Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cqcon2015

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to comment

Cqcon2015

  1. 1. So, you wanna crypto (in AEM) Damien Antipa (@visiongeist) Antonio Sanso (@asanso) Adobe Research Switzerland
  2. 2. Who are these guys BTW Damien Antipa Senior UX Engineer Adobe Research Switzerland
  3. 3. Who are these guys BTW Antonio Sanso Software Engineer Adobe Research Switzerland Committer and PMC Member for Apache Sling VP (Chair) for Apache Oltu (OAuth Protocol Implementation in Java) Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll
  4. 4. What is Cryptography? DISCLAIMER – I am not a cryptographer Cryptography is the art of protecting information
  5. 5. Confidentiality vs Integrity Encryption Sign/Validate Integrity Protection
  6. 6. Encryption Plaintext: hello Ciphertext: ΠΞιιΘ AES 3DES RSA
  7. 7. Integrity protection HMAC RSA DSA Plaintext: hello Plaintext: hello
  8. 8. Cryptography in AEM
  9. 9. Why not DIY #1? I need to encrypt
  10. 10. Why not DIY #2? Plaintext: hello Ciphertext: ΠΞιιΘ AES ECB AES ECB
  11. 11. Encryption is NOT Authentication ★
  12. 12. Encrypt Than MAC
  13. 13. AEM Use Case: Encapsulate Token
  14. 14. Encapsulated Token Sticky session
  15. 15. JSON Web Token eyJhbGciOiJIUzI1NiIs InR5cCI6IkpXVCJ9. eyJpc3MiOiJhZW0iLC JzdWIiOiJhc2Fuc28iL CJleHAiOjE0MzUwNj g3MTEsImlhdCI6MT QzNTA2NTExMX0. MaGUiPg07ezuP9yA OaVLETQH6HMOpfo Gwg_c0-PDw {"alg":"HS256","typ":"JWT"}Header Claims {"iss":"aem","sub":"asanso","exp":14350 11,"iat":1435065111} Signature HMAC ★
  16. 16. Encapsulated Token JWT {…,"sub":"asanso","exp":1435068711,"iat":1435065111, …} ★ /etc/key/hmac
  17. 17. AEM Use Case: CSRF Protection
  18. 18. Problem - CSRF CSRF = Cross site request forgery OWASP TOP 10
  19. 19. CSRF – How does the attack work? POST http://bank.com/transfer.do HTTP/1.1 acct=BOB&amount=100 The Attack (Mallory Page) <form action="http://bank.com/transfer.do" method="POST"> <input type="hidden" name="acct" value=”ANTONIO"/> <input type="hidden" name=amount" value="100000"/> <input type="submit" value=”Show pictures"/> </form> Browsers make requests (with cookies) to any other origin
  20. 20. CSRF – AEM <= 6.0 Protection Apache Sling Referrer Filter White list of allowed referrer for POST/PUT/DELETE operations Q. IS IT SAFE ? A. YES
  21. 21. CSRF – AEM <= 6.0 Protection HTTP HTTP Referer HTTPS HTTPS Referer HTTP HTTPS Referer HTTPS HTTP <html> <script> function load() { var postdata = '<form id=dynForm method=POST action='http://bank.com/transfer.do'>' + '<input type=hidden name=acct value=ANTONIO />' + '<input type=hidden name=amount value=100000 />' + '</form>'; top.frames[0].document.body.innerHTML=postdata; top.frames[0].document.getElementById('dynForm').submit(); } </script> <body onload="load()"> <iframe src="about:blank" id="noreferer"></iframe> </body> </html>
  22. 22. CSRF – Token (Classic solution) - Include a hidden form field <form action="http://bank.com/transfer.do" method="POST"> ... <input type="hidden" name="csrfToken" value=“ewqakjdsa”/> </form> - Store the token server side in a database - Check if the token match - Not cachable ! - Not scalable !
  23. 23. Goals of the CSRF implementation ★ - Easy to use - Transparent to application code - No dependencies - Auto refresh - Available on author and publish - No leakage to other domain - Browser support - IE8+ - Scalable and Cacheable - No sticky sessions - No HTTP Sessions
  24. 24. How to use it in a project If you are building an admin UI based on Granite, you need to do: NOTHING - we include it for you If you are building an independent or public facing login, you to: you need to add granite.csrf.standalone client library In both scenarios your Javascript code does NOT need to do anything or be aware of the CSRF token.
  25. 25. Ensure Integrity and Caching - Use JSON Web Token - Sign using system HMAC key - Validate the token using standard JWT validation - Short expiration time - Asynchronous update http://localhost:4502/libs/granite/csrf/token.json
  26. 26. Covered Communication - HTML forms. Make sure the synchronous POST includes the TOKEN - Make sure all non-GET AJAX calls include the token - “Asynchronous” file upload for legacy IE. Make sure that form submissions to dynamically created iFrames include the TOKEN.
  27. 27. MONKEY PATCH EVERYTHING
  28. 28. XMLHttpRequest.prototype.send = function(method) { this.setRequestHeader('CSRF-Token', globalToken); send.apply(this, arguments); };
  29. 29. function handleForm(ev) { var form = ev.target; if (form.nodeName.toLowerCase() === 'form') { input = document.createElement('input'); input.setAttribute('type', 'hidden'); input.setAttribute('name', 'CSRF-Token'); input.setAttribute('value', globalToken); form.appendChild(input); } } document.addEventListener( 'submit', handleForm, true /* capture phase */);
  30. 30. https://docs.adobe.com/docs/en/aem/6- 0/develop/ref/javadoc/com/adobe/granite/crypto/CryptoSupport.html https://docs.adobe.com/docs/en/aem/6- 0/develop/ref/javadoc/com/adobe/granite/oauth/jwt/package- summary.html Documentation Questions? Damien Antipa, Senior UX Engineer Twitter: @visiongeist Antonio Sanso, Software Engineer Twitter: @asanso

    Be the first to comment

    Login to see the comments

  • modyyash

    Jul. 15, 2015
  • jrpritchard

    Feb. 8, 2017
  • alessioma

    Nov. 29, 2017

Views

Total views

3,086

On Slideshare

0

From embeds

0

Number of embeds

60

Actions

Downloads

27

Shares

0

Comments

0

Likes

3

×