SlideShare a Scribd company logo

ietf oauth proof-of-possession.ppt sdfsdfs

Download as PPT, PDF
D
DucAnhLe56

This document discusses the IETF's work on Proof-of-Possession (PoP) for OAuth tokens. It provides an overview of the PoP architecture and key variants involving key distribution at access token issuance or client registration. It also describes building blocks for PoP like message integrity and channel binding. Open issues include authentication of the server to the client and handling intermediaries when clients interact with resource servers.

Environment
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1 IETF OAuth Proof-of-Possession Hannes Tschofenig
2 Status  Finished various specifications, including  OAuth Core: RFC 6749  Bearer Tokens: RFC 6750  Security Threats: RFC 6819  Discussion about an enhancement to Bearer Token security (now called “Proof-of-Possession”) since the early days of the working group.  Design Team work late 2012/early 2013, which lead to requirements, use cases, and solution strawman proposals.  Work on solution documents lead to new work items.
3 I Client Authorization Server Resource Server II III Architecture Relevant document: http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
4 I Client Authorization Server Resource Server II III Variants: • Key Distribution at Access Token Issuance • Key Distribution at Client Registration AS <-> Client Interaction Relevant specifications: http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/ http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
5 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key Request access token. I support PoP tokens
6 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS creates PoP-enabled access token
7 PoP Token: Symmetric Key Example { "alg":"RSA1_5", "enc":"A128CBC-HS256", "cty":"jwk+json" } { "iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf":{ "jwk": "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJB MTI4Q0JDLUhTMjU2IiwiY3R5IjoiandrK ... (remainder of JWE omitted for brevity)" } } { "kty":"oct", "alg":"HS256", "k":"ZoRSOrFzN_FzUA5XKM YoVHyzff5oRJxl-IXRtztJ6uE" } Binds a symmetric key to the access token
8 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & symmetric key
9 AS <-> Client Interaction  AS needs to bind a key to the access token.  Key can be an fresh and unique symmetric key, or  (ephemeral) public key  This requires two extensions:  New elements within the JWT to include the (encrypted symmetric key) or the public key. JWT is also integrity protected.  Mechanism for conveying ephemeral key from AS to client and for client to provide directives to AS.  Details in draft-ietf-oauth-pop-key-distribution  Transport symmetric key from AS to client.  Transport (ephemeral) asymmetric key from AS to client.  Transport public key from client to AS.  Algorithm indication
10 Dynamic Client Registration  Attempt to simplify developer interaction with AS when they deploy client applications.  Today, developers need to register various parameters (manually), such as  Authentication mechanism & client authentication credentials  Redirect URIs  Grant types  Meta data (client name, client logo, scopes, contact information, etc.)  Also allows meta-data, including public keys, to be uploaded to AS.  Two documents:  draft-ietf-oauth-dyn-reg  draft-ietf-oauth-dyn-reg-metadata  WGLC in progress.
11 I Client Authorization Server Resource Server II III Building Blocks: a) Proof of possession of PoP key b) Message integrity (+ Channel Binding) c) RS-to-client authentication Client <-> RS Interaction Relevant specification : http://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
12 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & Authenticator Authenticator = Keyed Message Digest Computed Over Request.
13 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key RS “unwraps” access token and obtains symmetric key. RS verifies authenticator. Shared Long Term Key
14 Channel Binding Channel bindings bind the application layer security to the underlying channel security mechanism. Various approaches for providing channel bindings:  PoP public key use in TLS (as described in HOTK draft)  tls-unique: TLS Finish message  tls-server-end-point: hash of the TLS server's certificate:  Currently, no channel bindings described in <draft-ietf-oauth- signed-http-request>  Be aware: New attacks have been identified with TLS-based channel bindings, see http://www.ietf.org/proceedings/89/slides/slides-89-tls-3.pdf
15 ` I Client Authorization Server Resource Server II III Variants: a) Token introspection b) Out-of-band RS <-> AS Interaction [optional] Relevant specification: http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
16 Next Steps Reviews for the document bundle needed. Open Issues will be added to the WG tracker. Main issues with the client<->resource server communication. Challenges:  Dealing with intermediaries modifying headers  Offering flexibility to developer  Reducing payload replicating  Minimizing canonicalization  Authentication of the server to the client  Channel binding functionality

More Related Content

PPTX
Access control iot_mqtt_ace
Cigdem Sengul
 
PDF
Secure JAX-RS
Rudy De Busscher
 
PDF
New Security Mechanisms for Network Time Synchronization Protocols
Internet Technology Matters (Internet Society)
 
PPTX
The Burden of Proof
Brian Campbell
 
PPTX
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Nordic APIs
 
PPTX
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Nat Sakimura
 
PDF
Secure JAX-RS
Payara
 
PDF
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Access control iot_mqtt_ace
Cigdem Sengul
 
Secure JAX-RS
Rudy De Busscher
 
New Security Mechanisms for Network Time Synchronization Protocols
Internet Technology Matters (Internet Society)
 
The Burden of Proof
Brian Campbell
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Nordic APIs
 
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Nat Sakimura
 
Secure JAX-RS
Payara
 
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 

Similar to ietf oauth proof-of-possession.ppt sdfsdfs (20)

PDF
IoT Wonderland: Understanding the Magic of OAuth2 Device Registration Flow
ForgeRock
 
PPTX
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
Hitachi, Ltd. OSS Solution Center.
 
PDF
Securing MQTT - BuildingIoT 2016 slides
Dominik Obermaier
 
PDF
RFC6749 et alia 20130504
Mattias Jidhage
 
PDF
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
Matt Raible
 
PPT
Oauth tutorial
乐费 胡
 
PDF
OAuth in the Real World featuring Webshell
CA API Management
 
PDF
Understanding Wireguard, TLS and Workload Identity
Christian Posta
 
PDF
OAuth2 on Ericsson Labs
Ericsson Labs
 
PPTX
Dealing with pervasive monitoring - Networkshop44
Jisc
 
PDF
Securing Web Applications with Token Authentication
Stormpath
 
PPTX
OAuth Well Played – Mods and Combos for the Cloud Native API Security Game - ...
Nordic APIs
 
PPTX
Json Web Token - JWT
Prashant Walke
 
PDF
Draft Ietf Oauth V2 12
Vishal Shah
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
PPT
Presentation To Vo Ip Round Table V2
Warren Bent
 
PPT
Authenticated Identites in VoIP Call Control
Warren Bent
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PDF
Are You Properly Using JWTs?
42Crunch
 
PDF
2016 pycontw web api authentication
Micron Technology
 
IoT Wonderland: Understanding the Magic of OAuth2 Device Registration Flow
ForgeRock
 
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
Hitachi, Ltd. OSS Solution Center.
 
Securing MQTT - BuildingIoT 2016 slides
Dominik Obermaier
 
RFC6749 et alia 20130504
Mattias Jidhage
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
Matt Raible
 
Oauth tutorial
乐费 胡
 
OAuth in the Real World featuring Webshell
CA API Management
 
Understanding Wireguard, TLS and Workload Identity
Christian Posta
 
OAuth2 on Ericsson Labs
Ericsson Labs
 
Dealing with pervasive monitoring - Networkshop44
Jisc
 
Securing Web Applications with Token Authentication
Stormpath
 
OAuth Well Played – Mods and Combos for the Cloud Native API Security Game - ...
Nordic APIs
 
Json Web Token - JWT
Prashant Walke
 
Draft Ietf Oauth V2 12
Vishal Shah
 
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Presentation To Vo Ip Round Table V2
Warren Bent
 
Authenticated Identites in VoIP Call Control
Warren Bent
 
Demystifying OAuth 2.0
Karl McGuinness
 
Are You Properly Using JWTs?
42Crunch
 
2016 pycontw web api authentication
Micron Technology
 
Ad

More from DucAnhLe56 (7)

PPTX
IC-Project-Status-Report-107761232_PowerPoint.pptx
DucAnhLe56
 
DOCX
IC-1RACI-Software-Matrix-11490_WORD.docx
DucAnhLe56
 
PPTX
sewewew we wer werwe rwe rwer wer wer wer
DucAnhLe56
 
PPTX
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
DucAnhLe56
 
PDF
phong cach lanh dao trong thuc te doanh nghiep vn
DucAnhLe56
 
PDF
ma-ansible-automatio sdf sdf sdfsdfsfdssdfsf
DucAnhLe56
 
PPT
PSO_Project_Closeout.ppt
DucAnhLe56
 
IC-Project-Status-Report-107761232_PowerPoint.pptx
DucAnhLe56
 
IC-1RACI-Software-Matrix-11490_WORD.docx
DucAnhLe56
 
sewewew we wer werwe rwe rwer wer wer wer
DucAnhLe56
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
DucAnhLe56
 
phong cach lanh dao trong thuc te doanh nghiep vn
DucAnhLe56
 
ma-ansible-automatio sdf sdf sdfsdfsfdssdfsf
DucAnhLe56
 
PSO_Project_Closeout.ppt
DucAnhLe56
 
Ad

Recently uploaded (20)

PDF
FMM Slides For OSH Management Requirement
ssuserf062ce
 
PPTX
Envrironmental Ethics: issues and possible solution
avsareankita
 
PPTX
Green Modern Sustainable Living Nature Presentation_20250226_230231_0000.pptx
seemasawant76
 
PDF
Effects of rice-husk biochar and aluminum sulfate application on rice grain q...
Open Access Research Paper
 
PDF
Global Natural Disasters in H1 2025 by Beinsure
Beinsure Media
 
PDF
The Role of Non-Legal Advocates in Fighting Social Injustice.pdf
Cheyanne Mallas
 
PPTX
Biodiversity of nature in environmental studies.pptx
saurabh yadav
 
PPTX
NSTP1 NSTP1NSTP1NSTP1NSTP1NSTP1NSTP1NSTP
waazzii000
 
PPT
Compliance Monitoring report CMR presentation.ppt
LouieDelaCruz17
 
DOCX
Epoxy Coated Steel Bolted Tanks for Beverage Wastewater Storage Manages Liqui...
AllenLin596164
 
PPTX
Plant_Cell_Presentation.pptx.com learning purpose
itharshsahu611
 
DOCX
Epoxy Coated Steel Bolted Tanks for Farm Digesters Supports On-Farm Organic W...
AllenLin596164
 
DOCX
Epoxy Coated Steel Bolted Tanks for Anaerobic Digestion (AD) Plants Core Comp...
AllenLin596164
 
PDF
Tree Biomechanics, a concise presentation
ssaur
 
PPTX
Corporate Social Responsibility & Governance
mhelr0se
 
PPTX
Office Hours on Drivers of Tree Cover Loss
Global Forest Watch
 
PPTX
Disposal Of Wastes.pptx according to community medicine
naturopathsamicshaa
 
DOCX
Epoxy Coated Steel Bolted Tanks for Dairy Farm Water Ensures Clean Water for ...
AllenLin596164
 
DOCX
Epoxy Coated Steel Bolted Tanks for Agricultural Waste Biogas Digesters Turns...
AllenLin596164
 
PPT
PPTPresentation3 jhsvdasvdjhavsdhsvjcksjbc.jasb..ppt
ssuserf5773f
 
FMM Slides For OSH Management Requirement
ssuserf062ce
 
Envrironmental Ethics: issues and possible solution
avsareankita
 
Green Modern Sustainable Living Nature Presentation_20250226_230231_0000.pptx
seemasawant76
 
Effects of rice-husk biochar and aluminum sulfate application on rice grain q...
Open Access Research Paper
 
Global Natural Disasters in H1 2025 by Beinsure
Beinsure Media
 
The Role of Non-Legal Advocates in Fighting Social Injustice.pdf
Cheyanne Mallas
 
Biodiversity of nature in environmental studies.pptx
saurabh yadav
 
NSTP1 NSTP1NSTP1NSTP1NSTP1NSTP1NSTP1NSTP
waazzii000
 
Compliance Monitoring report CMR presentation.ppt
LouieDelaCruz17
 
Epoxy Coated Steel Bolted Tanks for Beverage Wastewater Storage Manages Liqui...
AllenLin596164
 
Plant_Cell_Presentation.pptx.com learning purpose
itharshsahu611
 
Epoxy Coated Steel Bolted Tanks for Farm Digesters Supports On-Farm Organic W...
AllenLin596164
 
Epoxy Coated Steel Bolted Tanks for Anaerobic Digestion (AD) Plants Core Comp...
AllenLin596164
 
Tree Biomechanics, a concise presentation
ssaur
 
Corporate Social Responsibility & Governance
mhelr0se
 
Office Hours on Drivers of Tree Cover Loss
Global Forest Watch
 
Disposal Of Wastes.pptx according to community medicine
naturopathsamicshaa
 
Epoxy Coated Steel Bolted Tanks for Dairy Farm Water Ensures Clean Water for ...
AllenLin596164
 
Epoxy Coated Steel Bolted Tanks for Agricultural Waste Biogas Digesters Turns...
AllenLin596164
 
PPTPresentation3 jhsvdasvdjhavsdhsvjcksjbc.jasb..ppt
ssuserf5773f
 

ietf oauth proof-of-possession.ppt sdfsdfs

  • 2. 2 Status  Finished various specifications, including  OAuth Core: RFC 6749  Bearer Tokens: RFC 6750  Security Threats: RFC 6819  Discussion about an enhancement to Bearer Token security (now called “Proof-of-Possession”) since the early days of the working group.  Design Team work late 2012/early 2013, which lead to requirements, use cases, and solution strawman proposals.  Work on solution documents lead to new work items.
  • 4. 4 I Client Authorization Server Resource Server II III Variants: • Key Distribution at Access Token Issuance • Key Distribution at Client Registration AS <-> Client Interaction Relevant specifications: http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/ http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
  • 5. 5 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key Request access token. I support PoP tokens
  • 6. 6 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS creates PoP-enabled access token
  • 7. 7 PoP Token: Symmetric Key Example { "alg":"RSA1_5", "enc":"A128CBC-HS256", "cty":"jwk+json" } { "iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf":{ "jwk": "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJB MTI4Q0JDLUhTMjU2IiwiY3R5IjoiandrK ... (remainder of JWE omitted for brevity)" } } { "kty":"oct", "alg":"HS256", "k":"ZoRSOrFzN_FzUA5XKM YoVHyzff5oRJxl-IXRtztJ6uE" } Binds a symmetric key to the access token
  • 8. 8 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & symmetric key
  • 9. 9 AS <-> Client Interaction  AS needs to bind a key to the access token.  Key can be an fresh and unique symmetric key, or  (ephemeral) public key  This requires two extensions:  New elements within the JWT to include the (encrypted symmetric key) or the public key. JWT is also integrity protected.  Mechanism for conveying ephemeral key from AS to client and for client to provide directives to AS.  Details in draft-ietf-oauth-pop-key-distribution  Transport symmetric key from AS to client.  Transport (ephemeral) asymmetric key from AS to client.  Transport public key from client to AS.  Algorithm indication
  • 10. 10 Dynamic Client Registration  Attempt to simplify developer interaction with AS when they deploy client applications.  Today, developers need to register various parameters (manually), such as  Authentication mechanism & client authentication credentials  Redirect URIs  Grant types  Meta data (client name, client logo, scopes, contact information, etc.)  Also allows meta-data, including public keys, to be uploaded to AS.  Two documents:  draft-ietf-oauth-dyn-reg  draft-ietf-oauth-dyn-reg-metadata  WGLC in progress.
  • 11. 11 I Client Authorization Server Resource Server II III Building Blocks: a) Proof of possession of PoP key b) Message integrity (+ Channel Binding) c) RS-to-client authentication Client <-> RS Interaction Relevant specification : http://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
  • 12. 12 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & Authenticator Authenticator = Keyed Message Digest Computed Over Request.
  • 13. 13 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key RS “unwraps” access token and obtains symmetric key. RS verifies authenticator. Shared Long Term Key
  • 14. 14 Channel Binding Channel bindings bind the application layer security to the underlying channel security mechanism. Various approaches for providing channel bindings:  PoP public key use in TLS (as described in HOTK draft)  tls-unique: TLS Finish message  tls-server-end-point: hash of the TLS server's certificate:  Currently, no channel bindings described in <draft-ietf-oauth- signed-http-request>  Be aware: New attacks have been identified with TLS-based channel bindings, see http://www.ietf.org/proceedings/89/slides/slides-89-tls-3.pdf
  • 15. 15 ` I Client Authorization Server Resource Server II III Variants: a) Token introspection b) Out-of-band RS <-> AS Interaction [optional] Relevant specification: http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
  • 16. 16 Next Steps Reviews for the document bundle needed. Open Issues will be added to the WG tracker. Main issues with the client<->resource server communication. Challenges:  Dealing with intermediaries modifying headers  Offering flexibility to developer  Reducing payload replicating  Minimizing canonicalization  Authentication of the server to the client  Channel binding functionality