2018 JavaLand Deconstructing and Evolving REST Security


The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach is explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."

As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.


  1. Deconstructing REST Security. David Blevins, Tomitribe. JavaLand #RESTSecurity @dblevins @tomitribe tribestream.io/javaland2018
  2. "The nice thing about standards is you have so many to choose from." - Andrew S. Tanenbaum
  3. Focus Areas • Beyond Basic Auth • Theory of OAuth 2.0 • Introduction of JWT • Google/Facebook style API security • Stateless vs Stateful Architecture • HTTP Signatures • Amazon EC2 style API security
  4. Baseline: 1000 users x 3 TPS; 4 hops; 3000 TPS frontend; 12000 TPS backend
  5. Basic Auth (and its problems)
  6. Basic Auth Message
  POST /painter/color/object HTTP/1.1
  Host: localhost:8443
  Authorization: Basic c25vb3B5OnBhc3M=
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 45

  {"color":{"b":255,"g":0,"name":"blue","r":0}}
  7. Basic Auth (diagram): username+password, Base64-encoded, sent on every call; 3000 TPS (HTTP+SSL) at the front end and 3000 TPS of password checks against LDAP; 12000 TPS (HTTP) between back-end services with no auth at all
  8. Basic Auth (diagram): the password is forwarded on the 12000 TPS of back-end calls and re-checked at every hop; 15000 TPS against LDAP
  9. Basic Auth (diagram): back-end calls protected by IP whitelisting instead; 3000 TPS against LDAP, 12000 TPS (HTTP) back end
  10. "Hey, give me all of Joe's salary information." "I don't know who you are, ... but sure!"
  11. Latveria Attacks
  12. Basic Auth - Attacks (diagram): 3000 TPS of valid passwords plus 6000 TPS of invalid passwords (HTTP+SSL) means 9000 TPS against LDAP, because every failed attempt still costs a password check; back end IP-whitelisted, 12000 TPS (HTTP)
  13. OAuth 2.0 (and its problems)
  14. (diagram only)
  15. (diagram only)
  16. (diagram only)
  17. (diagram only)
  18. OAuth 2 - Password Grant (diagram: LDAP and token store; verify password, generate token)
  POST /oauth2/token HTTP/1.1
  Host: api.superbiz.io
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 54

  grant_type=password&username=snoopy&password=woodstock

  HTTP/1.1 200 OK
  Content-Type: application/json;charset=UTF-8
  Cache-Control: no-store
  Pragma: no-cache

  {
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"Bearer",
    "expires_in":3600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
  }
  19. OAuth 2.0 Message
  POST /painter/color/object HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 45

  {"color":{"r":0,"g":0,"b":255,"name":"blue"}}
  20. OAuth 2.0 Message
  POST /painter/color/palette HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 46

  {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  21. OAuth 2.0 Message
  POST /painter/color/select HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 44

  {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  22. OAuth 2.0 Message
  POST /painter/color/fill HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 49

  {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  23. OAuth 2.0 Message
  POST /painter/color/stroke HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 51

  {"color":{"r":255,"g":200,"b":255,"name":"orange"}}
  24. 401 (the access token has expired)
  25. OAuth 2 - Refresh Grant (diagram: LDAP and token store; the server validates the refresh token and generates a new token pair)
  POST /oauth2/token HTTP/1.1
  Host: api.superbiz.io
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 61

  grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

  HTTP/1.1 200 OK
  Content-Type: application/json;charset=UTF-8
  Cache-Control: no-store
  Pragma: no-cache

  {
    "access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
    "token_type":"Bearer",
    "expires_in":3600,
    "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e"
  }
  26. Old pair • Access Token 2YotnFZFEjr1zCsicMWpAA • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA. New pair • Access Token 6Fe4jd7TmdE5yW2q0y6W2w • Refresh Token hyT5rw1QNh5Ttg2hdtR54e
  27. OAuth 2.0 Message
  POST /painter/color/palette HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 46

  {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  28. OAuth 2.0 Message
  POST /painter/color/select HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 44

  {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  29. OAuth 2.0 Message
  POST /painter/color/fill HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 49

  {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  30. What have we achieved?
  31. You have more passwords (at least your devices do)
  32. Term Alert • Password Grant??? = logging in • Token? = a slightly less crappy password, or an equally crappy HTTP Session ID
  33. OAuth 2 (diagram): tokens sent 3000 TPS (HTTP+SSL), which is 3000 TPS of token checks against the token store; passwords are now sent only 1000/day (HTTP+SSL) to the OAuth 2 endpoint (LDAP); back end IP-whitelisted, 4 hops, 12000 TPS
  34. (diagram only)
  35. "Who the heck is 6Fe4jd7TmdE5yW2q0y6W2w???????" "No idea, dude. Ask the token server."
  36. OAuth 2 (diagram): once every back-end hop also checks the token, 12000 TPS of token checks are added to the 3000 TPS at the front end; 8 hops, 24000 TPS back end
  37. OAuth 2 (diagram): the same picture; token checks are now 55% of all traffic
  38. OAuth 2 (diagram): tokens sent 3000 TPS (HTTP+SSL); 0 TPS of token checks; passwords 1000/day; 0 hops; 0 TPS back end
  39. OAuth 2 (diagram): Pointer, Pointer, State
  40. Access Token? Access Pointer? Access Primary Key?
  41. OAuth 2.0: High Frequency Password Exchange Algorithm?
  42. Problem: how to detect if a file's contents have changed?
  43. Hashing and Signing: Symmetric and Asymmetric
  44. Hashing Data
  45. 256 bits of hash output shown as binary: 01010000010001000011011011101000110101001001100001010011110000 00111010101111111111111111000101111101001110111000100010000000000 111111101011100001001100100000101011111001101111111100111011000011 111011001101100100000101011110011001100001011011110101110110001
  46. (the same 256 bits, repeated)
  47. More Bits the Better
  48. Hashing Data (diagram, animated over slides 48 to 51)
  52. Eagles beat Patriots 41 to 33
  53. Eagles beat Patriots 41 to 33 (same message, same hash)
  54. Eagles beat Patriots 41 to 34 (one character changed, a completely different hash)
  55. Protecting the Hash: HMAC (Symmetric) with the shared secret abc123 on both sides; RSA (Asymmetric) with a private key that signs and a public key that verifies
  56. HMAC (Symmetric): both sides can read and write; a shared and equal relationship
  57. RSA (Asymmetric): one side writes, the others only read; one side has more authority (* the reverse is possible)
  58. Encoding a Hash or Signature
  Binary (256 bits) 0010100011010111110000011011000100101000110011100111010010001000 0100011011011010000000100011110100111111010100011000100011010001 1101101001010101111100010011111110100000001001100010000000010111 0000000000100101000010110011000100001001011011010111101111101101
  Hex 8af5c1468a399708b12d205e7ec588c52dd547fe0232027400526846485bef5b
  Base64 (URL-safe alphabet, no padding) ivXBRoo5lwixLSBefsWIxS3VR_4CMgJ0AFJoRkhb71s
  Base85 MY4eTME."/Yq7))I`7,^/_*Aj!sh!!)dK"86bOe~
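The hash-then-protect argument of slides 42 to 58, as an added example (not the deck's code, written in Python for this page): a bare SHA-256 fingerprint detects an accidental change but not a deliberate one, because whoever rewrites the message can rewrite the hash too, while an HMAC over the same bytes cannot be recomputed without the shared key. The key abc123 is the deck's placeholder from slide 55, and the Eagles/Patriots message and the tampering step are constructed for the example; the hex and base64url values are copied from slide 58 so the encoding function can be checked against them.

```python
import base64
import hashlib
import hmac

# Values copied from slide 58 so the encodings can be checked against the deck.
DECK_HEX = "8af5c1468a399708b12d205e7ec588c52dd547fe0232027400526846485bef5b"
DECK_BASE64URL = "ivXBRoo5lwixLSBefsWIxS3VR_4CMgJ0AFJoRkhb71s"

# The deck's placeholder shared secret (slide 55). A real key is random and at least 32 bytes.
KEY = b"abc123"
MESSAGE = b"Eagles beat Patriots 41 to 33"   # slide 52


def fingerprint(msg: bytes) -> bytes:
    """Slides 44 to 51: a hash is a fixed-size fingerprint of arbitrary data."""
    return hashlib.sha256(msg).digest()


def tag(key: bytes, msg: bytes) -> bytes:
    """Slides 55 and 56: an HMAC is a hash that cannot be recomputed without the shared key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def accept_by_hash(msg: bytes, fp: bytes) -> bool:
    """Receiver that trusts a bare hash travelling next to the message."""
    return hmac.compare_digest(fingerprint(msg), fp)


def accept_by_hmac(key: bytes, msg: bytes, t: bytes) -> bool:
    """Receiver that recomputes the HMAC with its copy of the key (constant-time compare)."""
    return hmac.compare_digest(tag(key, msg), t)


def attacker_rewrites(msg: bytes, check: bytes, keyed: bool):
    """Slide 54: a man in the middle changes the score. With a bare hash the attacker simply
    recomputes it; with an HMAC the attacker has no key and can only forward the old tag."""
    altered = msg.replace(b"41 to 33", b"41 to 34")
    return altered, (check if keyed else fingerprint(altered))


def encodings(raw: bytes) -> dict:
    """Slide 58: the same 32 bytes as hex, base64url without padding, and base85 (RFC 1924 alphabet)."""
    return {
        "hex": raw.hex(),
        "base64url": base64.urlsafe_b64encode(raw).rstrip(b"=").decode(),
        "base85": base64.b85encode(raw).decode(),
    }
```

The base85 line uses Python's RFC 1924 alphabet, which differs from the one the slide shows, so only the hex and base64url values line up with the deck.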
  59. OAuth 2.0 + JSON Web Tokens (JWT)
  60. JSON Web Token • Pronounced "JOT" • Fancy JSON map • Base64 URL Encoded • Digitally Signed (RSA-SHA256, HMAC-SHA512, etc.) • Built-in expiration
  61. Access Token Previously • 6Fe4jd7TmdE5yW2q0y6W2w
  62. Access Token Now • eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  63. The same token decoded • header: { "alg": "RS256", "typ": "JWT" } • payload: { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": [ "twitter", "mans-best-friend" ], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } • signature: DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  64. Access Token Now • header (JSON > Base64 URL Encoded): describes how the token signature can be checked • payload (JSON > Base64 URL Encoded): basically a map of whatever you want to put in it, plus some standard entries such as expiration • signature (Binary > Base64 URL Encoded): the actual digital signature, made exclusively by the /oauth2/token endpoint; if RSA, it can be checked by anyone holding the public key
  65. Subtle But High Impact Architectural Change
  66. What we had (quick recap)
  67. (diagram) Pull user info from the IDP (LDAP)
  68. (diagram) Generate an access token (pointer)
  69. (diagram) Insert both into the DB
  70. (diagram) Send the access token (pointer) to the client
  71. Results: Client holds pointer, server holds state
  72. What we can do now (Hello JWT!)
  73. (diagram) Pull user info from the IDP (LDAP)
  74. (diagram) Format the data as JSON
  75. (diagram) RSA-SHA256 sign the JSON with the private key
  76. (diagram) Insert only the pointer into the DB (for revocation)
  77. (diagram) Send the access token (state) to the client
  78. Desired Results: Client holds state, server holds pointer
  79. OAuth 2 - Password Grant (diagram: LDAP and token ID store; verify password, generate signed token)
  POST /oauth2/token HTTP/1.1
  Host: api.superbiz.io
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 54

  grant_type=password&username=snoopy&password=woodstock

  HTTP/1.1 200 OK
  Content-Type: application/json;charset=UTF-8
  Cache-Control: no-store
  Pragma: no-cache

  {
    "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo",
    "token_type":"Bearer",
    "expires_in":3600,
    "refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL"
  }
  (the refresh token is truncated on the slide)
  80. OAuth 2.0 Message with JWT
  POST /painter/color/palette HTTP/1.1
  Host: api.superbiz.io
  Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/json
  Content-Length: 46

  {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  81. OAuth 2 + JWT (diagram): tokens sent 3000 TPS (HTTP+SSL) and verified by signature at the gateway (3000 TPS) and at every back-end hop (4 hops, 12000 TPS) using the public key; passwords sent 1000/day (HTTP+SSL) to the OAuth 2 endpoint (LDAP), which signs with the private key; only 0.55 TPS of refresh-token checks still hit the store
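An added example (not the deck's code) of the architectural change in slides 66 to 81: an opaque token is a pointer, so every hop has to ask the token server who it belongs to, while a JWT carries the state itself and is checked locally with a key. HS256 stands in for the deck's RS256 because the Python standard library has no RSA; the trade-off is that with HS256 every verifier holds the signing key, which is the weaker trust model the deck's public-key distribution on slide 83 avoids. The user, the gateway key and the tokens the servers mint are constructed; DECK_ACCESS_TOKEN is the token from slide 62, which is decoded but not verified here.

```python
import base64
import hashlib
import hmac
import json
import secrets

# The access token of slide 62, copied verbatim (RS256; its signature is not checked here).
DECK_ACCESS_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3Mi"
    "OiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0"
    "LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9."
    "DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO"
    "EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo"
)


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OpaqueTokenServer:
    """Slides 67 to 70: the token is a random pointer; the state stays in the token store."""

    def __init__(self):
        self.store = {}
        self.lookups = 0   # round trips the rest of the system makes to this server

    def password_grant(self, username, now):
        access = secrets.token_urlsafe(16)
        self.store[access] = {"username": username, "exp": now + 3600}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, access, now):
        """Slide 35: every hop that sees the pointer has to ask who it belongs to."""
        self.lookups += 1
        claims = self.store.get(access)
        return claims if claims and claims["exp"] > now else None


class JwtTokenServer:
    """Slides 73 to 77: sign the state, hand it to the client, keep only jti for revocation."""

    ISS = "https://demo.superbiz.com/oauth2/token"

    def __init__(self, key: bytes):
        self.key = key          # constructed gateway key; with RS256 this would be the private key
        self.revoked = set()    # the only state kept per token: its jti

    def password_grant(self, username, now):
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"token-type": "access-token", "username": username, "iss": self.ISS,
                   "exp": now + 3600, "iat": now, "jti": secrets.token_hex(8)}
        signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                                 for part in (header, payload))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return {"access_token": f"{signing_input}.{b64url(sig)}", "token_type": "Bearer",
                "expires_in": 3600}


def verify_jwt(token, key, now, revoked=frozenset()):
    """Resource-server check with no call to the token server (slide 81): pin the algorithm
    (never let the token choose it), check the MAC in constant time, then exp and revocation."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in revoked:
        return None
    return claims


def peek_claims(token):
    """Slide 63: the payload is plain base64url JSON anyone can read; only verify_jwt proves it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def forge(token, **changes):
    """What an attacker can do without the key: edit the claims and keep the old signature."""
    head, body, sig = token.split(".")
    claims = {**json.loads(b64url_decode(body)), **changes}
    return f"{head}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```

With OpaqueTokenServer a request crossing four services costs four introspect calls; with JwtTokenServer the same request costs four local verify_jwt calls and no round trip, and revocation still works because the server kept the jti.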
  82. "Hey, give me all of Joe's salary information." "Not a chance!"
  83. "Hey, give me all of Joe's salary information." "Sure thing!" Every microservice has the gateway's public key
  84. Latveria Attacks (again)
  85. OAuth 2 + JWT (diagram): 3000 TPS of valid tokens plus 6000 TPS of invalid tokens (HTTP+SSL) means 9000 TPS of signature verification at the gateway, done locally with the public key; the back end still sees only 12000 TPS of verification over 4 hops; passwords 1000/day to the OAuth 2 endpoint (LDAP, private key); 0.55 TPS refresh-token checks
  86. HTTP Signatures (Amazon EC2 style API Security)
  87. HTTP Signatures • No "secret" ever hits the wire • Signs the message itself • Proves identity • Prevents message tampering • Symmetric or asymmetric signatures • IETF Draft: https://tools.ietf.org/html/draft-cavage-http-signatures • Extremely simple • Does NOT eliminate the benefits of JWT
  88. Signing a Message: take the full HTTP message
  POST /painter/color/palette HTTP/1.1
  Host: api.superbiz.io
  Date: Mon, 19 Sep 2016 16:51:35 PDT
  Accept: */*
  Content-Type: application/json
  Content-Length: 46

  {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  89. Signing a Message: select the parts you want to protect (same message as slide 88; the request line, Host, Date and Content-Length are selected)
  90. Signing a Message: create the signing string, one "name: value" line per selected header in the order they will be listed (the draft specifies the lowercased method in the (request-target) line, i.e. "post")
  (request-target): POST /painter/color/palette
  host: api.superbiz.io
  date: Mon, 19 Sep 2016 16:51:35 PDT
  content-length: 46
  91. Signing a Message: hash the string (sha256 shown, base64url-encoded). In the draft this is not a separate step; the hash is computed inside the HMAC or RSA signing operation over the signing string
  Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
  92. Signing a Message: sign it (hmac-sha256 shown). An HMAC is a keyed hash, not encryption; nothing in this step is reversible
  j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
  93. Signing a Message: put it all together
  Signature keyId="orange-1234", algorithm="hmac-sha256", headers="(request-target) host date content-length", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
  94. Signed Message
  POST /painter/color/palette HTTP/1.1
  Host: api.superbiz.io
  Authorization: Signature keyId="orange-1234", algorithm="hmac-sha256", headers="(request-target) host date content-length", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
  Date: Mon, 19 Sep 2016 16:51:35 PDT
  Accept: */*
  Content-Type: application/json
  Content-Length: 46

  {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  95. Signature Auth (diagram): no password is ever sent; signed requests at 3000 TPS (HTTP) cost 3000 TPS of key lookups (LDAP or keystore); 12000 TPS (HTTP) back end with no auth
  96. Signature Auth (diagram): back-end calls are signed as well; 3000 TPS of key lookups (LDAP or keystore); 12000 TPS (HTTP) back end
  97. "Hey, give me all of Joe's salary information." "Hey, Larry! Sure!" The issue returns (bad): the signature proves which key signed, but every hop still has to look up who that key belongs to
  98. OAuth 2.0 Proof-of-Possession (JWT + HTTP Signatures)
  99. (diagram) The key ID ties the two together: Identity Information (JWT) and Proof Of Identity (HTTP Signature)
  100. Access Token • header: { "alg": "RS256", "typ": "JWT" } • payload: { "token-type": "access-token", "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter", "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } • signature: DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  101. Access Token (PoP) • header: { "alg": "RS256", "typ": "JWT" } • payload: { "token-type": "pop", "cnf": { "kid": "orange-1234" }, "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter", "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } • signature: DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  102. OAuth 2 - Password Grant (diagram: LDAP, token ID store and key store; verify password, generate signed token, generate HMAC key)
  POST /oauth2/token HTTP/1.1
  Host: api.superbiz.io
  User-Agent: curl/7.43.0
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 54

  grant_type=password&username=snoopy&password=woodstock

  HTTP/1.1 200 OK
  Content-Type: application/json;charset=UTF-8
  Cache-Control: no-store
  Pragma: no-cache

  {
    "access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6MTMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2",
    "token_type":"pop",
    "expires_in":3600,
    "refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M",
    "key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ"
  }
  (access_token and refresh_token are truncated on the slide)
  103. JSON Web Key (encoded) eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
  104. JSON Web Key (decoded) { "kty": "oct", "use": "sig", "kid": "orange-1234", "k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKWTHlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7jJJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xss8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39cwfs", "alg": "HS256" }
  105. Signed OAuth 2.0 Message
  POST /painter/color/palette HTTP/1.1
  Host: api.superbiz.io
  Authorization: Signature keyId="orange-1234", algorithm="hmac-sha256", headers="(request-target) host date content-length", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  Date: Mon, 19 Sep 2016 16:51:35 PDT
  Accept: */*
  Content-Type: application/json
  Content-Length: 46

  {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  106. OAuth 2 + JWT + Signatures (diagram): tokens sent 3000 TPS (HTTP+SSL); 0.55 TPS refresh-token checks; passwords sent 1000/day (HTTP+SSL) to the OAuth 2 endpoint (LDAP); 4 hops, 12000 TPS back end; 3000 TPS of signature verification at the gateway and 12000 TPS in the back end
  107. Specification Reference: https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution
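An added example (not the deck's code) covering the signing steps of slides 88 to 94 together with the verifier side the deck leaves implicit, and the proof-of-possession check of slides 99 to 105. It goes beyond the deck in one respect: a Digest header over the body is added and covered by the signature, because a covered Content-Length alone lets an attacker swap in any other body of the same length. The key, the Date value (the slide's instant written as GMT, the form RFC 7231 requires for an HTTP-date), the JWT claims and the name "larry" are constructed; authorize_pop takes the JWT claims as already verified with the gateway's public key, since the RS256 check is outside what this standard-library-only block covers.

```python
import base64
import hashlib
import hmac
import re
from email.utils import parsedate_to_datetime

# Constructed values. The key is not the deck's; the Date is the slide's instant written in
# GMT; the body is the one on slide 94.
DEMO_KEY = b"constructed-shared-secret-for-orange-1234"
DEMO_DATE = "Mon, 19 Sep 2016 23:51:35 GMT"
DEMO_NOW = parsedate_to_datetime(DEMO_DATE).timestamp()
BODY = b'{"color":{"b":0,"g":255,"r":0,"name":"green"}}'
COVERED = ("(request-target)", "host", "date", "content-length", "digest")


def signing_string(method, path, headers, names):
    """draft-cavage 2.3: one 'name: value' line per covered header, in the listed order;
    (request-target) is the lowercased method, a space and the path."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")   # headers are keyed by lowercase name
    return "\n".join(lines)


def body_digest(body):
    """RFC 3230 style Digest header value; covering it binds the body to the signature."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def sign_request(key, key_id, method, path, headers, names=COVERED):
    """Client side (slides 90 to 93): hmac-sha256 over the signing string, then the header value."""
    mac = hmac.new(key, signing_string(method, path, headers, names).encode(), hashlib.sha256).digest()
    return 'Signature keyId="{}",algorithm="hmac-sha256",headers="{}",signature="{}"'.format(
        key_id, " ".join(names), base64.b64encode(mac).decode())


def verify_request(request, keys, now, max_skew=300):
    """Server side. keys maps keyId to its secret. Returns (True, keyId) or (False, reason)."""
    headers = request["headers"]
    auth = headers.get("authorization", "")
    if not auth.startswith("Signature "):
        return False, "no Signature scheme"
    params = dict(re.findall(r'(\w+)="([^"]*)"', auth[len("Signature "):]))
    if params.get("algorithm") != "hmac-sha256":
        return False, "unsupported algorithm"
    names = params.get("headers", "").split()
    if not {"(request-target)", "date", "digest"} <= set(names):
        return False, "(request-target), date and digest must be covered"
    key = keys.get(params.get("keyId"))
    if key is None:
        return False, "unknown keyId"
    # The covered Date bounds how long a captured request can be replayed.
    try:
        sent_at = parsedate_to_datetime(headers["date"]).timestamp()
    except (KeyError, ValueError, TypeError):
        return False, "date missing or unparseable"
    if abs(now - sent_at) > max_skew:
        return False, "date outside replay window"
    # content-length alone would accept any body of the same length; the digest does not.
    if headers.get("digest") != body_digest(request["body"]):
        return False, "digest does not match body"
    try:
        expected = signing_string(request["method"], request["path"], headers, names)
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except (KeyError, ValueError):
        return False, "covered header missing or signature not base64"
    mac = hmac.new(key, expected.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, given):
        return False, "signature mismatch"
    return True, params["keyId"]


def authorize_pop(claims, request, keys, now):
    """Slides 99 to 105: identity comes from the JWT claims (already verified with the gateway's
    public key), proof of possession from the HTTP signature; cnf.kid must equal the keyId."""
    if claims.get("token-type") != "pop" or claims.get("exp", 0) <= now:
        return False, "not a live pop token"
    ok, result = verify_request(request, keys, now)
    if not ok:
        return False, result
    if result != claims.get("cnf", {}).get("kid"):
        return False, "request signed with a key the token is not bound to"
    return True, claims["username"]


def signed_request(key, key_id, body=BODY, date=DEMO_DATE):
    """The request of slide 94 signed with a constructed key, plus a covered Digest header."""
    headers = {"host": "api.superbiz.io", "date": date, "content-type": "application/json",
               "content-length": str(len(body)), "digest": body_digest(body)}
    headers["authorization"] = sign_request(key, key_id, "POST", "/painter/color/palette", headers)
    return {"method": "POST", "path": "/painter/color/palette", "headers": headers, "body": body}
```

The verifier refuses to proceed unless (request-target), date and digest are among the covered headers, because a client is otherwise free to sign only headers an attacker does not care about; the Date check is what turns a captured request from a permanent credential into one that expires within max_skew seconds.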
  108. Observations • HTTP Signatures are the only HTTP-friendly approach • Signatures do not solve the "Identity Load" problem • OAuth 2 with JWT significantly improves IDP load • Plain OAuth 2: HTTP Session-like implications • OAuth 2 with JWT: a signed cookie; signing key to the future
  109. Slides & Gateway Sign-up: https://tribestream.io/javaland2018. Don't miss this talk: Securing JAX-RS, today 17:00, Room Quantum 3+4, Rudy De Busscher. #RESTSecurity JavaLand
