2018 Madrid JUG Deconstructing REST Security

MadridJUG
#RESTSecurity @brunobat_ @tomitribe
Deconstructing REST
Security
Bruno Baptista
Tomitribe

MadridJUG
“The nice thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum

#RESTSecurity @dblevins @tomitribe
MadridJUG
Focus Areas
• Beyond Basic Auth
• Theory of OAuth 2.0
• Introduction of JWT
• Google/Facebook style API security
• Stateless vs Stateful Architecture
• HTTP Signatures
• Amazon EC2 style API security

MadridJUG
Baseline Architecture
1000 users
x 3 TPS
4 hops
3000 TPS
frontend
12000 TPS
backend

MadridJUG
Basic Auth
(and its problems)

MadridJUG
Basic Auth Message
POST /painter/color/object HTTP/1.1
Host: localhost:8443
Authorization: Basic c25vb3B5OnBhc3M=
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"b":255,"g":0,"name":"blue","r":0}}

MadridJUG
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
(no auth)
3000 TPS
(LDAP)
12000 TPS
(HTTP)

MadridJUG
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
username+password
Base64
15000 TPS
(LDAP)
Password Sent
12000 TPS
(HTTP)

MadridJUG
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
IP
whitelisting
3000 TPS
(LDAP)
12000 TPS
(HTTP)

MadridJUG
“Hey, give me all
of Joe’s salary
information.”
“I don’t know
who you are,
…
but sure!”

MadridJUG
Latveria Attacks

MadridJUG
Basic Auth - Attacks
Valid
Password Sent
3000 TPS
(HTTP+SSL) IP
whitelisting
9000 TPS
(LDAP)
12000 TPS
(HTTP)
Invalid
Password Sent
6000 TPS
(HTTP+SSL)

MadridJUG
OAuth 2.0
(and its problems)

MadridJUG

MadridJUG
OAuth 2 - Password Grant
(LDAP)
(Token Store)
Verify
Passwor
d
Generate
Token

MadridJUG
OAuth 2.0 Message
POST /painter/color/object HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
Accept: */*
Content-Length: 45
{"color":{"r":0,"g":0,"b":255,"name":"blue"}}

MadridJUG
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Accept: */*
Content-Length: 45
{"color":{"r":0,"g":255,"b":0,"name":"green"}}

MadridJUG
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Accept: */*
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}

MadridJUG
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

MadridJUG
OAuth 2.0 Message
POST /painter/color/stroke HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":255,"g":200,"b":255,"name":"orange"}}

MadridJUG
OAuth 2 - Refresh Grant
(LDAP)
(Token Store)
Verify
Passwor
d
Generate
Token

MadridJUG
Old pair
• Access Token 2YotnFZFEjr1zCsicMWpAA
• Refresh Token tGzv3JOkF0XG5Qx2TlKWIA
New pair
• Access Token 6Fe4jd7TmdE5yW2q0y6W2w
• Refresh Token hyT5rw1QNh5Ttg2hdtR54e

MadridJUG
OAuth 2.0 Message
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
Accept: */*
Content-Length: 46
{"color":{"r":0,"g":255,"b":0,"name":"green"}}

MadridJUG
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Accept: */*
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}

MadridJUG
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

MadridJUG
What have we achieved?

MadridJUG
You have more passwords
(at least your devices do)

MadridJUG
Term Alert
• Password Grant???
• Logging in -> grant process
• Token?
• Slightly less crappy password
• Equally crappy HTTP Session ID

MadridJUG
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend

MadridJUG
“Who the heck
is
6Fe4jd7TmdE5y
W2q0y6W2w
???????”
“No idea, dude.
Ask the token
server.”

MadridJUG
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelistin
g
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend

MadridJUG
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend
55% of all traffic

MadridJUG
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisting
0 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
0 TPS
(token checks)
0 hops
0 TPS
backend

MadridJUG
OAuth 2
Pointer Pointer
State

MadridJUG
OAuth 2.0
High Frequency Password
Exchange Algorithm?

MadridJUG
Problem: how to detect if a file's
contents have changed?

MadridJUG
Hashing and Signing
Symmetric and Asymmetric

MadridJUG
A Hash represents a unique file
The bigger hash, the less collision probability
SHA-256 is used now

MadridJUG
Real Madrid 3 - Barcelona 1

MadridJUG
Real Madrid 3 - Barcelona 3

MadridJUG
HMAC (Symmetric)
RSA (Asymmetric)
abc123 abc123
private
public

MadridJUG
Encoding a Hash or Signature
openssl genpkey -algorithm RSA -out private_key.pem --pkeyopt rsa_keygen_bits:1024
openssl rsa -pubout -in private_key.pem -out public_key.pem
openssl dgst -sha256 -sign private_key.pem -out checksums_data.txt.sign checksums_data.txt
openssl dgst -sha256 -verify public_key.pem -signature checksums_data.txt.sign checksums_data.txt

MadridJUG
OAuth 2.0
+
JSon Web Tokens (JWT)

MadridJUG
JSon Web Token
• Pronounced “JOT”
• Fancy JSON map
• Base64 URL Encoded
• Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
• Built-in expiration

MadridJUG
Access Token Previously
• 6Fe4jd7TmdE5yW2q0y6W2w

MadridJUG
Access Token Now
• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoi
YWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhb
mltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3V
wZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0d
GVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO
DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMD
Y4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DB
jiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GV
M73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGD
L_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo

MadridJUG
Access Token Now
• header (JSON > Base64 URL Encoded)
• describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
• Basically a map of whatever you want to put in it
• Some standard entries such as expiration
• signature (Binary > Base64 URL Encoded
• The actual digital signature
• made exclusively by the /oauth2/token endpoint
• If RSA, can be checked by anyone

MadridJUG
• { "alg": “RS256", "typ": “JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": [
“twitter”, "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F
0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuad
hVDaiqmhct098ocefuv08TdzRxqYoEqYNo

MadridJUG
Subtle But High Impact
Architectural Change

MadridJUG
What we had
(quick recap)

MadridJUG
(LDAP)
Pull User Info
From IDP

MadridJUG
(LDAP)
Generate an
Access Token
(pointer)

MadridJUG
(LDAP)
Insert both
into DB

MadridJUG
(LDAP)
Send Access Token (pointer)
to client

MadridJUG
Results
Client Holds
Pointer
Server Holds
State

MadridJUG
What we can do now
(Hello JWT!)

MadridJUG
(LDAP)
Format the data
as JSON

MadridJUG
(LDAP)
RSA-SHA 256
sign JSON private

MadridJUG
(LDAP)
Insert only
pointer
into DB
(for revocation)

MadridJUG
(LDAP)
Send Access Token (state)
to client

MadridJUG
Client Holds
State
Server Holds
Pointer
Desired
Results

MadridJUG
(LDAP)
(Token ID Store)
Verify
Passwor
d
Generate
Signed
Token

MadridJUG
OAuth 2.0 Message with JWT
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR
va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ
iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl
6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ
vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Accept: */*
Content-Length: 46
{"color":{"b":0,"g":255,"r":0,"name":"green"}}

MadridJUG
OAuth 2 + JWT
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
(refresh token checks
each 30m)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
(signature verification)
12000 TPS
(signature verification)(private key)
(public key)

MadridJUG
“Hey, give me all
of Joe’s salary
information.”
“Not a chance!”

MadridJUG
“Hey, give me all
of Joe’s salary
information.”
“Sure thing!”
Every Microservice Has the Gateway's Public Key

MadridJUG
Latveria Attacks
(again)

MadridJUG
OAuth 2 + JWT
Valid
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
(LDAP)
4 hops
12000 TPS
backend
9000 TPS
12000 TPS
Invalid
Tokens Sent
6000 TPS
(HTTP+SSL)
(private key)
(public key)

MadridJUG
HTTP Signatures
(Amazon EC2 style API Security)

MadridJUG
HTTP Signatures
• No “secret” ever hits the wire
• Signs the message itself
• Proves identity
• Prevents message tampering
• Symmetric or Asymmetric signatures
• IETF Draft
• https://tools.ietf.org/html/draft-cavage-http-signatures
• Extremely simple
• Does NOT eliminate benefits of JWT

MadridJUG
Signature Message
Authorization: Signature keyId=“my-key-name",
algorithm="hmac-sha256",
headers="content-length host date (request-target)”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Length: 46

MadridJUG
Signature closeup
Signature
keyId=“my-key-name",
algorithm="hmac-sha256",
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
"

MadridJUG
Signature Auth
Password Sent
0 TPS
(HTTP)
Signature (no auth)
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)

MadridJUG
Signature Auth
Password Sent
0 TPS
(HTTP)
Signature Signature
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)

MadridJUG
“Hey, give me all
of Joe’s salary
information.”
“Hey, Larry!
Sure!”
Issue Returns
(bad)

MadridJUG
OAuth 2.0 Proof-of-Possession
(JWT + HTTP Signatures)

MadridJUG
Key Value
Identity Information
(JWT)
Key ID
Proof Of Identity
(HTTP Signature)

MadridJUG
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "access-token",
"scopes": ["twitter”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb
4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cu
adhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token

MadridJUG
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "pop",
"cnf":{ "kid": "green-1234" }
"scopes": ["twitter”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb
4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cu
adhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token

MadridJUG
(LDAP)
(Token ID Store)
Verify
Passwor
d
Generate
Signed
Token
Generate
HMAC
Key
(Key Store)

MadridJUG
JSON Web Key (encoded)
eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteXl
qOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFdNeV
hxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci1fQk9v
WEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5WWFuQlN
Gc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZPeE5Qdj
ZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd2ZzIiwiY
WxnIjoiSFMyNTYifQ

MadridJUG
JSON Web Key (decoded)
{ "kty": "oct",
"use": "sig",
"kid": "orange-1234",
"k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKW
THlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j
JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xs
s8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39c
wfs",
"alg": "HS256"
}

MadridJUG
Signed OAuth 2.0 Message
Authorization: Signature keyId=“orange-1234", algorithm="hmac-sha256",
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5h
bWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29t
L2
9hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO
DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdY
O1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaEl
xc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Length: 46

MadridJUG
OAuth 2 + JWT + Signatures
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
12000 TPS

MadridJUG
https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution
Specification Reference

MadridJUG
Observations
• HTTP Signatures the only HTTP friendly approach
• Signatures does not solve the “Identity Load” problem
• OAuth 2 with JWT significantly improves IDP load
• Plain OAuth 2
• HTTP Session-like implications
• OAuth 2 with JWT
• Signed cookie
• Signing key to the future

MadridJUG
Practical considerations

MadridJUG
Where to store the JWTs ?
• Local Storage!
• Some people are using cookies for that...
• Encode it's contents with base64URL
• The refresh token must not be sent in all requests… Unless…
• Update the cookie transparently when the Access Token expires
• You can potentially do cookie revocation.

MadridJUG
JWT size
• Max header size issue
• Compress JWT payload

Thank You
Slides & Gateway Sign-up
https://tribestream.io/madridjug-2018/
#RESTSecurity
MadridJUG

2018 Madrid JUG Deconstructing REST Security

Recommended

Recommended

More Related Content

What's hot

What's hot (9)

Similar to 2018 Madrid JUG Deconstructing REST Security

Similar to 2018 Madrid JUG Deconstructing REST Security (20)

Recently uploaded

Recently uploaded (20)

2018 Madrid JUG Deconstructing REST Security