
Token
POST /oauth2/token
Accept: */*
Content-Length: 54
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
HTTP/1.1 200 OK
Pragma: no-cache
{
"access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
"expires_in":3600,
"refresh_token":"hyT5rw1QNh5Ttg2hdtR54e",
}

DevNexus
Old pair
• Access Token 2YotnFZFEjr1zCsicMWpAA
• Refresh Token tGzv3JOkF0XG5Qx2TlKWIA
New pair
• Access Token 6Fe4jd7TmdE5yW2q0y6W2w
• Refresh Token hyT5rw1QNh5Ttg2hdtR54e

DevNexus
OAuth 2.0 Message
Authoriza>on: Bearer 6Fe4jd7TmdE5yW2q0y6W2w 
Accept: */* 
 

DevNexus
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1 
Accept: */* 
 
{"color":{"b":255,"g":0,"r":0,"name":"red"}}

DevNexus
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1 
Accept: */* 
 
{"color":{"b":255,"g":255,"r":0,"name":"yellow"}}

DevNexus
What have we achieved?

DevNexus
You have more passwords
(at least your devices do)

DevNexus
Term Alert
• Password Grant???
• Logging in
• Token?
• Slightly less crappy password
• Equally crappy HTTP Session ID

DevNexus
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend

DevNexus
“Who the heck
is
6Fe4jd7TmdE5y
W2q0y6W2w
???????”
“No idea, dude.
Ask the token
server.”

DevNexus
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend

DevNexus
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend
55% of all traffic

DevNexus
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
0 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
0 TPS
(token checks)
0 hops
0 TPS
backend

DevNexus
OAuth 2
Pointer Pointer
State

DevNexus
Access Token
Access Pointer?
Access Primary Key?

DevNexus
OAuth 2.0
High Frequency Password
Exchange Algorithm?

DevNexus
Hashing and Signing
Symmetric and Asymmetric

DevNexus
OAuth 2.0
+
JSon Web Tokens (JWT)

DevNexus
JSon Web Token
• Pronounced “JOT”
• Fancy JSON map
• Base64 URL Encoded
• Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
• Built-in expiration

DevNexus
Access Token Previously
• 6Fe4jd7TmdE5yW2q0y6W2w

DevNexus
Access Token Now
• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoi
YWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhb
mltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3
VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l
0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFi
MDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2
DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8
GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXG
DL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo

DevNexus
Access Token Now
• header (JSON > Base64 URL Encoded)
• describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
• Basically a map of whatever you want to put in it
• Some standard keys such as expiration
• signature (Binary > Base64 URL Encoded
• The actual digital signature
• made exclusively by the /oauth2/token endpoint
• If RSA, can be checked by anyone

DevNexus
• { "alg": “RS256", "typ": “JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "hdps://demo.superbiz.com/oauth2/token",
"scopes": [
“twider”, "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"j>": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFX
GDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo

DevNexus
Subtle But High Impact
Architectural Change

DevNexus
What we had
(quick recap)

DevNexus
(LDAP)
Pull User Info
From IDP

DevNexus
(LDAP)
Generate an
Access Token
(pointer)

DevNexus
(LDAP)
Insert both
into DB

DevNexus
(LDAP)
Send Access Token (pointer)
to client

DevNexus
Results
Client Holds Pointer Server Holds State

DevNexus
What we can do now
(Hello JWT!)

DevNexus
(LDAP)
Format the data
as JSON

DevNexus
(LDAP)
RSA-SHA 256
sign JSON

DevNexus
(LDAP)
Insert only
pointer
into DB
(for revocation)

DevNexus
(LDAP)
Send Access Token (state)
to client

DevNexus
Client Holds State Server Holds Pointer
Desired
Results

DevNexus
OAuth 2 - Password Grant
(LDAP)
(Token ID Store)
POST /oauth2/token
Accept: */*
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
Verify
Password
Generate
Signed
Token
HTTP/1.1 200 OK
Pragma: no-cache
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM
i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0
LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M
TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ
9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8
OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO
EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh
VDaiqmhct098ocefuv08TdzRxqYoEqYNo",
"expires_in":3600,
"refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL",
}

DevNexus
OAuth 2.0 Message with JWT
Authoriza>on: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR
va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ
iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl
6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ
vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Accept: */* 
 

DevNexus
OAuth 2 + JWT
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
0.55 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
(signature verification)
12000 TPS

DevNexus
“Hey, give me all
of Joe’s salary
information.”
“Not a chance!”

DevNexus
“Hey, give me all
of Joe’s salary
information.”
“Sure thing!”

DevNexus
OAuth 2 + JWT
Valid
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
0.55 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
(LDAP)
4 hops
12000 TPS
backend
9000 TPS
12000 TPS
Invalid
Tokens Sent
6000 TPS
(HTTP+SSL)

DevNexus
http://connect2id.com/products/nimbus-jose-jwt
Great JWT lib

DevNexus
HTTP Signatures
(Amazon EC2 style API Security)

DevNexus
HTTP Signatures
• No “secret” ever hits the wire
• Signs the message itself
• Proves identity
• Prevents message tampering
• Symmetric or Asymmetric signatures
• IETF Draft
• https://tools.ietf.org/html/draft-cavage-http-signatures
• Extremely simple
• Does NOT eliminate benefits of JWT (they’

DevNexus
Signature Message
Authorization: Signature keyId=“my-key-name",
algorithm="hmac-sha256",
headers="content-length host date (request-target)”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" 
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */* 
 

DevNexus
Signature closeup
Signature
keyId=“my-key-name",
algorithm="hmac-sha256",
headers="content-length host date (request-target)”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=

DevNexus
Signature Auth
Password Sent
0 TPS
(HTTP)
Signature (no auth)
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)

DevNexus
Signature Auth
Password Sent
0 TPS
(HTTP)
Signature Signature
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)

DevNexus
“Hey, give me all
of Joe’s salary
information.”
“Hey, Larry!
Sure!”

DevNexus
OAuth and Signatures
Password Sent
3000 TPS
(HTTP+SSL)
OAuth 2 Signature
12000 TPS
(HTTP)

DevNexus
“Hey, give me all
of Joe’s salary
information.”
“Sure thing,
Larry!
Tell Joe I said hi.”

DevNexus
OAuth and Signatures
Password Sent
3000 TPS
(HTTP+SSL)
OAuth 2 Signature
12000 TPS
(HTTP)
Joe
Larry
Stan

DevNexus
Observations
• HTTP Signatures the only HTTP friendly approach
• Signatures does not solve the “Identity Load” problem
• OAuth 2 with JWT significantly improves IDP load
• Plain OAuth 2
• HTTP Session-like implications
• OAuth 2 with JWT
• Signed cookie
• Signing key to the future

DevNexus
Thank You!

2017 dev nexus_deconstructing_rest_security

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to 2017 dev nexus_deconstructing_rest_security (20)

More from David Blevins (8)

Recently uploaded (20)

2017 dev nexus_deconstructing_rest_security