Securing APIs

Transcript

  • 1. Prabath Siriwardena, Senior Architect & Chair, Integration MC; Johann Nallathamby, Software Engineer, Integration MC
  • 2. AWS Signature - 1
    • Split the query string based on & and = characters into a series of key-value pairs.
    • Sort the pairs based on the keys.
    • Append the keys and values together, in order, to construct one big string (key1 + value1 + key2 + value2 + ...).
    • Sign that string using HMAC-SHA1 and your secret access key.
  • 3. AWS Signature - 2
    • You include additional components of the request in the string to sign.
    • You include the query string control parameters (the equals signs and ampersands) in the string to sign.
    • You sort the query string parameters using byte ordering.
    • You URL encode the query string parameters and their values before signing the request.
    • You can use HMAC-SHA256 when you sign the request (we prefer HMAC-SHA256, but we still support HMAC-SHA1).
    • You must set the SignatureMethod request parameter to either HmacSHA256 or HmacSHA1 to indicate which signing method you're using.
    • You must set the SignatureVersion request parameter to 2.
  • 4. http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
  • 5. http://blog.programmableweb.com/2010/08/16/twitter-basic-auth-will-truly-disappear-august-30/
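The two signing schemes from slides 2 and 3, side by side, as an added example that is not part of the deck or of any AWS SDK. The security point the slides list but do not spell out: because Version 1 concatenates keys and values with no delimiters, two different parameter sets can produce the same string-to-sign and therefore the same signature, which is why Version 2 keeps the '=' and '&' in the signed string, percent-encodes every key and value, sorts by bytes, and binds the method, host and path. The access key pair is the documented AWS placeholder pair, REQUEST_A and REQUEST_B are constructed, and sign_request_v2 / verify_request_v2 are my own helper names.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed example credentials (the documented AWS placeholder pair), not real keys.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def v1_string_to_sign(params):
    """Signature Version 1: sort by key, then concatenate key+value with no delimiters."""
    return "".join(k + v for k, v in sorted(params.items()))


def v1_signature(params, secret=SECRET_KEY):
    msg = v1_string_to_sign(params).encode("utf-8")
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode("ascii")


def aws_percent_encode(value):
    """V2 URL-encodes with RFC 3986 rules: only A-Z a-z 0-9 - _ . ~ stay literal, space is %20."""
    return quote(value, safe="-_.~")


def v2_canonical_query(params):
    """Sort by the UTF-8 bytes of the key and keep the '=' and '&' in the signed string."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].encode("utf-8"))
    return "&".join(aws_percent_encode(k) + "=" + aws_percent_encode(v) for k, v in ordered)


def v2_string_to_sign(method, host, path, params):
    """V2 also binds the HTTP method, lower-cased host and path into the signed string."""
    return "\n".join([method.upper(), host.lower(), path, v2_canonical_query(params)])


def v2_signature(method, host, path, params, secret=SECRET_KEY):
    msg = v2_string_to_sign(method, host, path, params).encode("utf-8")
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode("ascii")


def sign_request_v2(method, host, path, params, access_key_id=ACCESS_KEY_ID, secret=SECRET_KEY):
    """Client side: add the V2 control parameters, sign, and return the full query parameter set."""
    signed = dict(params, AWSAccessKeyId=access_key_id,
                  SignatureVersion="2", SignatureMethod="HmacSHA256")
    signed["Signature"] = v2_signature(method, host, path, signed, secret)
    return signed


def verify_request_v2(method, host, path, received, secrets_by_key_id):
    """Server side: look up the key, recompute over everything but 'Signature', compare in constant time."""
    secret = secrets_by_key_id.get(received.get("AWSAccessKeyId"))
    if secret is None or received.get("SignatureVersion") != "2" \
            or received.get("SignatureMethod") != "HmacSHA256":
        return False
    unsigned = {k: v for k, v in received.items() if k != "Signature"}
    expected = v2_signature(method, host, path, unsigned, secret)
    return hmac.compare_digest(expected, received.get("Signature", ""))


# Constructed requests: the parameter boundaries differ, but V1 produces one and the same string.
REQUEST_A = {"Action": "CreateUser", "UserName": "bob"}
REQUEST_B = {"Action": "CreateUser", "UserName": "b", "ob": ""}

if __name__ == "__main__":
    print("V1 A:", v1_string_to_sign(REQUEST_A), v1_signature(REQUEST_A))
    print("V1 B:", v1_string_to_sign(REQUEST_B), v1_signature(REQUEST_B))
    print("V2 A:", v2_canonical_query(REQUEST_A))
    print("V2 B:", v2_canonical_query(REQUEST_B))
    signed = sign_request_v2("GET", "iam.amazonaws.com", "/", REQUEST_A)
    print("V2 verifies:", verify_request_v2("GET", "iam.amazonaws.com", "/",
                                            signed, {ACCESS_KEY_ID: SECRET_KEY}))
```

A V1 signature captured for REQUEST_A validates REQUEST_B unchanged, because both reduce to "ActionCreateUserUserNamebob"; under V2 the canonical queries "Action=CreateUser&UserName=bob" and "Action=CreateUser&UserName=b&ob=" differ, and the verifier also rejects the same parameters sent with another method or under another access key id.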
  • 6. Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
  • 7. Servers are required to support password authentication, despite the security weaknesses created by passwords.
  • 8. Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
  • 9. Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
  • 10. Compromise of any third-party application results in compromise of the end user's password and all of the data protected by that password.
  • 11. http://www.flickr.com/services/api/misc.userauth.html
  • 12. http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
  • 13. http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
  • 14. Problems with OAuth 1.0:
    • Complexity in validating and generating signatures.
    • No clear separation between Resource Server and Authorization Server.
    • Browser-based redirections.
  • 15. BasicAuth / OAuth Handshake
  • 16. BasicAuth / OAuth Handshake
  • 17. Runtime
  • 18. Bearer / MAC (Runtime)
  • 19. Bearer: any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
  • 20. Request with Bearer
        GET /resource/1 HTTP/1.1
        Host: example.com
        Authorization: Bearer access_token_value
    http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
  • 21. MAC: HTTP MAC access authentication scheme
  • 22. Request with MAC
        GET /resource/1 HTTP/1.1
        Host: example.com
        Authorization: MAC id="h480djs93hd8",
                           ts="1336363200",
                           nonce="274312:dj83hs9s",
                           mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
    http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
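Both runtime schemes from slides 19 to 22 in working code, as an added example that is not part of the deck or of the IETF drafts. A bearer check is a constant-time string comparison, so a captured header is good for any request until the token expires; a MAC check recomputes an HMAC over a normalized request string that binds the timestamp, nonce, method, URI and host, so the same captured header is rejected when replayed and when moved to another resource. The normalized-string layout (ts, nonce, method, request-URI, lower-cased host, port, ext, each followed by a newline) is my reading of draft-ietf-oauth-v2-http-mac-01 section 3.3.1; HMAC-SHA1 is used because the 28-character mac on the slide is a SHA-1 digest. MAC_KEY, the 300-second freshness window, the key id reuse and the MacVerifier class are assumptions, so the mac value computed here is not the one on the slide.

```python
import base64
import hashlib
import hmac
import re

# Constructed shared secret; the key id is the one on the slide, the key is not.
MAC_KEY_ID = "h480djs93hd8"
MAC_KEY = b"constructed-mac-key-for-this-example-only"
BEARER_TOKEN = "access_token_value"  # placeholder from slide 20


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Elements in draft order, each terminated by a newline (my reading of draft-01 3.3.1)."""
    parts = (str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext)
    return "".join(part + "\n" for part in parts)


def compute_mac(key, ts, nonce, method, request_uri, host, port, ext=""):
    msg = normalized_request_string(ts, nonce, method, request_uri, host, port, ext).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def mac_authorization_header(key_id, key, ts, nonce, method, request_uri, host, port, ext=""):
    """Client side: build the Authorization header for one request."""
    mac = compute_mac(key, ts, nonce, method, request_uri, host, port, ext)
    fields = [("id", key_id), ("ts", str(ts)), ("nonce", nonce)]
    if ext:
        fields.append(("ext", ext))
    fields.append(("mac", mac))
    return "MAC " + ", ".join(f'{k}="{v}"' for k, v in fields)


_ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_mac_header(header):
    scheme, _, rest = header.partition(" ")
    return dict(_ATTR.findall(rest)) if scheme == "MAC" else None


def verify_bearer(header, valid_tokens):
    """Bearer: possession of the string is the whole proof."""
    scheme, _, token = header.partition(" ")
    return scheme == "Bearer" and any(hmac.compare_digest(token, t) for t in valid_tokens)


class MacVerifier:
    """Server side: key lookup, freshness window, HMAC check, then nonce replay check."""

    def __init__(self, keys_by_id, window=300):
        self.keys_by_id = keys_by_id
        self.window = window          # assumed +/- 300 s clock skew tolerance
        self.seen = set()             # (id, ts, nonce) of accepted requests

    def verify(self, header, method, request_uri, host, port, now):
        attrs = parse_mac_header(header)
        if not attrs or not {"id", "ts", "nonce", "mac"}.issubset(attrs):
            return False
        key = self.keys_by_id.get(attrs["id"])
        if key is None or not attrs["ts"].isdigit():
            return False
        ts = int(attrs["ts"])
        if abs(now - ts) > self.window:
            return False
        expected = compute_mac(key, ts, attrs["nonce"], method, request_uri, host, port,
                               attrs.get("ext", ""))
        if not hmac.compare_digest(expected, attrs["mac"]):
            return False
        # Only record the nonce after the MAC checks out, so forgeries cannot poison the set.
        replay_key = (attrs["id"], ts, attrs["nonce"])
        if replay_key in self.seen:
            return False
        self.seen.add(replay_key)
        return True


if __name__ == "__main__":
    ts, nonce = 1336363200, "274312:dj83hs9s"
    hdr = mac_authorization_header(MAC_KEY_ID, MAC_KEY, ts, nonce, "GET", "/resource/1", "example.com", 80)
    print(hdr)
    server = MacVerifier({MAC_KEY_ID: MAC_KEY})
    print("captured bearer reused on /resource/2:", verify_bearer("Bearer " + BEARER_TOKEN, [BEARER_TOKEN]))
    print("MAC header moved to /resource/2:", server.verify(hdr, "GET", "/resource/2", "example.com", 80, now=ts))
    print("MAC header, original request:", server.verify(hdr, "GET", "/resource/1", "example.com", 80, now=ts))
    print("MAC header replayed:", server.verify(hdr, "GET", "/resource/1", "example.com", 80, now=ts))
```

The freshness window bounds how long the nonce set has to be retained; a production verifier would expire entries older than the window and share the set across resource-server instances, otherwise a replay against a second node succeeds.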