Implimenting Privacy: OAuth and Token Madness
Upcoming SlideShare
Loading in...5
×
 

Implimenting Privacy: OAuth and Token Madness

on

  • 10,498 views

Ever cringe when you're asked to enter your email address and password to a third party service? This talk will cover how to build and consume services which protect users privacy with OAuth and other ...

Ever cringe when you're asked to enter your email address and password to a third party service? This talk will cover how to build and consume services which protect users privacy with OAuth and other techniques.

Ever cringe when you’re asked to enter your email address and password to a third party service? Even worse when we build systems which collect people’s credentials. It’s the password anti-pattern.

Privacy and security are important, but when it comes to real running apps, it works wins over it’s secure.
This has two main themes.

* How to use tokens and other tricks to protect the privacy of your users.
* While examples will be from a ruby on rails application, this talk is more on general web development practices for privacy.

There is no totally secure or private system out there, especially when we build social web applications. But there are many things which can be done to improve privacy. For each application you have to look at what the threat model is for leaking personal information. Everything from how your user passwords are stored to what happens if a hacker gets a full dump of your database.

* What happens when a user’s email is compromised by a third party service?
* How to provide simple sharing with casual privacy.
* What is ‘good enough’ crypto.
* Understanding the difference between Authorization and Authentication.

This talk is based on experience designing and architecting Yahoo! Fire Eagle, a location sharing service which was the first implementation of both OAuth and Ruby on Rails at yahoo.

Statistics

Views

Total Views
10,498
Views on SlideShare
10,448
Embed Views
50

Actions

Likes
25
Downloads
743
Comments
0

5 Embeds 50

http://www.slideshare.net 39
http://moonrank.blogspot.com 5
http://www.linkedin.com 4
http://moonrank.blogspot.fr 1
https://blackboard.strayer.edu 1

Accessibility

Upload Details

Uploaded via as Apple Keynote

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Privacy. It’s a tricky idea. It’s really to try and protect the interests and information of our users. As they want.
  • Or sometimes what we do is provide the perception of privacy. This is what a privacy policy is, Nobody reads it, so what it really does is provide the perception that there is privacy.
  • Many users don’t want to appear in public at all, or they want to be able to delete their users and associated information. Perhaps they don’t want everybody to know they’re in the furries flickr group.
  • Some people value privacy over all else. They might wear a burka or use tor.
  • People use the internet for many things. What ever application you’re building, could unwittingly become a space for free speech. What happens if the government asks for your database? What if it’s legal in your country, but illegal in another?
  • For example, it’s illegal to insult or mock the Pope in Italy. If you can publish photos on your website, then the Italian government could demand to know the identity of the poster. If they posted this image from italy they’d be committing a crime.
  • Another example, in Argentina, their national hero is Diego Maradona a soccer star. It’s illegal to publish real or photoshoped porn with Maradona in it. Protected speech in one country is illegal speech in others.
  • Here in the US for example there’s a great tradition of free speech with some rather odd limitations. For example you can’t say, i want to shoot the president....
  • Unless you’re talking about somebody else’s president. No problem wanting to kill the cuban or iranian president.
  • Show a picture of the mouse. The most common example of free speech limits in the US are mostly commercial limits.
  • Beyond problems with corporations and governments, you’ve got the hacker problem. They really want to get at our users and systems. In all of our work we’ve got to think about what kinds of attacks we might face in production.
  • Right now we use email as the primary way of logging in to systems. It’s the core of the identity system online right now.
  • The majority of people use a single email account for everything. The protection of this email is very important.
  • When somebody has access to your email, they’ve got access to everything.
  • With email accounts we can reclaim passwords for online banking systems. <br /> With this access we can eventually take money out of a users bank accounts. A users email account is the real key to paypal and online banking.
  • One of the reasons there are so many problems with spam, and phishing sites is that hackers really want to get at users email accounts.
  • We use email for all of our internal documents which used to be on a desktop. Now they are in the cloud, and email is guarding them.
  • So with email being so important, so essential to a user&#x2019;s life online, to their bank accounts and internal company documents. <br /> WHY do we build things like this. We teach users to share their passwords!
  • Fail, really, we as web developers, as a community, are failing out users.
  • But there is salvation, a way out. We don&#x2019;t have to persist with this nightmare.
  • In reality, there are a ton of authorization systems which don&#x2019;t use email addresses and passwords.
  • Each one does more or less the same thing in slightly different ways.
  • What are these token things we talk about? There&#x2019;re little things we use to represent access, kind of like a subway token.
  • Well kind of like coins, but each token is unique
  • More like symbols, which can be used to represent something without it being the thing.
  • The trick with all the delegated token authorization systems is that they DON&#x2019;T pass the password with teach request. They use a token, and a secret. The secret is used in the signature but not passed over the wire.
  • It&#x2019;s more this kind of signature. Crypto. HMAC or RSA SHA1.
  • So what does this look like, well we use the token and the hash key secret.
  • We use the combination of the token and then the secret as the has key to sign the token, well not just the token, but the whole request.
  • Then that signature is created as a param which can be passed in the requests.
  • So you end up something like this. The token, and the signature is passed over the wire. The secret is kept on both ends to verify the signature.
  • So this delegated token authorization. There are 20 different types. Each one is sufficiently different that you have to build up the libraries from scratch. Each auth system needs a library in every language.
  • There is now one delegated token auth system to rule them all. Based on all the best practices of the past.
  • The original idea of OAuth would be that it&#x2019;s super simple, clear, everybody could read the standard and understand. It was nice and clear. Little by little in the standards process the standards people from IETF and W3C got involved. Now the spec is full of diagrams like this!
  • All this is to say that OAuth is like a love triangle. That is to say that the relationship between he provider, end user, and consumer is a love triangle. Each part communicates with both of the other parts.
  • Normally oauth has three legs, the user, the provider, and the consumer. But it&#x2019;s possible to use oauth to remove the user from the equation. Creating 2 legged oauth.
  • In 2 legged oauth there is the same libraries and toke signing between the consumer and the provider. Yahoo for example uses this model to control access to web services which are accessed on application&#x2019;s own behalf. There doesn&#x2019;t have to be a user. OAuth&#x2019;s standardized signing / anti replay attacks are useful for many APIS.
  • Great, but what&#x2019;s it like for the user? Very simple. Here we&#x2019;re going to walk through a MovableType client application getting the user to authorize Fire Eagle to share the user&#x2019;s location.
  • So when we click the connect link, we&#x2019;re taking to fire eagle, which asks us to login.
  • Then once we&#x2019;re logged in we get a confirmation page.
  • The request is made with a provisional request token, which tells us among other things what application is being authorized. The user then can see that application that they are going to authorize.
  • It&#x2019;s possible at this stage for the provider to ask for preferences to constrain the permissions of the application. For example, can publish but not delete. This is very important because it&#x2019;s something you couldn&#x2019;t do if you handed over the user name and password to the client application. It&#x2019;d be full control or nothing.
  • And after preferences, the user can choose to approve or deny the authorization of the application to their protected resources.
  • After a user hits confirm, they&#x2019;re redirected back to the consumer based on the callback url assigned, and as far as the user is concerned the association is setup.
  • For the user the whole process is 4 clicks. Behind these simple 4 clicks is a token dance between the consumer, provider, and end user.
  • the application asks for a request token
  • the application asks for a request token <br /> la aplicaci&#xF3;n inicia el <br /> intercambio del <br /> request token
  • the application asks for a request token <br /> la aplicaci&#xF3;n inicia el <br /> intercambio del <br /> request token
  • the application asks for a request token <br /> la aplicaci&#xF3;n inicia el <br /> intercambio del <br /> request token
  • the application asks for a request token <br /> la aplicaci&#xF3;n inicia el <br /> intercambio del <br /> request token
  • the application asks for a request token <br /> la aplicaci&#xF3;n inicia el <br /> intercambio del <br /> request token
  • the application asks for a request token <br /> la aplicaci&#xF3;n inicia el <br /> intercambio del <br /> request token
  • the application asks for a request token
  • That was the token dance for web applications. There is a similar but slightly different process for desktop and out of band applications like browserless mobile phones and embedded systems like an arduino.
  • All of the oauth params start with the oauth_* prefix.
  • As we saw before, there are keys (tokens) and secrets. The consumer application or library itself has a token secret part, in addition to a user&#x2019;s access token and secret. The key is passed with each request, and the consumer secret is used for signing every request.
  • The tokens are just random strings which should be unique.
  • Then we require that each request have a timestamp and nonce. The timestamp is an integer which needs to increment. The nonce is a unique number/string which can&#x2019;t be reused with the same timestamp. The combination of these, and the signing prevents replay attacks.
  • The last couple define the signing method, this could be public key, but usually it&#x2019;s HMAC-SHA1. Then the version of oauth, which despite the current standard being 1.0a the standard says you should still say 1.0. Then the actual signature of the request.
  • OAuth signing and authorization can go over
  • Hay mucho formas de hacer una request de OAuth.
  • Hay mucho formas de hacer una request de OAuth.
  • Hay mucho formas de hacer una request de OAuth.
  • tambi&#xE9;n puede poner todo los params en el HTTP POST.
  • por que tenemos liberias para hacer todo los detalles en todo los lenguajes. El primero implementaci&#xF3;n de OAuth fue en Ruby para aplicaciones de rails. Ahora todo los plataformas tiene apoyo para OAuth.
  • por que tenemos liberias para hacer todo los detalles en todo los lenguajes. El primero implementaci&#xF3;n de OAuth fue en Ruby para aplicaciones de rails. Ahora todo los plataformas tiene apoyo para OAuth.
  • En nuestra caso, tenemos un muy buen gems para OAuth.
  • So you simply add the plugin to your rails app.
  • It adds a ton of files to your system to handle all the oauth process. You&#x2019;re going to want to customize the templates.
  • Add the routes to make all the oauth requests make sense. These urls are set, there is a discovery process by which you can use alternate oauth urls but it&#x2019;s best if you can to just keep them standard.
  • The last thing you need to do is add before filters requiring authorization for the the actions and resources you need to protect.
  • In terms of OAuth, that&#x2019;s it. It&#x2019;s simple to create a basic provider and consumer.
  • So that&#x2019;s enough to get over to using oauth in your apis. Getting to oauth is important, but it&#x2019;s not the end of building systems which respect privacy.
  • Remember how i was talking about the nonce and timestamp? Well Nonce in British slang is a pedophile, but it&#x2019;s got another meaning. It&#x2019;s a one time number. The OAuth spec says you have to provide a nonce and timestamp, but they don&#x2019;t require that you check them.
  • what you want to do is make sure that the timestamp always the same or higher by some amount, and that the nonce for that timestamp & consumer hasn&#x2019;t been used before. You don&#x2019;t have to store all past nonces.
  • Don&#x2019;t even store your auth credentials in the same databases as you&#x2019;re using for the rest of your application. Use metal, or a proxy to authorize the requests, then pass that through to your apis. This is kind of similar to what google and yahoo do where the authentication and authorization systems are divided off from the production application itself.
  • While it&#x2019;s recommended to use HMAC-SHA1, it&#x2019;s possible to use other forms of signing. Google for example uses RSA public / private keys for it&#x2019;s oauth. If a provider passes everything over ssl it&#x2019;s possible to use the unsigned PLAINTEXT signing method. :)
  • Sometimes you need the data for a single use. Don&#x2019;t do a login at at all, just store the keys in the cookie, once the user leaves and the tokens disappear.
  • One thing you can do is use the authorization and tokens to make a wall between your user profiles and their associated data. That way you can only get foreign key when a user or authorized application is actively using the service. Wesabe and Fire Eagle both use this style system.

Implimenting Privacy: OAuth and Token Madness Implimenting Privacy: OAuth and Token Madness Presentation Transcript

  • Implementing Privacy OAuth & Token Madness evan@protest.net
  • Privacy
  • Perception of Privacy
  • The Privacy to Disappear
  • Extreme Privacy
  • Privacy and the State
  • Privacy and the Law
  • Can you say? source: http://www.crestpublishing.co.za/killthepresident.html
  • Kill the Cuban president? source: http://flic.kr/p/RfwD
  • Speech as Property
  • Privacy & Hackers
  • Email & Logins
  • One email per person
  • Email for Everything
  • We use email for everything!
  • Hackers want your email
  • The Twitter Files
  • Dear God Why?!?!
  • Fail
  • Salvation?
  • Delegated Token Authorization
  • Delegated Token Authorization FlickrAuth, Google AuthSub, Yahoo’s BBAuth, Facebook Auth, Amazon AWS, AOL OpenAuth, etc...
  • Tokens
  • Like Coins?
  • Symbols
  • username password token secret
  • timoreilly password token secret
  • timoreilly alphag33ks token secreto
  • timoreilly alphag33ks SLx39nv4 secreto
  • timoreilly alphag33ks SLx39nv4 L9vQlviq2x
  • Cryptographic Signatures
  • Cryptographic Signatures consumer = Auth::Consumer.new( 'dpf43f3p2l4k3l03', 'kd94hf93k423kf44' ) token = Auth::Token.new( 'nnch734d00sl2jdk', 'pfkkdhi9sl3r4s00' ) signature = Auth::Signature.sign(request, { :consumer => consumer, :token => token, :uri => 'http://photos.example.net/photos' } ) assert_equal 'tR3+Ty81lMeYAr/Fid0kMTYa/WM=', signature
  • Cryptographic WHAT? TOKEN HASH KEY SECRET
  • Cryptographic WHAT? TOKEN HASH KEY SECRET signature
  • Cryptographic WHAT? TOKEN HASH KEY SECRET signature
  • Cryptographic WHAT? TOKEN HASH KEY SECRET signature sig=aslkdjfalskd
  • Cryptographic WHAT? TOKEN HASH KEY SECRET signature token=vkzljxc&sig=aslkdjfalskd
  • Delegated Token Authorization FlickrAuth, Google AuthSub, Yahoo’s BBAuth, Facebook Auth, Amazon AWS, AOL OpenAuth, etc...
  • Authentication Authorization
  • Authentication Authorization OpenID OAuth
  • Authentication Authorization OpenID OAuth Users Applications
  • Very Simple
  • Love Triangle end user consumer service application provider
  • Three Legs end user consumer service application provider
  • Two Legs consumer service application provider
  • Buenos Aires, Argentina San Jose, California
  • Token Dance consumer provider
  • Token Dance consumer provider requesting the request token
  • Token Dance consumer provider requesting the request token creates and returns a new request token
  • Token Dance consumer provider requesting the request token creates and returns a new request token redirect user to provider with token in url
  • Token Dance consumer provider requesting the request token creates and returns a new request token redirect user to provider with token in url user selects preferences and approves auth
  • Token Dance consumer provider requesting the request token creates and returns a new request token redirect user to provider with token in url user selects preferences and approves auth redirected back to consumer with request token
  • Token Dance consumer provider requesting the request token creates and returns a new request token redirect user to provider with token in url user selects preferences and approves auth redirected back to consumer with request token consumer wants to trade request token for access
  • Token Dance consumer provider requesting the request token creates and returns a new request token redirect user to provider with token in url user selects preferences and approves auth redirected back to consumer with request token consumer wants to trade request token for access provisional request token traded for access token
  • Token Dance consumer provider requesting the request token creates and returns a new request token redirect user to provider with token in url user selects preferences and approves auth redirected back to consumer with request token consumer wants to trade request token for access provisional request token consumer saves the traded for access token access token for the user
  • Token Dance web applications desktop applications out of band applications like mobile and embedded
  • OAuth Params oauth_*
  • OAuth Params oauth_consumer_key oauth_consumer_secret
  • OAuth Params oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk"
  • OAuth Params oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096"
  • OAuth Params oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tRMTYa%2FWM%3D"
  • Forms of OAuth HTTP GET params HTTP POST params HTTP Headers XMPP - Jabber
  • HTTP GET params GET&http%3A%2F%2Fphotos.example.net %2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key %3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp %3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
  • HTTP HEADERS params GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm="http://photos.example.net/ photos" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa %2FWM%3D"
  • HTTP POST params POST /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa %2FWM%3D"
  • Ignore the details source: http://flic.kr/p/5NRADb
  • Libraries
  • Gems sudo gem install oauth github.com/mojodna/oauth
  • Plugins
  • Plugins ./script/plugin install git:// github.com/pelle/oauth-plugin.git github.com/pelle/oauth-plugin
  • OAuth on Rails rails osconrails -m rails-base-template.text cd osconrails ./script/plugin install git://github.com/pelle/oauth-plugin.git
  • Add the oauth-plugin ./script/generate oauth-plugin exists app/models/ create app/views/oauth create app/views/oauth_clients create app/models/client_application.rb create app/models/oauth_token.rb create app/models/request_token.rb create app/models/access_token.rb create app/models/oauth_nonce.rb create app/controllers/oauth_controller.rb create app/helpers/oauth_helper.rb create app/controllers/oauth_clients_controller.rb create app/helpers/oauth_clients_helper.rb create spec/models/client_application_spec.rb create spec/models/oauth_token_spec.rb create spec/models/oauth_nonce_spec.rb create spec/fixtures/client_applications.yml create spec/fixtures/oauth_tokens.yml create spec/fixtures/oauth_nonces.yml create spec/controllers/oauth_controller_spec_helper.rb create spec/controllers/oauth_controller_spec.rb create spec/controllers/oauth_clients_controller_spec.rb create app/views/oauth_clients/_form.html.erb create app/views/oauth_clients/new.html.erb create app/views/oauth_clients/index.html.erb create app/views/oauth_clients/show.html.erb
  • Update your routes ./config/routes.rb map.resources :oauth_clients map.authorize '/oauth/authorize',:controller=>'oauth',:action=>'authorize' map.request_token '/oauth/request_token',:controller=>'oauth',:action=>'request_token' map.access_token '/oauth/access_token',:controller=>'oauth',:action=>'access_token' map.test_request '/oauth/test_request',:controller=>'oauth',:action=>'test_request'
  • Filters for access control class ApiController < ApplicationController before_filter :login_or_oauth_required, :except => [:oauth_only_action] before_filter :oauth_required, :only => [:oauth_only_action]
  • That’s it!
  • Desert
  • Careful: nonce & timestamp
  • Careful: nonce & timestamp source: http://flic.kr/p/QtskX
  • Use separate DB’s source: http://flic.kr/p/6xtHZp
  • Signing with keys
  • Without Login
  • Privacy Wall
  • Privacy Wall
  • Privacy and the Law
  • Expire Tokens
  • CSRF & XSS - Careful!
  • Don’t Log Everything source: http://flic.kr/p/5VcQWT
  • Selective Logging source: http://flic.kr/p/5Zkwex
  • dev.riseup.net/privacy/ source: http://dev.riseup.net/privacy/
  • Except Telephony source: http://flic.kr/p/4DzMNu
  • Privacy is Freedom source: http://flic.kr/p/5anoq
  • Implementing Privacy OAuth & Token Madness evan@protest.net
  • Creative Commons Photos http://fireeagle.yahoo.net/developer/documentation/oauth_best_practice http://www.flickr.com/photos/stevenh/360015104/ http://www.flickr.com/photos/cdevers/2785041073/ http://www.flickr.com/photos/myklroventine/3355106480/ http://www.flickr.com/photos/itsallaboutmich/498340461/ http://www.flickr.com/photos/charlesfred/100392094/ http://www.flickr.com/photos/purplemattfish/3126383038/ http://www.flickr.com/photos/exlibris/1579580258/ http://www.flickr.com/photos/57231735@N00/212544472/ http://www.flickr.com/photos/maniya/541287799/ http://www.flickr.com/photos/santos/1704875109/ http://www.flickr.com/photos/alphadesigner/354044811/ http://www.flickr.com/photos/roby72/553640207/ http://www.flickr.com/photos/smb_flickr/392254853/ http://www.flickr.com/photos/eatingchips/3345052094 http://www.flickr.com/photos/koluso/2808523989/ http://www.flickr.com/photos/lwr/60496147/ http://www.flickr.com/photos/razowsky/2630970947/ http://www.flickr.com/photos/crazyneighborlady/355232758/ http://www.flickr.com/photos/mwichary/2648035941/ http://www.flickr.com/photos/zanotti/304312092/