I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http_signature
5 likes1,880 views
The document discusses advanced security extensions in Apigee Edge, including HMAC and HTTP signatures used by different companies for message-level security, integrity, and authentication. It highlights the lack of built-in policies for HMAC and HTTPSignature verification in Apigee Edge while suggesting the use of custom Java callouts to implement these features. Additionally, it emphasizes the importance of these security measures to protect against man-in-the-middle attacks and ensure the integrity of API communications.
![Who is using Signatures?
2
AWS - custom HMAC-SHA256 signature over the [ verb . host . uri . queryparams ]
Google Maps API for Work - HMAC-SHA1 over URL+query (includes clientid)
Twitter - OAuth1.0a signatures (HMAC-SHA1) over headers + params
Azure storage - HMAC-SHA256 over [ verb . contentmd5 . contenttype . date . url ]
Github's outbound webhooks - HMAC-SHA1 over the body
(prospect) Automaker - XML DSIG over payload
(prospect) WW Retailer - HttpSignature (Signature applied to select headers)
(customer) Payeezy - custom HMAC-SHA256 over select headers and body
(customer) BBC – HMAC on calls from Salesforce.com, $$ Video-on-demand
(customer) Vodafone - HMAC
(customer) O2 - HMAC](https://image.slidesharecdn.com/wed2-00advancedsecurityextensionsinapigeeedge-hmachttpsignaturedg1-151028165801-lva1-app6892/85/I-Love-APIs-2015-Advanced-Security-Extensions-in-Apigee-Edge-HMAC-and-http_signature-2-320.jpg)
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http_signature
- 1. 1 Advanced Security Extensions in Apigee Edge: ! HMAC, HttpSignature! Dino Chiesa, " Vinit Mehta
- 2. Who is using Signatures? 2 AWS - custom HMAC-SHA256 signature over the [ verb . host . uri . queryparams ] Google Maps API for Work - HMAC-SHA1 over URL+query (includes clientid) Twitter - OAuth1.0a signatures (HMAC-SHA1) over headers + params Azure storage - HMAC-SHA256 over [ verb . contentmd5 . contenttype . date . url ] Github's outbound webhooks - HMAC-SHA1 over the body (prospect) Automaker - XML DSIG over payload (prospect) WW Retailer - HttpSignature (Signature applied to select headers) (customer) Payeezy - custom HMAC-SHA256 over select headers and body (customer) BBC – HMAC on calls from Salesforce.com, $$ Video-on-demand (customer) Vodafone - HMAC (customer) O2 - HMAC
- 3. Why are these people using message-level security?" Why are they requiring signatures on their payloads? 3
- 4. Let’s talk about MITM, non-repudiation, auditing 4 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" }
- 5. Let’s talk about MITM, Non-repudiation, Auditing 5 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" } • TLS encrypts all of this, " except the hostname • TLS is point-to-point • What happens if you relay " this message beyond the " TLS-protected entry point? • If this message gets archived, how to guarantee its integrity?
- 6. Transport-layer security secures data in transit 6 Application Layer TLS Transport Layer Network layer Data Link Layer Application Layer TLS Transport Layer Network layer Data Link Layer
- 7. ? Message-layer security is independent of transport 7 Application Layer TLS Transport Layer Network layer Data Link Layer Application Layer TLS Transport Layer Network layer Data Link Layer
- 8. Message-level signatures protect the payload 8 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" } • Message-level signatures " can protect these parts of " the message, independently " of transport • Can optionally perform message-level encryption, encryption of selected " fields, etc.
- 9. MAC = Message Authentication Code " HMAC = keyed-hash MAC 9 HMAC injects a key into the normal hashing function. HMAC may be used to simultaneously verify both the integrity and the authentication of a message. MAC may be used to verify the integrity of a message.
- 10. You are smart people, " so obviously… 10 You want to verify HMACs in API proxies. Today, in Apigee Edge, you can’t.
- 11. Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to generate or validate HMACs. You’re hosed. 11
- 12. Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to generate or validate HMACs. You’re hosed. 12 Or maybe you’re not?
- 13. Code + Configure ! 13
- 14. • Embed your Java code as a policy in Apigee Edge • One Interface, one method, 2 parameters • Can read policy configuration • Can read and write context variables • … anchor anywhere in Edge policy flow • One of the ways to extend Edge " with custom code. Also JavaScript, Python, nodejs. • RTFM: " http://apigee.com/docs/api-services/ reference/java-callout-policy What are Java Callouts? 14 ©2015 Apigee. All Rights Reserved.
- 15. • Re-usable now in any of your Proxies • Configure it with XML as any other policy • Verify integrity of " any payload • Can read HMAC generated by third party libraries • Relies on secret " key or public/private key pair Java Callout for HMAC Verification or Generation 15 ©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-hmac-httpsignature
- 16. HMAC Code walkthrough & Demo 16
- 17. HttpSignature 17 This describes a way for servers and clients to add authentication and message integrity checks to HTTP messages (eg, API calls) by using a digital signature. http://tools.ietf.org/html/draft-cavage-http-signatures-05
- 18. HttpSignature 18 Complements API key or token-based authentication.
- 19. HttpSignature 19 The client sends in a signature header that contains four things: • Keyid – identifying the key used by the client. The meaning is app-dependent. • Algorithm – can be RSA-SHA (public/private key) or HMAC-SHA (shared key) • list of HTTP headers – optional; space delimited; these are included in the signing base • a computed signature of those headers
- 20. HttpSignature 20 Each element is formed as key="value" and they are separated by commas. " This must be passed in an HTTP header named "Signature". The resulting header might look like this: Signature: keyId=”mykey",algorithm="hmac-sha256",headers="(request- target) date",signature="udvCIHZAafyK+szbOI/KkLxeIihexHpHpvMrwbeoErI="
- 21. Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to validate HttpSignature. Sound familiar? 21
- 22. Code + Configure ! 22
- 23. • Re-usable now in any of your Proxies • Configure it with XML as any other policy • Verify signatures passed with payload; reject replays and altered messages. • Requires “smart client” that can compute signatures on outbound messages • Relies on secret key or public/private key pair Java Callout for HttpSignature Verification 23 ©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-hmac-httpsignature
- 24. Java Callout for HttpSignature Verification 24 ©2015 Apigee. All Rights Reserved.
- 25. Java Callout for HttpSignature Verification 25 ©2015 Apigee. All Rights Reserved.
- 26. HttpSignature Code walkthrough & Demo 26
- 27. Some comments • Include Nonce and Content-MD5 for full message integrity guarantees • Signatures are more difficult for developers • Provide libraries in JS, Java, .NET, PHP • You need a smart client to produce these • There’s a good HttpSignature library for Node.js – see" https://github.com/DinoChiesa/node-http-signature 27 ©2015 Apigee. All Rights Reserved.
- 28. When to use HMAC, HttpSignature? 28
- 29. • Use these callouts whenever you want to add " HMAC or HttpSignature verification to your proxies • To avoid MITM risks • To layer message-level protection on top of TLS • Scenarios :" Non-repudiation and archival " e.g., medical records release consent " Message-layer integrity" 29 ©2015 Apigee. All Rights Reserved.
- 30. What did we learn? 30 APIs Apps Users ©2015 Apigee. All Rights Reserved. • You need to include HMAC and HttpSignature into your toolbox to secure messages and to protect against MITM attacks • You can use HMAC and HttpSignature in Apigee Edge today via custom policies • No coding needed ! • These policies complement the existing built-in policies in Apigee Edge https://github.com/apigee/iloveapis2015-hmac-httpsignature