OAuth. Network Security. Online Services and Private Data. A real-life example. Material and Credits. OAuth. OAuth



Similar documents
Network Security OAuth

Authorization and Authentication

Implementing 2-Legged OAuth in Javascript (and CloudTest)

Cryptonite. SSO: Single Sign-On Security Overview. Áron SZABÓ. H.A.C.K. Hackerspace Budapest (hsbp.org)

Social Application Guide

E*TRADE Developer Platform. Developer Guide and API Reference. October 24, 2012 API Version: v0

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

From Delphi to the cloud

Fairsail REST API: Guide for Developers

OAuth Web Authorization Protocol Barry Leiba

Axway API Gateway. Version 7.4.1

EHR OAuth 2.0 Security

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

OAuth 2.0. Weina Ma

Lecture Notes for Advanced Web Security 2015

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

USING FEDERATED AUTHENTICATION WITH M-FILES

ADFS Integration Guidelines

Analysis and Implementation of a SSO Solution for Several Web Portal

IBM WebSphere Application Server

Module - Facebook PS Connect

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Force.com REST API Developer's Guide

Configuration Guide - OneDesk to SalesForce Connector

Qlik REST Connector Installation and User Guide

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Programming Autodesk PLM 360 Using REST. Doug Redmond Software Engineer, Autodesk

Egnyte Single Sign-On (SSO) Installation for OneLogin

Copyright: WhosOnLocation Limited

EPB Managed Wi-Fi Creating Social Media Apps with AirTight Guest Manager

AT&T Synaptic Storage as a Service SM Getting Started Guide

Salesforce1 Mobile Security Guide

SAML and OAUTH comparison

Using SAML for Single Sign-On in the SOA Software Platform

Identity Implementation Guide

Login with other services to ASP.NET websites with TMS Cloud Pack for.net

Taylor & Francis Online Mobile FAQs

The increasing popularity of mobile devices is rapidly changing how and where we

Using Foundstone CookieDigger to Analyze Web Session Management

Remote Access End User Reference Guide for SHC Portal Access

HarePoint Workflow Extensions for Office 365. Quick Start Guide

2-FACTOR AUTHENTICATION WITH

Lync for Mac Get Help Guide

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

OPENID AUTHENTICATION SECURITY

How To Use Salesforce Identity Features

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

Login with Amazon. Getting Started Guide for Websites. Version 1.0

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide

Follow these easy instructions to list your business on the BEC Australia National Business Directory.

How to pull content from the PMP into Core Publisher

SHC Client Remote Access User Guide for Citrix & F5 VPN Edge Client

Onegini Token server / Web API Platform

Scritto da Administrator Lunedì 02 Gennaio :27 - Ultimo aggiornamento Lunedì 02 Gennaio :52

Salesforce Integration User Guide Version 1.1

A Standards-based Mobile Application IdM Architecture

SYSPRO App Store: Registration Guide

CUSTOMER Android for Work Quick Start Guide

Weston Public Schools Virtual Desktop Access Instructions

Reporting works by connecting reporting tools directly to the database and retrieving stored information from the database.

Livezilla How to Install on Shared Hosting By: Jon Manning

Test Case 3 Active Directory Integration

Manual. Netumo NETUMO HELP MANUAL Copyright Netumo 2014 All Rights Reserved

Okta/Dropbox Active Directory Integration Guide

Login with Amazon. Developer Guide for Websites

OAuth: Where are we going?

Marcum LLP MFT Guide

Single Sign-On Implementation Guide

Deltek Touch Time & Expense for GovCon. User Guide for Triumph

Qualtrics Single Sign-On Specification

Cloud Elements! Marketing Hub Provisioning and Usage Guide!

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Enterprise Access Control Patterns For REST and Web APIs

Secure Authentication and Session. State Management for Web Services

Version 1.0. ASAM CS Single Sign-On

OAuth Guide Release 6.0

QIWI Wallet Pull Payments API

SAP Cloud Identity Service Document Version: SAP Cloud Identity Service

Signicat white paper. Signicat Solutions. This document introduces the Signicat solutions for digital identities and electronic signatures

Copyright Pivotal Software Inc, of 10

Absorb Single Sign-On (SSO) V3.0

Web Based Single Sign-On and Access Control

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Using Online Storage Services

OAuth 2.0: Theory and Practice. Daniel Correia Pedro Félix

Single Sign-On Framework in Tizen Contributors: Alexander Kanavin, Jussi Laako, Jaska Uimonen

CONFIGURATION AND SETUP USER GUIDE AND REFERENCE MANUAL

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Mashery OAuth 2.0 Implementation Guide

itds OAuth Integration Paterva itds OAuth Integration Building and re-using OAuth providers within Maltego 2014/09/22

CloudCall for Salesforce- Quick Start Guide. CloudCall for Dynamics CRM Quick Start Guide

Salesforce Opportunities Portlet Documentation v2

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Install and End User Reference Guide for Direct Access to Citrix Applications

The Top 5 Federated Single Sign-On Scenarios

MINING DATA FROM TWITTER. Abhishanga Upadhyay Luis Mao Malavika Goda Krishna

Transcription:

Network Security Dr. Ing. Simone Cirani Parma, May 28th, 2013 Online Services and Private Data The evolution of online services, such as social networks, has had a huge impact on the amount of data and personal information disseminated on the Internet The information owned by online services is made available to third-party applications in the form of public Application Programming Interfaces (APIs), typically using HTTP as transport protocol and relying on the REpresentational State Transfer (REST) architecture Someone else, besides the entity which generates the information and the service that is hosting it, can access this information 2 Parma, May 28th, 2013 Material and Credits http://tools.ietf.org/html/rfc5849 1.0 RFC http://tools.ietf.org/html/rfc6749 2.0 RFC http://oauth.net/ website about 1.0 and 2.0 http://hueniverse.com/oauth/guide/ Guide to 1.0 A real-life example You have subscribed to an online service ( PhotoPrint ) which offers prints of pictures that you have uploaded to Facebook You have setup your privacy settings so that only your friends are allowed to see your pictures PhotoPrint isn t your friend, it is a service... Big problem: how can PhotoPrint access your pictures? 3 Parma, May 28th, 2013 4 Parma, May 28th, 2013

Solution 1 Basic authentication: Give your Facebook username and password to PhotoPrint PhotoPrint will log on to Facebook using your credentials PhotoPrint will navigate your photos and download them in order to be able to print them Ok, I received my photo prints but I am not totally happy... I do not feel safe... Problems with Solution 1 If I give my username and password to PhotoPrint, it can use them to do anything as if it was me, including sending and reading private messages, getting personal information, and so on (Facebook could not recognize who is accessing the service) Never share your username and password with anybody Other problem: if I subscribe to many services and I give my credentials to all of them, when I decide I no longer want one of them, I d need to change username and password and reenter them in all other services. 5 Parma, May 28th, 2013 6 Parma, May 28th, 2013 (Open Authorization) Solution 2 An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. is defined and specified in RFC 5849 2.0 in RFC 6749 http://oauth.net/ allows users to grant limited and controlled access to their personal data stored on some service to third-party applications 7 Parma, May 28th, 2013 Who is using? Service Provider protocol version Dropbox 1.0 Evernote 1.0 Facebook 2.0 draft 12 Flickr 1.0a FourSquare 2.0 GitHub 2.0 Google 2.0 Google App Engine 1.0a Instagram 2.0 LinkedIn 1.0a, 2.0 Microsoft 2.0 MySpace 1.0a PayPal 2.0 Twitter 1.0a, 2.0 8 Yahoo! 1.0a Parma, May 28th, 2013

Solution 2 When using, you will explicitly authorize PhotoPrint to gain access to your Facebook photos only The authorization grant is represented by a so-called access token The access token is a piece of information that identifies the application the user the type of actions that the application can execute When PhotoPrint needs to access your pictures, it will exhibit its access token and Facebook, after verifying it, will let PhotoPrint grab the photos 9 Parma, May 28th, 2013 Authorization Authorization defines what rights and services the end-user is granted once access is allowed Authentication and authorization are usually performed together Information can be retrieved and presented differently to users, depending on their identity Is the requestor authorized to get this information? How should the information be presented? Should the information be presented entirely or partially? 10 Parma, May 28th, 2013 roles defines three roles (or actors) involved in a service authorization scenario Service Provider: a service that is hosting a number of protected user-related resources (Facebook) Service Consumer (or Client): a third-party application that is willing to access protected resources (PhotoPrint) User: an entity who is keeping some protected resources on the Service Provider (You) 11 Parma, May 28th, 2013 credentials There are 3 types of credentials used in the protocol Each credential is associated with a secret; the secret is needed to perform request signing Consumer key (and secret): used to authenticate the consumer Request token (and secret): exchanged for an access token after user s consent Access token (and secret): used in requests that result in accessing protected resources Tokens are pieces of information used instead of username and password 12 Parma, May 28th, 2013

Service Consumer Registration Service Providers must recognize the applications (Service Consumers) that are going to request information Service Consumers are typically required to register themselves to the Service Provider The registration phase returns a consumer key and secret to the Service Consumer The Service Consumer is required to use these information when it interacts with the Service Provider, so that it can be correctly identified Service Consumer Registration Service Consumer 4) Store key and secret (a512...123, 5362...sd4) 1) Registration Request 3) Consumer key and secret (a512...123, 5362...sd4) Service Provider 2) Generate and store key and secret id name key secret 1 PhotoPrint a512...123 5362...sd4............ 13 Parma, May 28th, 2013 14 Parma, May 28th, 2013 Digital Signatures uses digital signatures to verify authenticity and integrity of messages: HMAC-SHA-1 RSA-SHA-1 PLAINTEXT The secret depends on the method used for digital signature. PLAINTEXT and HMAC-SHA-1: the shared secret is a combination of the consumer secret and token secret RSA-SHA-1: the consumer secret serves as a private key The signature includes a nonce to protect against replay attacks; a timestamp is also used to reduce storage (nonces must be used only once) 22 15 Parma, May 28th, 2013 defines a redirection-based mechanism to let users grant privileges to client applications Redirection is performed on top of HTTP requests Problem: how can PhotoPrint retrieve an access token so that it can print some photos? Let s start... 16 Parma, May 28th, 2013

1. The user navigates on the client s website; the website needs access to the user s protected data http://www.photprint.unipr.it PhotoPrint 2. The URL linked by the login button contains the request token. The request token is retrieved by a call to the Service Provider when the page is created; the request is signed using the consumer key and secret so that the SP can recognize who is requesting the RT 1) http://www.photprint.unipr.it PhotoPrint 2) Get a request token 3) Request token and secret 17 Parma, May 28th, 2013 Parma, May 28th, 2013 5. The login page asks the user if he/she consents that client application will access protected data; typically the popup also states the types of actions that the client will perform on user s behalf. 1) http://www.photprint.unipr.it PhotoPrint 2) Get a request token 3) Request token and secret 4) Redirect to login page Parma, May 28th, 2013 20 Parma, May 28th, 2013

2) Get a request token 1) http://www.photprint.unipr.it PhotoPrint 3) Request token and secret 5) Login 6. By logging in, the user explicitly grants privileges to the client application to perform actions on his/her behalf. The login form sends an HTTP POST request to the Service Provider which results in a redirection to the client s login callback URL. The callback URL is used to let the Service Provider exchange the request token contained in the login form for an access token and secret. 4) Redirect to login page 21 Parma, May 28th, 2013 22 Parma, May 28th, 2013 6) Redirect to callback URL (with access token and secret) Using the access token Now the Service Consumer has received an access token and secret and it can use them to perform authenticated requests on behalf of the user 1) http://www.photprint.unipr.it PhotoPrint 2) Get a request token 3) Request token and secret PhotoPrint Authenticated Request (using access token) Service Response 5) Login 4) Redirect to login page 23 Parma, May 28th, 2013 24 Parma, May 28th, 2013

Signing requests An authenticated request includes several protocol parameters. Each parameter name begins with the "oauth_" prefix, and the parameter names and values are case sensitive Required parameters: oauth_consumer_key oauth_token oauth_signature_method oauth_timestamp oauth_nonce oauth_version 25 Parma, May 28th, 2013 Walkthrough taken from http://hueniverse.com/oauth/guide/authentication/ The client would like to access a protected resource located at http://www.photoprint.unipr.it/print with the parameters user=12345 size=medium The client has previously registered with the server and obtained the client identifier abcde and client secret zyxwv. It has executed the workflow and obtained an access token act123 and token secret act456 To sign the request, the client is using the HMAC-SHA1 signature method and generated a nonce string xyzxyz and timestamp 1369735200 26 Parma, May 28th, 2013 The oauth_ parameters are: parameter oauth_consumer_key oauth_token oauth_nonce abcde act123 xyzxyz oauth_timestamp 1369735200 oauth_signature_method oauth_version 1.0 HMAC-SHA-1 value The URL query parameters (user and size) are UTF-8 encoded and then URL encoded All the parameters are then sorted by name, in order to create a univocal string 27 Parma, May 28th, 2013 The sorted parameters are: parameter value oauth_consumer_key abcde oauth_nonce xyzxyz oauth_signature_method HMAC-SHA-1 oauth_timestamp 1369735200 oauth_token act123 oauth_version 1.0 size medium user 12345 28 Parma, May 28th, 2013

The parameters are concatenated into a single string using an encoding denoted as application/x-www-form-urlencoded each key/value pair is transformed into a single string in the following way: key=value all obtained strings are concatenated by adding a & sign between them: key1=value1&key2=value2 In our example, the resulting string is the following: oauth_consumer_key=abcde&oauth_nonce=xyzxyz&oauth_signature_method=hma C- SHA1&oauth_timestamp=1369735200&oauth_token=act123&oauth_version=1.0& size=medium&user=12345 Next the request URL is normalized as scheme://authority:port/path The port is omitted if it is a standard HTTP port (80 or 443) Query parameters are omitted since they have already been included in the previous section Fragments (the part of the URL after the # sign) are excluded In our example, the normalized URL is equal to the service URL: http://www.photoprint.unipr.it/print 29 Parma, May 28th, 2013 30 Parma, May 28th, 2013 The next step is to create the so-called Signature Base String The normalized URL and normalized parameters are URL-encoded ( : becomes %3A, / becomes %2F, = becomes %3D, & becomes %26, and so on). In our case, the URL becomes: http%3a%2f%2fwww.photoprint.unipr.it%2fprint The Signature Base String is obtained by concatenating the uppercase HTTP method (GET, POST,...), the normalized URL, and the normalized parameters with the & sign In our example, the Signature Base String is: GET&http%3A%2F%2Fwww.photoprint.unipr.it%2Fprint&oauth_consumer_key%3Da bcde%26oauth_nonce%3dxyzxyz%26oauth_signature_method%3dhmac- SHA1%26oauth_timestamp%3D1369735200%26oauth_token%3Dact123%26oau th_version%3d1.0%26size%3dmedium%26user%3d12345 31 Parma, May 28th, 2013 The final step is to create the digital signature of the request First, the HMAC key K is computed by concatenating the client secret, the & sign, and the access token secret zyxwv&act456 The signature is calculated as follows: 1. HMAC of the Base Signature String using SHA-1 hash and K 2. transform as string using Base64 encoding 3xkIuqoERka5vNmX4Z25wtAxYdw= In case of RSA-SHA-1, the Base Signature String is signed using the consumer (private) key In case of PLAINTEXT, the signature is the HMAC key K (no Base Signature String) - must use TLS The digital signature is added to the request in the oauth_signature parameter 32 Parma, May 28th, 2013

The final request sent to the Service Provider will be GET /print?user=12345&size=medium HTTP/1.1Host: www.photoprint.unipr.it:80authorization: realm="http://www.photoprint.unipr.it/print", oauth_consumer_key="abcde", oauth_token="act123", oauth_nonce="xyzxyz", oauth_timestamp="1369735200", oauth_signature_method="hmac-sha1", oauth_version="1.0", oauth_signature="3xkiuqoerka5vnmx4z25wtaxydw%3d" Signed Request Verification Upon receiving the request, the Service Provider will verify that the request has been correctly constructed, that the sender who it claims to be, and therefore can decide whether to serve the request or not The verification process performs the same steps as the signing process in order to produce the same Base Signature String and then verify if the key used for signing is the one that was constructed using the consumer secret and access token secret, which means that the sender is verified, and the request was not tampered with during transmission 33 Parma, May 28th, 2013 34 Parma, May 28th, 2013 2-legged and 3-legged Authentication The procedure explained so far is called a 3-legged authentication 3-legged authentication means that there are 3 parties involved in the scenario (Service Consumer, Service Provider, and User) Each leg relates to a party involved in the procedure When only 2 parties are involved, the procedure is called 2-legged authentication the Service Consumer coincides with the User this happens when the consumer key and secret are directly associated with the user s account n-legged authentication involves n parties; this can imply the delegation of the grant by the client to additional clients 2.0 2.0 is the next evolution of the original protocol Focus on client developer simplicity Provides specific authorization flows for web applications desktop applications mobile phones living room devices 35 Parma, May 28th, 2013 36 Parma, May 28th, 2013

Where to go from here? Coding example: we ll create a simple Twitter application which will access personal data A list of libraries for different programming languages is available at http://oauth.net/code/ Client applications: Social Network integration Social data mining and analysis... Service Providers: create your own online service and protect your APIs with as a Service (available thesis projects) 37 Parma, May 28th, 2013

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information