SlideShare a Scribd company logo

CIS 2015 An Interlude: Token Binding over HTTP - Dirk Balfanz

CloudIDSummit
CloudIDSummit

An Interlude: Token Binding over HTTP

Technology
1 of 24
Download to read offline
An Interlude: Token Binding over HTTP Dirk Balfanz, Google CIS2015
Protecting Bearer Tokens over HTTP ●  Goal: Strengthen credentials like o  Cookies o  OAuth Tokens so only authorized clients can use them ●  Basic mechanism (regardless of app-level protocol): o  Client signs tls_unique to prove possession of private key o  Uses different Token Binding Key per eTLD ●  HTTP Client discloses Token Binding Id to HTTP Server o  via new HTTP Header
Token Binding Header Client example.com TLS GET / HTTP/1.1 Host: example.com Token-Binding: DLF02LDSK3DMS28SA… User-Agent: … ... ALPN: http/1.1_tb_p256 provided_token_binding: { signature(tls_unique), public_keyexample.com }
Example: Binding Cookies ●  Server can then bind tokens to Token Binding ID TLS POST /Login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… … username=bob&pw=password ALPN: http/1.1_tb_p256 Client example.com 200 OK Set-Cookie: SID=sdkhfoeirusakjnf34aslkd … <html>Welcome!</html> { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
Federation Support ●  Problem: Client uses different Token-Binding IDs with RP and IdP; IdP wants to issue bound tokens. ●  RP allows client to reveal RP-associated (public) key to IdP o  client still proves possession of corresponding private key ●  IdP can then bind tokens to RP-associated key ●  We define two mechanisms for RP: o  HTTP response header o  Javascript API
Triggering Referred Binding: HTTP Redirects Client rp.com TLS GET / HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… idp.com TLS 302 Moved Temporarily Location: https://idp.com/rp-login Include-Referer-Token-Binding-Id: true ALPN: http/1.1_tb_p256
Triggering Referred Binding: HTTP Redirects Client rp.com TLS GET / HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… idp.com TLS GET /rp-login HTTP/1.1 Host: idp.com Token-Binding: MDLF02LDSK3DMS28S… Referer: rp.com User-Agent: … 302 Moved Temporarily Location: https://idp.com/rp-login Include-Referer-Token-Binding-Id: true ALPN: http/1.1_tb_p256
Triggering Referred Binding: HTTP Redirects Client rp.com TLS GET / HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… idp.com TLS GET /rp-login HTTP/1.1 Host: idp.com Token-Binding: MDLF02LDSK3DMS28S… Referer: rp.com User-Agent: … 302 Moved Temporarily Location: https://idp.com/ Include-Referer-Token-Binding-Id: true provided_token_binding: { signature(tls_unique), public_keyidp.com } referred_token_binding: { signature(tls_unique), public_keyrp.com } ALPN: http/1.1_tb_p256
Triggering Referred Binding: fetch() ●  RP uses new property of XmlHttpRequest to make client ask IdP for RP-bound token fetch(‘https://idp.com’, { ‘mode’: ‘cors’, ‘credentials’: ‘include’, ‘refererTokenBinding’: ‘include’}) .then(function(json){...}); ●  If property is true, Client includes referred_token_binding in Token-Binding header to IdP
Summary ●  client signs tls_unique ●  client adds signature to HTTP header ●  RP can trigger addition of a second signature ●  this can be used by higher-level federation protocols
Thanks!
Channel-Binding FIDO Assertions
Links and Contact Information The Token Binding Protocol Version 1.0: http://tools.ietf.org/html/draft-popov-token-binding-00 Token Binding over HTTP: http://tools.ietf.org/html/draft-balfanz-https-token-binding-00 On GitHub: https://github.com/TokenBinding/Internet-Drafts Dirk Balfanz balfanz@google.com Vinod Anupam vanupam@google.com Andrei Popov andreipo@microsoft.com
Open Issues ●  XmlHttpRequest vs. fetch() o  which one to extend? ●  Other ways for RP to signal to client o  What other mechanisms do federation protocols use? o  WebSockets? others?
First-Party Binding TLS POST /Login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… … username=bob&pw=password ALPN: http/1.1_tb_p256 Client example.com 200 OK Set-Cookie: SID=sdkhfoeirusakjnf34aslkd … <html>Welcome!</html>
First-Party Binding TLS POST /Login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… … username=bob&pw=password ALPN: http/1.1_tb_p256 Client example.com 200 OK Set-Cookie: SID=sdkhfoeirusakjnf34aslkd … <html>Welcome!</html> { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com
First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com provided_token_binding: { signature(tls_unique), public_keyexample.com } { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com provided_token_binding: { signature(tls_unique), public_keyexample.com } { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com 200 OK … <html>Your inbox:...</html>
Federated Binding TLS GET /rp-login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client idp.com 302 Moved Temporarily Location: https://rp.com/login?tok=hfoeimk... … { user_id: 1234456, name: Bob, tb_id: public_keyrp.com … }
Federated Binding TLS GET /login?tok=hfoeimkp... HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… … ALPN: http/1.1_tb_p256 Client rp.com 200 OK … <html>Welcome!</html> provided_token_binding: { signature(tls_unique), public_keyrp.com } { user_id: 1234456, name: Bob, tb_id: public_keyrp.com … }
Privacy Considerations Clients must ●  use different Token Binding Ids for different eTLDs o  Protects against cross-domain linking of user identities ●  let users manage TB Ids like cookies o  Must obey all user-specified cookie control settings o  Must allow them to be cleared by user at any time ●  not transmit TB Ids in the clear o  They are persistent identifiers automatically presented by clients to identify themselves to servers
Security Considerations Clients must ●  negotiate Enhanced Master Secret Extn o  Protocol uses tls_unique to create Token Binding Ids o  EMS Extension protects against Triple Handshake Attack which §  allows propagation of tls_unique value into other TLS connections §  thus could allow bound tokens to be used over such connections ●  protect Token Binding private keys o  Bound tokens cannot be used by clients without right private keys Clients should use hardware security modules ●  to prevent stealing of private keys

Recommended

Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakeskuza55
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 
PHP BASIC PRESENTATION
PHP BASIC PRESENTATIONPHP BASIC PRESENTATION
PHP BASIC PRESENTATIONkrutitrivedi
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 
Securing Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With CopsshSecuring Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With CopsshCrismer La Pignola
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebertgeeksec80
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
Cross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSCross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSMichael Neale
 

Recommended

Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakeskuza55
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 
PHP BASIC PRESENTATION
PHP BASIC PRESENTATIONPHP BASIC PRESENTATION
PHP BASIC PRESENTATIONkrutitrivedi
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 
Securing Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With CopsshSecuring Windows Remote Desktop With Copssh
Securing Windows Remote Desktop With CopsshCrismer La Pignola
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebertgeeksec80
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
Cross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSCross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSMichael Neale
 
Internet protocalls & WCF/DReAM
Internet protocalls & WCF/DReAMInternet protocalls & WCF/DReAM
Internet protocalls & WCF/DReAMWoody Pewitt
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)securityn|u - The Open Security Community
 
Aws amazon ec2
Aws amazon ec2Aws amazon ec2
Aws amazon ec2Sentinel Solutions Ltd
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStationArabNet ME
 
CORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORSCORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORSJared Ottley
 
PHP
PHPPHP
PHPkaushil shah
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking MethodsDavid Barroso
 
Linux Apache Php Mysql Lamp1273
Linux Apache Php Mysql Lamp1273Linux Apache Php Mysql Lamp1273
Linux Apache Php Mysql Lamp1273hussulinux
 
MWLUG 2017 - Elementary!
MWLUG 2017 - Elementary!MWLUG 2017 - Elementary!
MWLUG 2017 - Elementary!Karl-Henry Martinsson
 
Lesson 19 upload your page
Lesson 19 upload your pageLesson 19 upload your page
Lesson 19 upload your pageRawadMahmoud
 
ClusterDesktop how-to use from Android devices
ClusterDesktop how-to use from Android devicesClusterDesktop how-to use from Android devices
ClusterDesktop how-to use from Android devicesEmil Parashkevov
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPagesCsaba Kiss
 
Basic Introduction About API Web Service
Basic Introduction About API Web ServiceBasic Introduction About API Web Service
Basic Introduction About API Web ServiceHiraq Citra M
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying RESTKirsten Hunter
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure RESTguestb2ed5f
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)Ericom Software
 
HTTP
HTTPHTTP
HTTPspacecharge
 
Http request&response
Http request&responseHttp request&response
Http request&responseAswin Krishnamoorthy
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basicMksYi
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...Howard Greenberg
 

More Related Content

What's hot

Internet protocalls & WCF/DReAM
Internet protocalls & WCF/DReAMInternet protocalls & WCF/DReAM
Internet protocalls & WCF/DReAMWoody Pewitt
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStationArabNet ME
 
CORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORSCORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORSJared Ottley
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking MethodsDavid Barroso
 
Linux Apache Php Mysql Lamp1273
Linux Apache Php Mysql Lamp1273Linux Apache Php Mysql Lamp1273
Linux Apache Php Mysql Lamp1273hussulinux
 
Lesson 19 upload your page
Lesson 19 upload your pageLesson 19 upload your page
Lesson 19 upload your pageRawadMahmoud
 
ClusterDesktop how-to use from Android devices
ClusterDesktop how-to use from Android devicesClusterDesktop how-to use from Android devices
ClusterDesktop how-to use from Android devicesEmil Parashkevov
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPagesCsaba Kiss
 
Basic Introduction About API Web Service
Basic Introduction About API Web ServiceBasic Introduction About API Web Service
Basic Introduction About API Web ServiceHiraq Citra M
 

What's hot (13)

Internet protocalls & WCF/DReAM
Internet protocalls & WCF/DReAMInternet protocalls & WCF/DReAM
Internet protocalls & WCF/DReAM
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)security
 
Aws amazon ec2
Aws amazon ec2Aws amazon ec2
Aws amazon ec2
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStation
 
CORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORSCORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORS
 
PHP
PHPPHP
PHP
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking Methods
 
Linux Apache Php Mysql Lamp1273
Linux Apache Php Mysql Lamp1273Linux Apache Php Mysql Lamp1273
Linux Apache Php Mysql Lamp1273
 
MWLUG 2017 - Elementary!
MWLUG 2017 - Elementary!MWLUG 2017 - Elementary!
MWLUG 2017 - Elementary!
 
Lesson 19 upload your page
Lesson 19 upload your pageLesson 19 upload your page
Lesson 19 upload your page
 
ClusterDesktop how-to use from Android devices
ClusterDesktop how-to use from Android devicesClusterDesktop how-to use from Android devices
ClusterDesktop how-to use from Android devices
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPages
 
Basic Introduction About API Web Service
Basic Introduction About API Web ServiceBasic Introduction About API Web Service
Basic Introduction About API Web Service
 

Similar to CIS 2015 An Interlude: Token Binding over HTTP - Dirk Balfanz

Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure RESTguestb2ed5f
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)Ericom Software
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basicMksYi
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...Howard Greenberg
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Navaneethan Naveen
 
TLS - 2016 Velocity Training
TLS - 2016 Velocity TrainingTLS - 2016 Velocity Training
TLS - 2016 Velocity TrainingPatrick Meenan
 
Building Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierBuilding Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierNicholas Doiron
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsJeff Fontas
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.pptssuserec53e73
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developersMario Cardinal
 
How HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know itHow HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know itNils De Moor
 
How HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know itHow HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know itWoorank
 

Similar to CIS 2015 An Interlude: Token Binding over HTTP - Dirk Balfanz (20)

Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure REST
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
 
HTTP
HTTPHTTP
HTTP
 
Http request&response
Http request&responseHttp request&response
Http request&response
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014
 
TLS - 2016 Velocity Training
TLS - 2016 Velocity TrainingTLS - 2016 Velocity Training
TLS - 2016 Velocity Training
 
WWW and HTTP
WWW and HTTPWWW and HTTP
WWW and HTTP
 
Building Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierBuilding Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and Paillier
 
Let's Encrypt
Let's EncryptLet's Encrypt
Let's Encrypt
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developers
 
How HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know itHow HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know it
 
How HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know itHow HTTP/2 will change the web as we know it
How HTTP/2 will change the web as we know it
 

More from CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

More from CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Recently uploaded

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

CIS 2015 An Interlude: Token Binding over HTTP - Dirk Balfanz

  • 1. An Interlude: Token Binding over HTTP Dirk Balfanz, Google CIS2015
  • 2. Protecting Bearer Tokens over HTTP ●  Goal: Strengthen credentials like o  Cookies o  OAuth Tokens so only authorized clients can use them ●  Basic mechanism (regardless of app-level protocol): o  Client signs tls_unique to prove possession of private key o  Uses different Token Binding Key per eTLD ●  HTTP Client discloses Token Binding Id to HTTP Server o  via new HTTP Header
  • 3. Token Binding Header Client example.com TLS GET / HTTP/1.1 Host: example.com Token-Binding: DLF02LDSK3DMS28SA… User-Agent: … ... ALPN: http/1.1_tb_p256 provided_token_binding: { signature(tls_unique), public_keyexample.com }
  • 4. Example: Binding Cookies ●  Server can then bind tokens to Token Binding ID TLS POST /Login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… … username=bob&pw=password ALPN: http/1.1_tb_p256 Client example.com 200 OK Set-Cookie: SID=sdkhfoeirusakjnf34aslkd … <html>Welcome!</html> { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
  • 5. Federation Support ●  Problem: Client uses different Token-Binding IDs with RP and IdP; IdP wants to issue bound tokens. ●  RP allows client to reveal RP-associated (public) key to IdP o  client still proves possession of corresponding private key ●  IdP can then bind tokens to RP-associated key ●  We define two mechanisms for RP: o  HTTP response header o  Javascript API
  • 6. Triggering Referred Binding: HTTP Redirects Client rp.com TLS GET / HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… idp.com TLS 302 Moved Temporarily Location: https://idp.com/rp-login Include-Referer-Token-Binding-Id: true ALPN: http/1.1_tb_p256
  • 7. Triggering Referred Binding: HTTP Redirects Client rp.com TLS GET / HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… idp.com TLS GET /rp-login HTTP/1.1 Host: idp.com Token-Binding: MDLF02LDSK3DMS28S… Referer: rp.com User-Agent: … 302 Moved Temporarily Location: https://idp.com/rp-login Include-Referer-Token-Binding-Id: true ALPN: http/1.1_tb_p256
  • 8. Triggering Referred Binding: HTTP Redirects Client rp.com TLS GET / HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… idp.com TLS GET /rp-login HTTP/1.1 Host: idp.com Token-Binding: MDLF02LDSK3DMS28S… Referer: rp.com User-Agent: … 302 Moved Temporarily Location: https://idp.com/ Include-Referer-Token-Binding-Id: true provided_token_binding: { signature(tls_unique), public_keyidp.com } referred_token_binding: { signature(tls_unique), public_keyrp.com } ALPN: http/1.1_tb_p256
  • 9. Triggering Referred Binding: fetch() ●  RP uses new property of XmlHttpRequest to make client ask IdP for RP-bound token fetch(‘https://idp.com’, { ‘mode’: ‘cors’, ‘credentials’: ‘include’, ‘refererTokenBinding’: ‘include’}) .then(function(json){...}); ●  If property is true, Client includes referred_token_binding in Token-Binding header to IdP
  • 10. Summary ●  client signs tls_unique ●  client adds signature to HTTP header ●  RP can trigger addition of a second signature ●  this can be used by higher-level federation protocols
  • 13. Links and Contact Information The Token Binding Protocol Version 1.0: http://tools.ietf.org/html/draft-popov-token-binding-00 Token Binding over HTTP: http://tools.ietf.org/html/draft-balfanz-https-token-binding-00 On GitHub: https://github.com/TokenBinding/Internet-Drafts Dirk Balfanz balfanz@google.com Vinod Anupam vanupam@google.com Andrei Popov andreipo@microsoft.com
  • 14. Open Issues ●  XmlHttpRequest vs. fetch() o  which one to extend? ●  Other ways for RP to signal to client o  What other mechanisms do federation protocols use? o  WebSockets? others?
  • 15. First-Party Binding TLS POST /Login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… … username=bob&pw=password ALPN: http/1.1_tb_p256 Client example.com 200 OK Set-Cookie: SID=sdkhfoeirusakjnf34aslkd … <html>Welcome!</html>
  • 16. First-Party Binding TLS POST /Login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… … username=bob&pw=password ALPN: http/1.1_tb_p256 Client example.com 200 OK Set-Cookie: SID=sdkhfoeirusakjnf34aslkd … <html>Welcome!</html> { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
  • 17. First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com
  • 18. First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com provided_token_binding: { signature(tls_unique), public_keyexample.com } { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
  • 19. First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com provided_token_binding: { signature(tls_unique), public_keyexample.com } { user_id: 1234456, last_login: 9348230984, tb_id: public_keyexample.com … }
  • 20. First-Party Binding TLS GET /Inbox.html HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client example.com 200 OK … <html>Your inbox:...</html>
  • 21. Federated Binding TLS GET /rp-login HTTP/1.1 Token-Binding: DLF02LDSK3DMS28SA… Cookie: SID=sdkhfoeirusakjnf34aslkd … ALPN: http/1.1_tb_p256 Client idp.com 302 Moved Temporarily Location: https://rp.com/login?tok=hfoeimk... … { user_id: 1234456, name: Bob, tb_id: public_keyrp.com … }
  • 22. Federated Binding TLS GET /login?tok=hfoeimkp... HTTP/1.1 Token-Binding: QWR26DLF02LDSK3DM… … ALPN: http/1.1_tb_p256 Client rp.com 200 OK … <html>Welcome!</html> provided_token_binding: { signature(tls_unique), public_keyrp.com } { user_id: 1234456, name: Bob, tb_id: public_keyrp.com … }
  • 23. Privacy Considerations Clients must ●  use different Token Binding Ids for different eTLDs o  Protects against cross-domain linking of user identities ●  let users manage TB Ids like cookies o  Must obey all user-specified cookie control settings o  Must allow them to be cleared by user at any time ●  not transmit TB Ids in the clear o  They are persistent identifiers automatically presented by clients to identify themselves to servers
  • 24. Security Considerations Clients must ●  negotiate Enhanced Master Secret Extn o  Protocol uses tls_unique to create Token Binding Ids o  EMS Extension protects against Triple Handshake Attack which §  allows propagation of tls_unique value into other TLS connections §  thus could allow bound tokens to be used over such connections ●  protect Token Binding private keys o  Bound tokens cannot be used by clients without right private keys Clients should use hardware security modules ●  to prevent stealing of private keys