OpenID Foundation FAPI WG: June 2017 Update

Overview and the status update on the OIDF's Financial API (FAPI) WG.
  1. Nomura Research Institute. Nat Sakimura, Chairman of the Board, OpenID Foundation; Research Fellow, Nomura Research Institute. Anoop Saxena, FAPI WG co-chair, OpenID Foundation; Architect, Intuit. OpenID Foundation Financial API WG, June 2017. http://openid.net/wg/fapi/ • OpenID® is a registered trademark of OpenID Foundation. • Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
  2. © 2017 by Nat Sakimura. CC-BY-SA. Copyright © 2016 Nat Sakimura. All Rights Reserved. Do you use Personal Finance Software? What are the current problems?
  3. When NRI started screen scraping in 2001, we thought it would be a temporary solution. "There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of the scraping business in a few years' time!"
  4. WRONG!
  5. After 15 years, we are still screen scraping.
  6. The situation is changing though.
  7. Fintech is gaining a lot of interest lately. (Source) Google Trends
  8. API is known to be one of the three main components of FinTech. Use cases for an Identity Federation API in the financial sector: 1. Account opening (incl. KYC) 2. Personal asset management 3. Payment, sending money 4. Loan application 5. AI-assisted portfolio management. (Source) Nikkei BP: Fintech Revolution, p. 4; Nikkei BP: FinTech Yearbook
  9. INDUSTRY PUSH > US: FS-ISAC Durable Data API, in JSON, XML + OAuth 2.0. (Source) FS-ISAC FSDDA WG; OpenID Financial API
  10. REGULATORY PUSH > EU Payment Service Directive 2 mandates API availability by the end of 2017. JSON, REST, OAuth, OpenID Connect. (Source) ODI OBWG: The Open Banking Standard (2016)
  11. "LEGO Model" provided by APIs creates a new customer segment, "B-to-D". Laurens Hamerlinck, Innovation Manager, ABN AMRO Bank, @lhamerlinck: • Open Banking APIs are drawing fintech companies to the UK. • API creates a Lego model. You do not need to build everything yourself. • OEaS := Our Expertise as a Service. • The financial sector becomes more open. Not only in the EU; also in the US and elsewhere. • iOS app platforms did not have any developers in the beginning, but see what happened by opening up the ecosystem. • What happened to a company that did not open it? • B-to-D: API = new customer segment. "Bank as a Platform: Exploring a New Role in the Age of Technology" (from a talk at European Identity Summit 2017)
  12. Automation through APIs makes it possible for financial institutions to provide services to a hitherto unreachable segment.
      • Operational loans provided to small businesses.
        - Banks providing operational loans to a small business through automated credit clearance based on the ledger data, using artificial intelligence.
      • Transaction insurance offered to SMEs.
        - Transaction insurance has only been offered to large enterprises because the insurance rate is low compared to the cost of evaluating the deals.
        - With APIs, that cost is driven down significantly, and now it can be offered to SMEs.
      Reaching the hitherto inaccessible (due to benefit/cost) market. (Chart: share of gross value added, large enterprises 42.5% vs. SMEs 57.5%; share of the number of enterprises, large 1% vs. SMEs 99%. Source: Eurostat, "Number of enterprises, persons employed and gross value added (GVA) and the share of SMEs, 2012".)
  13. Saying "use #oauth" does not solve the problem. -- Mark O'Neill, Gartner, @APIDays Paris 2016. (Source) Photo taken by Nat Sakimura at APIDays on 13 Dec 2016. In the era of "Mobile First", OAuth is an obvious choice for API protection, but ...
  14. Because OAuth 2.0 is a framework, as the name indicates,
  15. and needs to be profiled to suit the circumstances and use case. (Chart: value at stake, low to high, against environmental control level, high to low. Example workloads placed on it: social sharing; closed-circuit factory application; Financial API – read only; Financial API – read and write. Annotations: "For example: basic OAuth is good enough"; "Bearer token: not OK"; "Stock RFC 6749 and 6750 are not enough".) Not all security requirements need to be fulfilled by OAuth. You need to be careful in the case of a higher value at stake in a low environmental control scenario, such as internet banking.
  16. RFC 6749 state of the source, destination, and message authentication:
      Message                  Sender authentication   Receiver authentication   Message authentication
      Authorization Request    Indirect                None                      None
      Authorization Response   None                    None                      None
      Token Request            Weak                    Good                      Good
      Token Response           Good                    Good                      Good
  17. OAuth 2.0 related options and their security levels.
      Authorization request/response types and their security levels (highest first):
      JWS Authz Req w/ Hybrid Flow           Authz request protected
      Hybrid Flow*1 (confidential client)    Authz response protected (the ID Token acts as the detached signature for the response)
      Code Flow (confidential client)        Client authentication
      Implicit Flow                          No client authentication
      Plain OAuth                            Anonymous
      *1) State injection is taken care of by including 's_hash'.
      Token types and their security levels (highest first):
      Sender-constrained token   Only the named party with the correct key can use the token
      Bearer token               Anyone can use the token
  18. E.g., tighten up the source, destination, and message authentication:
      Message                  Sender authentication   Receiver authentication   Message authentication
      Authorization Request    Request Object          Request Object            Request Object
      Authorization Response   Hybrid Flow             Hybrid Flow               Hybrid Flow
      Token Request            Good                    Good                      Good
      Token Response           Good                    Good                      Good
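The two tables above (slides 16 and 18) can be made concrete with a small exchange. The following is an added example, not code from the slides or from the FAPI working group: the client wraps its authorization request in a signed request object so that the server can authenticate its source, destination and content, and the server answers with a hybrid-flow ID Token whose c_hash and s_hash cover the front-channel code and state, so the client no longer takes those two parameters at face value. It uses only the Python standard library and signs with HS256 under a shared CLIENT_SECRET purely to keep the example self-contained; FAPI requires asymmetric signatures, and every identifier (CLIENT_ID, ISSUER, the redirect URI) is a constructed stand-in. Encryption of the request object (JWE) is out of scope here.

```python
"""Added example: signed request object + hybrid-flow c_hash/s_hash checks.
Stdlib-only HS256 JWS; a shared secret is a simplification for the demo,
real FAPI deployments sign asymmetrically (e.g. PS256/ES256)."""
import base64, hashlib, hmac, json, time

CLIENT_ID = "client-xyz"              # constructed client identifier
ISSUER = "https://as.example"         # hypothetical authorization server
REDIRECT_URI = "https://client.example/cb"
CLIENT_SECRET = b"shared-secret-for-demo-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jws_verify(token: str, key: bytes) -> dict:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def half_hash(value: str) -> str:
    """c_hash / s_hash: base64url of the left half of SHA-256 (for *256 algs)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


# --- client: the authorization request is a JWS, not loose query parameters ---
def build_request_object(state: str, nonce: str) -> str:
    return jws_sign({
        "iss": CLIENT_ID, "aud": ISSUER, "client_id": CLIENT_ID,
        "response_type": "code id_token", "redirect_uri": REDIRECT_URI,
        "scope": "openid accounts", "state": state, "nonce": nonce,
        "exp": int(time.time()) + 300,
    }, CLIENT_SECRET)


# --- authorization server: source, destination and content of the request ---
def as_validate_request_object(request_jws: str) -> dict:
    claims = jws_verify(request_jws, CLIENT_SECRET)          # message + sender
    if claims["iss"] != CLIENT_ID or claims["aud"] != ISSUER:  # intended receiver
        raise ValueError("wrong iss/aud")
    if claims["exp"] < time.time():
        raise ValueError("expired request object")
    return claims


def as_issue_hybrid_response(claims: dict, code: str) -> dict:
    """Hybrid flow: the ID Token is the detached signature over code and state."""
    id_token = jws_sign({
        "iss": ISSUER, "aud": CLIENT_ID, "nonce": claims["nonce"],
        "c_hash": half_hash(code), "s_hash": half_hash(claims["state"]),
        "exp": int(time.time()) + 300,
    }, CLIENT_SECRET)
    return {"code": code, "state": claims["state"], "id_token": id_token}


# --- client: never trust code/state from the user agent without the hashes ---
def client_verify_response(resp: dict, expected_state: str, expected_nonce: str) -> bool:
    try:
        claims = jws_verify(resp["id_token"], CLIENT_SECRET)
    except ValueError:
        return False
    return (claims["iss"] == ISSUER and claims["aud"] == CLIENT_ID
            and claims["nonce"] == expected_nonce
            and resp["state"] == expected_state
            and hmac.compare_digest(claims["s_hash"], half_hash(resp["state"]))
            and hmac.compare_digest(claims["c_hash"], half_hash(resp["code"])))


def run_demo() -> tuple:
    """Returns (genuine response accepted, response with injected code accepted)."""
    state, nonce = "st-1", "n-1"
    claims = as_validate_request_object(build_request_object(state, nonce))
    resp = as_issue_hybrid_response(claims, "code-genuine")
    injected = dict(resp, code="code-injected-via-user-agent")   # code injection
    return (client_verify_response(resp, state, nonce),
            client_verify_response(injected, state, nonce))
```

The point of the s_hash footnote on slide 17 is visible in `client_verify_response`: state is checked twice, once against the client's own session and once against the signed s_hash, so an attacker who swaps the state or the code in transit through the browser cannot produce a matching ID Token.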
  19. To create an appropriate OAuth profile for financial API use, we need to consider multiple factors. These are not taken into account often enough, resulting in too many unsafe OAuth 2.0 implementations.
  20. Example of factors: • 1 server / client assumption • Message authentication • Source authentication • Destination authentication • User authentication • Message confidentiality • Token phishing/replay. A Financial API profile needs to solve them all.
  21. OAuth's primary security assumption is that there is only 1 Authz Server per client:
      • In the case of Personal Finance Management software, the client will necessarily have multiple Authz Servers.
        - Make sure to have virtual separation, i.e., a different redirect endpoint for each server, to avoid the Authz server mix-up attack etc.
      (Diagram: "1 Authz Server / client model" vs. "n Authz Servers / client model", with client endpoints C1O, C1R, C2O, C2R, the user agent UA, and authorization servers A1Z, A2Z.)
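The "virtual separation" on slide 21 is a few lines of bookkeeping in the client. The following is an added example, not code from the slides or from any FAPI implementation, of a personal-finance client registered with two hypothetical authorization servers (the issuer URLs, redirect URIs and token endpoints are constructed). Each server gets its own redirect endpoint, and the client records which server each `state` was issued for; a code that arrives on the callback of a different server than the one the state belongs to is the mix-up case and is refused instead of being sent to the attacker's token endpoint.

```python
"""Added example: per-authorization-server redirect endpoints as a defence
against the mix-up attack in a multi-AS client. All names are constructed."""
import secrets

# Hypothetical registrations: one distinct redirect_uri per authorization server.
AUTHZ_SERVERS = {
    "https://as.bank-a.example": {
        "redirect_uri": "https://pfm.example/cb/bank-a",
        "token_endpoint": "https://as.bank-a.example/token",
    },
    "https://as.bank-b.example": {
        "redirect_uri": "https://pfm.example/cb/bank-b",
        "token_endpoint": "https://as.bank-b.example/token",
    },
}


class PfmClient:
    """Personal finance client that remembers which AS each state was issued for."""

    def __init__(self):
        self.pending = {}  # state -> issuer the user agent was sent to

    def start(self, issuer: str) -> dict:
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return {"issuer": issuer, "state": state,
                "redirect_uri": AUTHZ_SERVERS[issuer]["redirect_uri"]}

    def callback(self, redirect_uri_hit: str, code: str, state: str) -> str:
        """Return the token endpoint the code may be redeemed at, or raise.
        The state's issuer and the endpoint that was hit must agree."""
        issuer = self.pending.pop(state, None)     # state is single use
        if issuer is None:
            raise ValueError("unknown or replayed state")
        if AUTHZ_SERVERS[issuer]["redirect_uri"] != redirect_uri_hit:
            # The code came back on another server's callback. Redeeming it at
            # the token endpoint of the issuer we *think* we are talking to
            # would hand a genuine code to that (possibly hostile) server.
            raise ValueError("mix-up: code delivered to the callback of a different AS")
        return AUTHZ_SERVERS[issuer]["token_endpoint"]


def honest_flow() -> str:
    c = PfmClient()
    req = c.start("https://as.bank-a.example")
    return c.callback(req["redirect_uri"], "code-from-bank-a", req["state"])


def mixup_flow_is_rejected() -> bool:
    """The user picks bank-b, whose AS is attacker-controlled. It redirects the
    user agent on to bank-a's AS with the client's own client_id and the same
    state. bank-a only knows the client's bank-a redirect URI, so the genuine
    code lands on /cb/bank-a while the client's state says 'bank-b'."""
    c = PfmClient()
    req = c.start("https://as.bank-b.example")
    try:
        c.callback(AUTHZ_SERVERS["https://as.bank-a.example"]["redirect_uri"],
                   "real-code-from-bank-a", req["state"])
    except ValueError:
        return True
    return False
```

With a single shared `/cb` endpoint the same client would have accepted the code and sent it to bank-b's token endpoint, which is exactly the leak the mix-up attack is after.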
  22. Message authentication problems
      • Communication through the UA is not authenticated and thus can be tainted, but it is often used without a taint check.
      • Neither 'code' nor 'state' can be taken at face value, but we do...
      (Diagram: C1O and C1R on the client, UA, A1Z; TLS terminates at the UA. The authorization request (response_type, client_id, redirect_uri, scope, state) and the authorization response (code, state) are both marked "not authenticated".)
  23. Message source authentication problems
      • Since the authorization request and response go through the browser, the receiving ends cannot be sure who the real sender is.
      (Diagram: TLS terminates at the UA. A1Z cannot verify that the Authz request is from C1O; C1R cannot verify that the Authz response is from A1Z.)
  24. Message destination authentication problems
      • We are in a mobile app world, right?
      • "Code phishing" on public clients, a.k.a. mobile apps.
      • A custom URL scheme etc. can be hijacked by malware on the device.
        - It has been exploited against popular apps.
        - RFC 7636 OAuth PKCE exists for the mitigation of this problem.
      (Diagram: Good App and Bad App both claim redirect_uri = goodapp://; Bad App tells the UA "I am goodapp!")
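What RFC 7636 actually buys against the scheme-hijacking app on slide 24 is shown in the following added example, which is not code from the slides or from the RFC and uses only the Python standard library. Both sides are in one file: the good app derives an S256 code challenge from a verifier it keeps in memory, the (hypothetical, in-memory) authorization server stores the challenge with the code, and the malicious app that receives the code through the hijacked `goodapp://` scheme cannot redeem it because it never saw the verifier. The client identifier and token strings are constructed.

```python
"""Added example: RFC 7636 PKCE (S256) on both the app and the server side,
and why an intercepted authorization code is useless without the verifier."""
import base64, hashlib, secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory stand-in for an AS that enforces PKCE on public clients."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        if method != "S256":
            # 'plain' would let an app that saw the challenge replay it as the verifier.
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, code_challenge)
        return code  # delivered via the UA to whichever app owns goodapp://

    def token(self, client_id: str, code: str, code_verifier: str) -> str:
        entry = self.codes.pop(code, None)  # single use, even on a failed attempt
        if entry is None:
            raise ValueError("invalid or already used code")
        stored_client, challenge = entry
        if stored_client != client_id:
            raise ValueError("client_id mismatch")
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return "access-token-" + secrets.token_hex(8)


def good_app_flow(as_: AuthorizationServer) -> str:
    verifier = make_code_verifier()  # never leaves the app's memory
    code = as_.authorize("goodapp", code_challenge_s256(verifier), "S256")
    return as_.token("goodapp", code, verifier)


def bad_app_intercepts_code(as_: AuthorizationServer) -> bool:
    """Malware registered goodapp:// and received the redirect carrying the
    code. It can present the same client_id, but must guess the verifier."""
    verifier = make_code_verifier()
    code = as_.authorize("goodapp", code_challenge_s256(verifier), "S256")
    try:
        as_.token("goodapp", code, make_code_verifier())
    except ValueError:
        return True  # rejected, and the code is now burnt for the good app too
    return False
```

Note that PKCE does not authenticate the app (a public client has no secret to authenticate with); it only ties the code to the process that started the flow, which is enough to defeat the interception shown in the diagram.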
  25. Identity and authentication problems
      • OAuth has no notion of user identity.
      • User authentication is "out of scope".
  26. (Image) Created by @nishantk
  27. Message confidentiality problems
      • The authorization request is not encrypted at the application layer, so it can be seen by a man-in-the-browser etc.
      • And we know that malware abounds.
        - The most popular online banking attack in Japan since 2014 is man-in-the-browser.
      (Diagram: TLS terminates at the UA; malware on the UA can see the payload.)
  28. Token phishing / token replay
      • Clients send token requests and resource requests to forged or compromised servers. These servers can then act as a hostile client and replay the request.
        - E.g., sending a fake email to a developer saying that the endpoints have changed (we know that about 1 in 20 trained engineers gets phished).
        - A combination of TLS certificate mis-issuance and DNS spoofing, etc. There seem to be real examples of such attacks against banks.
      (Diagram: Client XYZ talks to an Attacker who says "Hi, I am ABC Bank API"; the Attacker talks to ABC Bank saying "Hi, I am Client XYZ".)
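The replay in the slide 28 diagram succeeds precisely because the token is a bearer token (slide 17: anyone can use it). The following added example, not code from the slides or from any FAPI implementation, contrasts that with a sender-constrained token bound to the client's TLS client certificate by its SHA-256 thumbprint (the `cnf` / `x5t#S256` binding used by OAuth mutual TLS, RFC 8705). The authorization server's token store and the resource server are hypothetical in-memory objects, and the "certificates" are constructed byte strings standing in for DER-encoded X.509, since only their thumbprint matters for the check.

```python
"""Added example: bearer token vs. certificate-bound (sender-constrained)
token under the 'forged ABC Bank API' replay of slide 28. Constructed data."""
import base64, hashlib, secrets
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint as used in the cnf claim: base64url(SHA-256(DER))."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode()


CLIENT_XYZ_CERT = b"constructed-der-bytes-of-client-xyz-certificate"
ATTACKER_CERT = b"constructed-der-bytes-of-attacker-certificate"


class TokenStore:
    """Authorization server state the resource server can consult (e.g. via
    token introspection). Tokens are opaque; the binding lives in 'cnf'."""

    def __init__(self):
        self.tokens = {}

    def issue(self, client_id: str, client_cert_der: Optional[bytes]) -> str:
        token = secrets.token_urlsafe(24)
        cnf = {"x5t#S256": x5t_s256(client_cert_der)} if client_cert_der else None
        self.tokens[token] = {"client_id": client_id, "scope": "accounts", "cnf": cnf}
        return token


def resource_server_accepts(store: TokenStore, token: str,
                            presented_cert_der: Optional[bytes]) -> bool:
    """presented_cert_der is the certificate on the mutual-TLS connection the
    request arrived over (None when the caller did not present one)."""
    info = store.tokens.get(token)
    if info is None:
        return False
    cnf = info["cnf"]
    if cnf is None:
        return True  # bearer token: possession is all that is checked
    if presented_cert_der is None:
        return False  # sender-constrained token without mutual TLS
    return secrets.compare_digest(cnf["x5t#S256"], x5t_s256(presented_cert_der))


def replay_succeeds(sender_constrained: bool) -> bool:
    """Client XYZ was tricked into sending its token to the forged API; the
    attacker forwards it to the real API over the attacker's own TLS session."""
    store = TokenStore()
    cert = CLIENT_XYZ_CERT if sender_constrained else None
    token = store.issue("client-xyz", cert)
    legitimate = resource_server_accepts(store, token, CLIENT_XYZ_CERT)
    replayed = resource_server_accepts(store, token, ATTACKER_CERT)
    return legitimate and replayed
```

The attacker still learns the token (the phishing on slide 28 is not prevented), but the replay on the right-hand side of the diagram fails because the attacker cannot complete a TLS handshake with Client XYZ's private key. The same check works for a self-contained JWT access token carrying the `cnf` claim, with signature verification in place of the store lookup.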
  29. To solve these problems, the OpenID Foundation Financial API (FAPI) WG was formed.
      • Scope
        - The goal of FAPI is to provide JSON data schemas, REST APIs, and security and privacy recommendations and protocols to enable: applications to utilize the data stored in the financial account; applications to interact with the financial account; and users to control the security and privacy settings.
      • Both commercial and investment banking accounts as well as insurance and credit card accounts are to be considered.
      (Source) OpenID Foundation Financial API WG draft charter. JSON, REST, OAuth, OpenID Connect. (Source) ODI OBWG: The Open Banking Standard (2016). For details, see: https://openid.net/wg/fapi/
  30. Why OpenID Foundation? Right people: the authors of OAuth, JWT, JWS and OpenID Connect are all here. Right IPR: royalty free, mutual non-assert, so that everyone can use it freely. Right structure: free to join WGs (sponsors welcome); WTO TBT compliant process.
  31. In an IPR-safe and completely open environment
      • IPR regime
        - Mutually assured patent non-assert
        - Trademark (OpenID®) control against false claims of spec support
        - Certification support to reinforce interoperability
      • Completely open environment
        - Free of charge to join the WG as long as you file the IPR agreement
        - Bitbucket (git) to track the changes: file an issue and send a pull request!
      • Made possible by these sponsors! Sustaining corporate members (board members), corporate members, non-profit members.
  32. The WG works through weekly conference calls (alternating times for the Atlantic and the Pacific time zones), the mailing list, and the project repository ( https://bitbucket.org/openid/fapi/ ): issue tracking, meeting notes etc., commit history, pull requests, draft text.
  33. Working together: OpenID FAPI (Chair, Co-Chair, Co-Chair, UK OBIE Liaison) and liaison organizations.
  34. Current specs.
      • Financial Services – Financial API –
        - Part 1: Read Only API Security Profile http://openid.net/specs/openid-financial-api-part-1.html  Implementer's Draft (I-D); implementations going on.
        - Part 2: Read and Write API Security Profile http://openid.net/specs/openid-financial-api-part-2.html  Under public review.
        - Part 3: Open Data API. Waiting for the UK OBIE contribution.
        - Part 4: Protected Data API and Schema - Read only. Bank account, based on the US FS-ISAC contribution.
        - Part 5: Protected Data API and Schema - Read and Write. Waiting for the UK OBIE contribution; using the Claims Request to obtain granular consent.
      Swagger files are going to be provided. Parts 3 to 5 probably need to be registry entries rather than "Parts".
  35. Financial Services – Financial API -- Part 1: Read Only API Security Profile
      • Note: ISO keywords "shall", "should", "may", "can" are used.
      • Lots of "shall"s. You need to fulfill them all for an adequate security level.
      (Source) Financial Services – Financial API -- Part 1: Read Only API Security Profile, Implementer's Draft
  36. Adoption among the industry is great!
  37. Japanese Bankers' Association recommendation (16 March 2017)
  38. Open Banking Implementation Entity announcement (17 May 2017)
  39. How do you know that it has been implemented correctly?
  40. A certification test suite is planned to be provided online. For more details, see http://openid.net/certification/ Passing the publicly available test suite; self-declaration and public listing. We currently only have a generic test for basic OpenID Connect capabilities. We need to add tests for FAPI. Directed funding is being sought now.
  41. Join the group! https://openid.net/wg/fapi/