Successfully reported this slideshow.
Your SlideShare is downloading. ×

2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
JaverosdeColombia2018
#RESTSecurity @CesarHgt @tomitribe
Deconstruyendo y
evolucionando la seguridad
en servicios REST
Cés...
#RESTSecurity @CesarHgt @tomitribe
JaverosdeColombia2018
César Hernández
• Senior Software Engineer at Tomitribe
• Java Ch...
#RESTSecurity @CesarHgt @tomitribe
JaverosdeColombia2018
“The nice thing about standards is
you have so many to choose fro...

YouTube videos are no longer supported on SlideShare

View original on YouTube

Check these out next

1 of 105 Ad

2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest

Download to read offline

La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.

La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.

Advertisement
Advertisement

More Related Content

Slideshows for you (20)

Similar to 2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest (20)

Advertisement

More from César Hernández (20)

Recently uploaded (20)

Advertisement

2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest

  1. 1. JaverosdeColombia2018 #RESTSecurity @CesarHgt @tomitribe Deconstruyendo y evolucionando la seguridad en servicios REST César Hernández Tomitribe
  2. 2. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 César Hernández • Senior Software Engineer at Tomitribe • Java Champion • Duke’s Choice Award 2016 y 2017 • Oracle Certified Professional • +10 experience with Java EE • Open Source advocate, teacher and public speaker
  3. 3. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “The nice thing about standards is you have so many to choose from.” - Andrew S. Tanenbaum
  4. 4. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Áreas de Enfoque • Más allá de Basic Auth • Teoría de OAuth 2.0 • Introducción a JWT • Google/Facebook style API security • Arquitectura Stateless versus Stateful • HTTP Signatures • Amazon EC2 style API security
  5. 5. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Línea Base 1000 usuarios x 3 TPS 4 saltos 3000 TPS frontend 12000 TPS backend
  6. 6. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Basic Auth (y sus problemas)
  7. 7. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Mensaje en Basic Auth POST /painter/color/object HTTP/1.1 Host: localhost:8443 Authorization: Basic c25vb3B5OnBhc3M= User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"b":255,"g":0,"name":"blue","r":0}}
  8. 8. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 (no auth) (LDAP) 12000 TPS (HTTP) 3000 TPS
  9. 9. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 username+password Base64 15000 TPS (LDAP) Password Sent 12000 TPS (HTTP)
  10. 10. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 IP whitelisting 3000 TPS (LDAP) 12000 TPS (HTTP)
  11. 11. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Dame toda la información del salario de José.” “No se quien eres, … pero por supuesto!”
  12. 12. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Ataque desde Latveria
  13. 13. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Ataque de fuerza bruta: Basic Auth Password válidos 3000 TPS (HTTP+SSL) IP whitelisting 9000 TPS (LDAP) 12000 TPS (HTTP) Passwords inválidos 6000 TPS (HTTP+SSL)
  14. 14. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 (y sus problemas)
  15. 15. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  16. 16. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  17. 17. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  18. 18. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  19. 19. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Password Grant (LDAP) (Token Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", } Verificación de Password Generación de Token
  20. 20. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Password Grant (LDAP) (Token Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verificación de Password Generación de Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", }
  21. 21. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/object HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":0,"b":255,"name":"blue"}}
  22. 22. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  23. 23. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  24. 24. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  25. 25. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/stroke HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":255,"g":200,"b":255,"name":"orange"}}
  26. 26. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 401
  27. 27. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Refresh Grant (LDAP) (Token Store) Verify Password Generate Token POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"6Fe4jd7TmdE5yW2q0y6W2w", "expires_in":3600, "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e", }
  28. 28. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Refresh Grant (LDAP) (Token Store) Verify Password Generate Token POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"6Fe4jd7TmdE5yW2q0y6W2w", "expires_in":3600, "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e", }
  29. 29. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Old pair • Access Token 2YotnFZFEjr1zCsicMWpAA • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA New pair • Access Token 6Fe4jd7TmdE5yW2q0y6W2w • Refresh Token hyT5rw1QNh5Ttg2hdtR54e
  30. 30. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  31. 31. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  32. 32. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  33. 33. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 ¿Qué hemos logrado?
  34. 34. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Ahora tenemos más passwords (al menos tus dispositivos los tienen)
  35. 35. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Terminología de nuevo… • Password Grant??? • Logging in • Token? • Un password ligeramente ofuscado • Equivalente a un HTTP session ID mejorado levemente
  36. 36. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 Request enviados (Authorization: Bearer …) 3000 TPS (HTTP+SSL) 3000 TPS (Verificaciones de tokens) Password enviados (post oauth2/token …) 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 4 saldos 12000 TPS backend
  37. 37. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  38. 38. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Quién es 6Fe4jd7TmdE5y W2q0y6W2w ???????” “No tengo idea. Pregúntale al servidor de tokens.”
  39. 39. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) 3000 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 12000 TPS (token checks) 8 hops 24000 TPS backend
  40. 40. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 3000 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 12000 TPS (token checks) 8 hops 24000 TPS backend 55% of all traffic
  41. 41. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 0 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 0 TPS (token checks) 0 hops 0 TPS backend
  42. 42. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 Pointer Pointer State
  43. 43. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Access Token Access Pointer? Access Primary Key?
  44. 44. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 High Frequency Password Exchange Algorithm?
  45. 45. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Hashing, Signing Symmetric and Asymmetric
  46. 46. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Hashing Data Tiene como entrada un conjunto de elementos, que suelen ser cadenas, y los convierte en un rango de salida finito, normalmente cadenas de longitud fija.
  47. 47. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 More Bits the Better digests (hash values)
  48. 48. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 99 Bottles of Beer mingus:~/bar 04:16:42 $ hashes all /tmp/party-time.txt XxHash32 9237490d XxHash64 81c4196cc7a01049 MD5 963462e4849e7c266df928b44b004190 SHA-1 b3be8c8879b31e7af4067f2769e4df37e6dd7690 SHA-256 0ef285da8792e1b78825f14ffc485a3843c66c4f481411978d0b4612be963383 SHA-512 376a589fd4b7f070119a8193e6d922df05d2f200c96927351bef66b688bffcca 3e990aa2f720494e95967bcbbfc804e86ec2eefea2f820e9a1aa2f3da5146fe7
  49. 49. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 99 Bottles of Water? mingus:~/home 04:27:14 $ hashes all /tmp/party-time.txt #modified XxHash32 2045608c XxHash64 774507c9e384ea35 MD5 662028bba25e1e398ff8538cae9cd7c6 SHA-1 e11c127c072e09119fd7b3f35bc7ce1fd52b9b7a SHA-256 671d8e4af11d7ee65c1d51ab29303a1afc7439402c2eb61505cfb5c698ff419c SHA-512 fe0674683808e37bcad624d98426977c0936c15280922b2057efc33e4ca28127 8ea852d5450181fae726807e9c6e5e36a6823e7750948df89c6095ddbdaa4816
  50. 50. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Protegiendo el Hash HMAC (Symmetric) RSA (Asymmetric) (public key)
  51. 51. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Asymmetric key: https://youtu.be/E5FEqGYLL0o
  52. 52. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 + JSon Web Tokens (JWT)
  53. 53. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 JSon Web Token • Pronunciado “YOT” • JSON map con data de usuario • Base64 URL Encoded • Digitally Signed (RSA-SHA256, HMAC-SHA512, etc) • Mecanismo de expiración
  54. 54. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Previamente un Access Token • 6Fe4jd7TmdE5yW2q0y6W2w
  55. 55. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Access Token ahora (JWT) • eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi 10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb m9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRw czovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiI sInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaW VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8 DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0 98ocefuv08TdzRxqYoEqYNo
  56. 56. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Access Token Now • header (JSON > Base64 URL Encoded) • Describe como la firma (signature) del token puede ser verificada • payload (JSON > Base64 URL Encoded) • Json map de información que desees incluir • Campo estándar como el de Expiración • signature (Binary > Base64 URL Encoded) • La firma digital • Hecha exclusivamente por el endpoint: /oauth2/token
  57. 57. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 • { "alg": “RS256", "typ": “JWT" } • { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": [ “twitter”, "mans-best-friend" ], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } • DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv 0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzl LJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  58. 58. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  59. 59. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  60. 60. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Ligero pero con alto impacto en la arquitectura
  61. 61. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 ¿Qué tenemos hasta el momento? (repaso)
  62. 62. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Data completa del usuario desde ldap
  63. 63. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Generación de Access Token (pointer)
  64. 64. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Ambos se insertan en la BD
  65. 65. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Envío del Access Token (pointer) hacia el cliente
  66. 66. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Resultado final cliente permanece con el Pointer Server almacena State
  67. 67. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 ¿Qué podemos hacer ahora? (Hello JWT!)
  68. 68. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Data completa del usuario desde ldap
  69. 69. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) La data se representa en JSON
  70. 70. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) JSON es firmado RSA-SHA 256
  71. 71. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Se inserta solamente el pointer en la DB (para revocaciones)
  72. 72. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Envío del Access Token (estado) hacia el cliente
  73. 73. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Cliente permanece con State Server almacena el Pointer Resultado obtenido
  74. 74. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  75. 75. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Password Grant (LDAP) (Token ID Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verifica Password Genera Token Firmado (Signed)
  76. 76. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Password Grant (LDAP) (Token ID Store) Verify Password Generate Signed Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9. eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0 LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ 9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8 OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh VDaiqmhct098ocefuv08TdzRxqYoEqYNo", "expires_in":3600, "refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X. eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M iOiJodHRwczovL", }
  77. 77. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Mensaje OAuth 2.0 con JWT POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl 6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo User-Agent: curl/7.43.0
 Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  78. 78. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 + JWT Tokens enviados 3000 TPS (HTTP+SSL) 0.55 TPS (Verificaciones refresh token) OAuth 2 (LDAP) 4 saltos 12000 TPS backend 3000 TPS (signature verification) 12000 TPS (signature verification) Password enviados (post oauth2/token …) 1000/daily (HTTP+SSL)
  79. 79. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “No!” “Dame toda la información del salario de José.”
  80. 80. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Claro!” “Dame toda la información del salario de José.”
  81. 81. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 + JWT Valid Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 0.55 TPS (refresh token checks) Password Sent 1000/daily (HTTP+SSL) (LDAP) 4 hops 12000 TPS backend 9000 TPS (signature verification) 12000 TPS (signature verification) Invalid Tokens Sent 6000 TPS (HTTP+SSL)
  82. 82. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 https://connect2id.com/products/nimbus-jose-jwt Librería JWT https://github.com/jwtk/jjwt https://github.com/auth0/java-jwt
  83. 83. Demo #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  84. 84. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 HTTP Signatures (Amazon EC2 style API Security)
  85. 85. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 HTTP Signatures • Ningún “secreto” toca el cable • El firmar el mensaje completo • Provee identidad • Previene el compromiso o alteración del mensaje • Soporta firmas Symmetric or Asymmetric • IETF Draft • https://tools.ietf.org/html/draft-cavage-http-signatures • Extremadamente simple • No eliminate el beneficio del JWT
  86. 86. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Signature Message POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Authorization: Signature keyId=“El-Nombre-De-Mi-Llave”, algorithm="hmac-sha256", headers="content-length host date (request-target)”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
 Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  87. 87. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Signature closeup Signature keyId=“my-key-name", algorithm="hmac-sha256", headers="content-length host date (request-target)”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
  88. 88. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Signature Auth Passwords enviados 0 TPS (HTTP) Signature (no auth) 3000 TPS (LDAP o Keystore) 12000 TPS (HTTP)
  89. 89. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Signature Auth Signature Signature 3000 TPS (LDAP o Keystore) 12000 TPS (HTTP) Passwords enviados 0 TPS (HTTP)
  90. 90. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Hola, Larry! Claro!” Issue Returns (bad) “Dame toda la información del salario de José.”
  91. 91. Demo #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018
  92. 92. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2.0 Con prueba de posesión (JWT + HTTP Signatures)
  93. 93. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Key Value Información de Identidad (JWT) Key ID Prueba de identidad (HTTP Signature)
  94. 94. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 { "alg": “RS256", "typ": “JWT" } { "token-type": "access-token", "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter”, "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo Access Token
  95. 95. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 { "alg": “RS256", "typ": “JWT" } { "token-type": "pop", "cnf":{ "kid": "green-1234" } "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter”, "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo Access Token
  96. 96. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Password Grant (LDAP) (Token ID Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verifica Password Generate Signed Token Genera HMAC Key (Key Store)
  97. 97. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 - Password Grant (LDAP) (Token ID Store) Verifica Password Genera Signed Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc 3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6M TMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2", "token_type":"pop", "expires_in":3600, "refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc 3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5 jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M", "key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ 2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1 MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlS ci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5W WFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZ PeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd 2ZzIiwiYWxnIjoiSFMyNTYifQ" } Genera HMAC Key (Key Store)
  98. 98. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 JSON Web Key (encoded) eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2Ut eXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1M FdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZ WlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQ RVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53N XhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2Nid kRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
  99. 99. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 JSON Web Key (decoded) { "kty": "oct", "use": "sig", "kid": "orange-1234", "k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKW THlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xs s8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39c wfs", "alg": "HS256" }
  100. 100. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Signed OAuth 2.0 Message POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Authorization: Signature keyId=“orange-1234", algorithm="hmac-sha256", headers="content-length host date (request-target)”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5h bWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29t L2 9hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdY O1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaEl xc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
 Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  101. 101. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth 2 + JWT + Tokens Sent 3000 TPS (HTTP+SSL) 0.55 TPS (refresh token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 4 hops 12000 TPS backend 3000 TPS (signature verification) 12000 TPS (signature verification)
  102. 102. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution Specification Reference
  103. 103. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Observations • HTTP Signatures the only HTTP friendly approach • Signatures does not solve the “Identity Load” problem • OAuth 2 with JWT significantly improves IDP load • Plain OAuth 2 • HTTP Session-like implications • OAuth 2 with JWT • Signed cookie • Signing key to the future
  104. 104. Gracias Diapositivas y Gateway Sign-up https://tribestream.io/join-tag-guatemala-jug/ #RESTSecurity Javeros de Colombia

×