My 2012 homerun in IT-security: For many years nothing happened in Web security - with respect to security-enabling the HTTP stack. This is not true anymore: game-changing innovations do emerge right now. Their impact will - likely - be pervasive. It is important to understand what exactly is being launched, why this is happening and which forces are driving this. This presentation establishes this context and elaborates on the implications.
This presentation digests and analyzes the OAuth versions 1.0 and 2.0.
Doing a deep dive into OAuth, I found myself forced into a puzzle with many pieces. This was worthwhile, as OAuth is quite cool. For those interested in a quick start, check this slide deck - I hope it saves others from puzzling.
This document discusses the evolution of service-oriented architectures (SOAs) and how identity management plays a key role. Early SOAs like CORBA and DCOM struggled with security. Web services improved on this with standards like WS-Security and SAML tokens. More recent approaches like OpenID, OAuth, and federated identity management improved user-centric security and access control. Future SOAs may utilize attribute-based access control at large scales across organizations. Overall, the document traces how security for SOAs transitioned from platform-specific to user-centric and interoperable across the Internet.
Kerberos is an authentication protocol that allows nodes communicating over an untrusted network to verify each other's identity. It uses symmetric encryption and a trusted third party called the Key Distribution Center (KDC) to authenticate users and services. The KDC issues credentials called tickets that grant access to trusted services across the network. Kerberos provides single sign-on by generating session keys that allow access to multiple services without re-authenticating. It is built into major operating systems and enables secure authentication over an insecure network like the internet.
This document provides an overview of OAuth 2.0 and how it addresses issues with the previous "password anti-pattern" approach to API authentication. It describes the key actors in OAuth - clients, authorization servers, and resource servers. It also summarizes the different flows for obtaining access tokens, common use cases for OAuth, and how OAuth compares to SAML for SSO and authorization.
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti... (Michael Noel)
This document discusses using SharePoint 2010 to collaborate with external partners through an extranet. It covers:
1) The benefits of an extranet for security isolation and partner collaboration.
2) SharePoint 2010's improved support for claims-based authentication and multiple authentication providers to better support extranets.
3) Various architecture options for extranet implementations, including scenarios where extranet and internal users are separated across farms or forests with different levels of access and security isolation.
The document discusses context automation and how it connects information between websites for users. Context automation is enabled by trends like cloud computing, extensible browsers, and internet identities. It can augment websites with additional context through approaches like JavaScript, media toolbars, search tools, and context platforms. Key technologies that help enable context automation include Kynetx, which uses a rule language called KRL, and information cards, which can securely store user identity and data. Context automation provides benefits to users like a more individualized and structured browsing experience with improved privacy and security.
The document discusses several identity and authentication protocols:
- Claims-based identity and federated identity allow authentication from remote trusted entities without a global trust authority. SAML assertions can describe user attributes and be used across domains for single sign-on.
- OAuth 2.0 focuses on authorization, allowing third parties to access APIs on a user's behalf by exchanging an authorization code for an access token without user credentials.
- JSON Web Tokens (JWTs) provide a standard token format that can securely transmit claims like user attributes and be validated without contacting the authorization server.
- OpenID Connect extends OAuth 2.0 by adding an identity token to provide authentication in addition to authorization for single sign-on.
The document discusses authentication and access to online resources from mobile devices within universities. It notes challenges around securely authenticating users and controlling access across different systems and networks. The document proposes a single sign-on model using OpenAthens as an identity provider to authenticate users through their university credentials. This would provide a consistent user experience while giving institutions more control over security and the ability to determine user roles and access levels based on identity attributes. The model aims to streamline access to institutional resources from any device while maintaining security.
Claim based authentication provides a solution to common problems with user authentication across multiple websites. It allows an identity provider like Google or Facebook to authenticate a user and issue tokens containing claims like user details. Applications can then request specific claims from an identity provider through a selector. The identity provider signs the token and applications can verify the signature to trust the identity provider. This avoids the need for each application to implement its own authentication and allows users to reuse their login from an identity provider on multiple applications.
The document discusses data tokenization for PCI compliance and cloud environments. Tokenization involves replacing sensitive data like primary account numbers (PANs) with surrogate values called tokens. This reduces the scope of PCI compliance and increases security by removing the actual sensitive data from systems. Tokenization options include internal and third-party solutions. Third-party tokenization can ease implementation but limits flexibility, while internal solutions give more control. The document also covers tokenization use cases, implementing tokenization securely, and how tokenization can reduce PCI scope for e-commerce and other applications.
Authentication and Authorization Models (CSCJournals)
The document discusses authentication and authorization models. It proposes a new model that combines PKI and Kerberos to enable authentication between trust domains. The model works as follows:
1) A user in Domain 1 sends a request to the Authentication Server, signed with the user's certificate, requesting a session with the Ticket Granting Server.
2) If authenticated, the Authentication Server issues a ticket to the user.
3) The user then sends a request to the application server in Domain 2, along with the ticket.
This allows mutual authentication between users in different domains that utilize different authentication technologies, by leveraging the strengths of both PKI and Kerberos. The public key infrastructure establishes trust between domains,
This document discusses the differences between assertion-based access tokens and handle-based access tokens in OAuth 2.0. Assertion-based tokens are parsable tokens like JWTs that contain user and client information, while handle-based tokens are opaque references. Assertion-based tokens have advantages for performance and scalability but require cryptographic protection, while handle-based tokens require validation through the authorization server. The document then examines scenarios where handle-based tokens could cause problems, such as with multiple authorization servers, and outlines secure validation steps for assertion-based tokens.
Live Identity Services presentation at Microsoft's MIX09 Conference.
Learn how Microsoft provides a range of identity solutions for helping developers more easily build seamless user experiences that include Federation, Authentication, UX Customization, Open Standards, Open ID and more.
Identity, Security, and XML Web Services -- The Importance of Interoperable S... (Jorgen Thelin)
The document discusses identity, security, and XML web services. It defines identity as who a person is and how they prove it. Identity provides permissions in computing systems as in real life. Standards like SAML and WS-Security encode identity credentials in XML for use in web services. Examples show username tokens, X.509 certificates, and SAML assertions transmitted in SOAP message headers to authenticate callers and pass identity attributes between systems.
The document discusses the technical details of direct trust infrastructure, which is built on public key infrastructure (PKI). PKI uses public and private key cryptography, digital certificates, encryption, and digital signatures to enable authentication, secure messaging, electronic signatures, and data encryption. It describes how certificates bind a public key to identity information and are issued by a certification authority (CA) with the help of a registration authority (RA) that verifies identity documentation.
Web services security standards aim to provide interoperability and trust. Several standards organizations are working on related specifications to provide a security infrastructure for web services. This includes standards for XML signatures and encryption, message-level security with WS-Security, and distributed access control standards like SAML and XACML. Further work is needed to standardize key management, authorization policy, and support direct trust models. Overall progress has been made but full security requires continued standardization efforts.
This presentation provides an overview of the technical considerations that Third Eye made while developing a tool to create, digitally sign and certify Software Identification (SWID) tags.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for permission to publish these presentations.
This document discusses leveraging SharePoint as an extranet solution. It provides an agenda for the presentation and discusses common challenges addressed by extranets, how SharePoint addresses those challenges, and demonstrating a customer extranet. It also discusses learning how to get started with a SharePoint extranet, including an architectural design session to plan the solution. The presentation aims to help understand extranets and how SharePoint can be used to deploy one.
This document provides an overview of PKI administration using EJBCA and OpenCA certificate authorities. It describes the key concepts of PKIs, including certification authorities, digital certificates, certificate revocation lists, root CAs, subordinate CAs, registration authorities, and end entities. It then analyzes the architecture and administration of EJBCA, an enterprise Java-based CA, including creating the super administrator, configuring data sources, publishing certificates, generating certificate authorities, registration authorities, end entities, and certificate revocation lists.
Enterprise Guest Access is a license option for Juniper Networks MAG Series gateways that provides secure network access for guest users. It authenticates guests, assesses their device health, and controls their access to network resources. It simplifies guest user administration and reduces threats from unauthorized users. As an agentless solution, it works across operating systems and requires no configuration on guest devices.
How to deploy SharePoint 2010 to external users? (rlsoft)
A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec... (Brian Culver)
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn what exactly claims-based authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
The document discusses implementing a high availability identity federation system on JBoss Application Server (JBossAS). It proposes using JBossAS clustered across nodes for both identity providers and service providers. Key aspects are supporting standards like SAML and Liberty Alliance for identity federation and single sign-on. High availability features like persistence, failover, autodiscovery and security are important to support a distributed system with many users.
JDD2015: Security in the era of modern applications and services - Bolesław D... (PROIDEA)
This document discusses security challenges with modern applications and services and provides an overview of common standards and approaches. It outlines issues with traditional password-based authentication and session management in today's environment of mobile apps, microservices, and client-side applications. The document then introduces token-based security standards like SAML, JWT, OAuth2, and OpenID Connect, explaining how they address these issues through tokenization, delegation, and flexible authentication. It recommends relying on existing solutions like Keycloak that implement these standards to simplify security implementation and avoid potential vulnerabilities.
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect (CloudIDSummit)
John Bradley, Ping Identity
Overview of the different participant roles in OpenID Connect, how JSON Web Tokens (JWT) are used, how OpenID Connect provides both authentication and authorization tokens in a single flow, and how OpenID Connect can support Single Sign-On for native applications.
A presentation explaining the concepts of public key infrastructure. It covers topics like Public Key Infrastructure (PKI) introduction, Digital Certificate, Trust Services, Digital Signature Certificate, TLS Certificate, Code Signing Certificate, Time Stamping, and Email Encryption Certificate.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or... (Brian Campbell)
This document provides an overview of OAuth 2.0 and how it can be used to securely authorize access to APIs from mobile applications. It begins with an introduction to OAuth and discusses how it addresses issues with directly sharing passwords between applications. The document then outlines the basic OAuth flow, including key concepts like access tokens, authorization codes, and refresh tokens. It provides code snippets demonstrating an example OAuth flow for both Android and iOS, showing the HTTP requests and responses at each step.
This presentation covers various access management topics in the IAM domain, such as authentication, authorization, MFA, passwordless authentication, certificate-based authentication, and SSO protocols like SAML and OIDC.
The document discusses implementing public key infrastructures (PKIs). It introduces PKI concepts like public key cryptography, certificates, and the roles of registration authorities and certification authorities. It explores PKI design considerations like interfacing with applications, smart cards, and identity management systems. It also discusses lessons learned from past PKI deployments and factors to consider when deploying a PKI, such as whether to build an in-house PKI or outsource services.
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ... (APIsecure_ Official)
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Why Assertion-based Access Token is preferred to a Handle-based one?
Yoshiyuki Tabata, Software Engineer at Hitachi
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and... (Amazon Web Services)
This document provides an overview and summary of Amazon Cognito. It discusses how Cognito can be used to authenticate users, manage user identities, and synchronize user data across devices. It also describes Cognito's features for user sign-up, sign-in, verification, authentication, authorization and managing user profiles. Several sample use cases are presented, such as using Cognito for user management, social login, and employee single sign-on. The document concludes with information on getting started with Cognito.
Claims-based identity refers to establishing a user's identity outside of an application and injecting identity information into the application in a secure manner. It allows applications to obtain authenticated user information programmatically or declaratively. While it improves the user experience and development process, claims-based identity does not solve all identity and access management use cases and some platforms require more custom work to implement it.
Identity 2.0 and User-Centric Identity (Oliver Pfaff)
This document discusses identity management concepts including Identity 2.0, user-centric identity, and how these apply to web services. It provides an overview and comparison of OpenID and Windows CardSpace as examples of user-centric identity solutions. It also summarizes an eFA project for federating access to medical records across health providers in Germany.
This document provides an overview of authentication mechanisms on Windows, including Kerberos, Active Directory, digital certificates, biometrics, and .NET identity objects. It also discusses upcoming technologies like CardSpace and OpenID that aim to improve single sign-on authentication across multiple systems and online applications. The document concludes that with the evolution of open standards, the goal of a trustworthy single sign-on experience across the web is becoming closer to reality.
The document summarizes the Open Authentication initiative (OATH), which aims to drive adoption of open strong authentication standards. OATH has created standardized authentication algorithms like HOTP and works with members to promote interoperability. Its reference architecture provides guidance for integrating strong authentication into applications while balancing security, usability and choice. OATH also works on credential provisioning standards and certification programs to further authentication adoption.
HAD05: Collaborating with Extranet Partners on SharePoint 2010 (Michael Noel)
This document discusses collaborating with extranet partners on SharePoint 2010. It begins by covering why organizations implement extranets and the authentication options in SharePoint 2010. It then presents six sample extranet architecture scenarios with varying levels of security isolation between internal and external users. The document also discusses claims-based authentication, the Forefront Unified Access Gateway for external access, and using Forefront Identity Manager for identity management in an extranet.
The document summarizes security best practices presented in a tech talk at Stanford ACM. It discusses TrialPay's service overview, basics of securing data and systems, implementing two-factor authentication for VPN and SSH access, and best practices for securing credit card data in a vault. The presentation covers password security, encrypting sensitive data, access controls, backups, and other techniques for protecting online systems and user information.
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap... (Amazon Web Services)
Ed Lima, a Solutions Architect at AWS, discusses adding user sign-in, user management, and security to mobile and web applications using Amazon Cognito. The presentation covers Amazon Cognito Identity for user authentication and authorization, Cognito User Pools for user management, and how applications can integrate with Cognito. It also demonstrates how Cognito can federate with identity providers and provides sample use cases for business to consumer, business to business, and IoT applications.
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects (Maxim Salnikov)
The ForgeRock Identity Platform and Edge security solution can turn any IoT device into a secure, trusted active subject, enrolled and on-boarded from a hardware-based root of trust, to become an autonomous entity in your business relationship ecosystem, represented by a digital twin.
1) The document discusses various methods for securing RESTful APIs, including choosing the right security protocol, understanding authentication vs authorization, and exploring specific protocols like basic authentication, JSON web tokens, OAuth1.0a, and OAuth2.
2) It provides details on each protocol, including how they work, benefits, structures like the JWT header and payload, and code examples for implementation flows.
3) The key takeaways are to never use basic authentication without TLS, to favor HMAC algorithms over bearer tokens, and to use OAuth1.0a or OAuth2 (preferably MAC) for authentication, as OAuth is an authorization protocol rather than an authentication standard.
The document discusses integrated lifecycle management of smart cards, USB tokens, and user credentials through a card and credential management system (CMS). It provides an overview of the OpenTrust SCM, highlighting its key benefits like enabling two-factor authentication, securely storing multiple user secrets, and establishing trusted digital identities. It also outlines requirements for an enterprise CMS, the OpenTrust architecture and ecosystem, sample use cases, and its project methodology.
This document discusses authentication strategies for native mobile applications. It recommends using OAuth 2.0 with an authorization code grant to obtain access tokens securely without embedding credentials in the app. The key steps are: 1) opening a browser to request authorization; 2) handling the callback to exchange the authorization code for an access token; and 3) using the token to access APIs securely on behalf of the user. Authentication can leverage single sign-on or stored user identities.
Authentication and strong authentication for Web Application (Sylvain Maret)
Sylvain Maret is a digital security expert who gave a presentation on strong authentication in web applications. He discussed threats to authentication like keyloggers and social engineering. New standards like FFIEC and PCI DSS require strong authentication for financial applications and remote access. Strong authentication can use biometrics or one-time passwords. Standards like SAML and OpenID allow for identity federation where users can authenticate with an identity provider and access multiple applications.
This document discusses trends in security for the Industrial Internet-of-Things (IIoT) and Operational Technologies (OT). It begins with an introduction and overview of considered systems and security objectives. The document then examines the characteristics and current security status of IIoT and OT separately. For IIoT, it identifies needs for automated credential bootstrapping and highlights approaches being developed. For OT, it analyzes similarities and differences compared to IT security. The presentation concludes with a wrap-up of key takeaways and an outlook on this topic.
This document provides an overview of a lecture on security for the Web of Things. It discusses security building blocks including cryptographic primitives like encryption and signing, cryptographic objects that contain encrypted data and metadata, security tokens that make assessments about system actors, and security protocols for exchanging cryptographic objects. It emphasizes that while these techniques help secure distributed systems like the Web, cryptographic keys must also be carefully managed for security. The document provides background on distributed systems security and the dependencies between different security disciplines.
This document provides an overview of OAuth and discusses its use for authorizing third-party access to individually owned web resources. OAuth defines a protocol that allows resource owners to delegate access rights to third parties in a limited, discretionary manner. It addresses the key use case of allowing applications to access user resources, such as contacts or calendar entries, while respecting the user's ownership of those resources. The document covers OAuth concepts like authorization grants, protocol endpoints, and resource request authentication, as well as extensions and adoption examples.
OpenID Connect - An Emperor or Just New Cloths? (Oliver Pfaff)
OpenID Connect is a specification that defines an identity layer on top of the OAuth 2.0 authorization framework. It allows clients to verify user identity and obtain basic profile information about the user. OpenID Connect supports common identity use cases like single sign-on and identity federation through the use of ID tokens and user info endpoints. While it is not a complete replacement for SAML, OpenID Connect provides a simpler approach that is better suited for mobile and REST-based applications compared to the XML-based SAML standard.
My 2012 Groundhog Day - needed much bandwidth over the past weeks to discuss the same topic with various folks: how do identity and access management and RESTful Web services relate? This slide deck aims at taking this question from its root.
Trust in E- and M-Business - Advances Through IT-Security (Oliver Pfaff)
The document discusses trust services that are fundamental for digital business transactions, including authentication, authorization, and non-repudiation. It notes that traditional authentication techniques do not meet the requirements of digital business and outlines cryptographic protocols like digital signatures that can provide persistent authentication of electronic documents and identities. However, it states that non-repudiation requires additional legal and policy frameworks beyond authentication alone. The document also examines authorization services and their implementation in web environments.
Identifying How WAP Can Be Used For Secure mBusiness (Oliver Pfaff)
The document discusses security technologies for the Wireless Application Protocol (WAP), including:
- WAP 1.0 and 2.0 protocol stacks and their use of WTLS and TLS for secure communication
- WTLS limitations and enhancements like WPKI, WAPCert, and TLS over HTTP in WAP 2.0
- Information security technologies like WMLScript Crypto and the Wireless Identity Module (WIM) for digital signatures and credential storage
Early Adopting Java WSIT-Experiences with Windows CardSpace (Oliver Pfaff)
- Java WSIT provides support for WS-* specifications and can be used to create Java-based web services and clients that are interoperable with Microsoft WCF. It supports features like reliable messaging, security, and atomic transactions.
- Windows CardSpace is a Microsoft application that helps users manage digital identities and select information cards for authentication. It aims to improve user control over personal information sharing and identity federation.
- The authors used Java WSIT to create a Security Token Service that supports Windows CardSpace, addressing challenges around user authentication across and within domains and how to represent information cards as credentials.
State-of-the-Art in Web Services Federation (Oliver Pfaff)
With respect to the enablement of federated identity, Web services have advantages over traditional Web applications because Web services technologies natively support the externalization of subject authentication in a standard way. This is facilitated through dedicated security services provided by the infrastructure (WS-Trust STSs). However, when it comes to advanced identity federation use cases demanding more sophisticated federation features, Web services also suffer from a scattered technology landscape not easily accessible for non-experts. This landscape at least comprises WS-Federation, Liberty-Alliance ID-WSF and OASIS WSFED. This contribution investigates these Web services federation technologies. It uses a health-care use case that demands sophisticated features in identity federation to pinpoint their capabilities. Moreover, it considers the identity federation enablement features of common Web services stacks, e.g. Apache Axis, Microsoft WCF and Sun Metro. This aims at providing a compass for those who are charged with architecting, designing and building identity federation solutions in Web services environments: Which technologies are out there? What are they good for? How are they supported in Web services stacks?
Unified Security Architectures for Web and WAP (Oliver Pfaff)
The document discusses the feasibility of unified security architectures for web and WAP-based services. It analyzes application and infrastructure aspects, finding that transport-bound security, information-bound security, and security tokens can be integrated. With advances in WAP 2.0, web and WAP security may be largely unified at the application level, while infrastructure-level requirements like WPKI can be accommodated at the network border. This allows businesses to avoid investing in separate security infrastructures for web and WAP services.
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin... (Oliver Pfaff)
Presence and instant messaging programs such as AOL Instant Messenger, ICQ, Microsoft Messenger and Yahoo Messenger enjoy rapidly growing use – in particular also in the workplace. Their use, however, leads to considerable threat scenarios for enterprise security. Used correctly, IT-based real-time communication systems can nevertheless unlock significant efficiency potential for enterprises.
Therefore, realizing suitable solution architectures is of central importance when introducing IT-based real-time communication services into enterprise networks. This talk discusses the given threats, examines countermeasures and sketches architectures for the secure use of such services.
Identity 2.0, Web services and SOA in Health Care (Oliver Pfaff)
Buzzwords such as Identity 2.0, Web services and SOA characterize the architectures of novel IT-systems. Concerning these recent trends, the stakeholders of eHealth systems might ask a number of questions including:
• Users: does that help us in providing a better care?
• Owners: how does it change the suite of applications and services we provide?
• Suppliers: what is the footprint on our software architecture?
This presentation will discuss the relevance of Identity 2.0, Web services and SOA for IT-systems in health-care. It will identify and assess the value that can be added through ideas and technologies behind these trends. Regarding the fundamental concept of identity, architectural blueprints for Web services and SOA-based eHealth systems will also be investigated.
This presentation examines architectural patterns for SOA security according to the externalization of the cross-cutting concerns of authorization and authentication as well as the integration of identity federation. Conceptual building blocks for SOA security are sketched and assessed with respect to classical security means. Web services-based SOA systems are considered in particular. The analysis considers the native security functionality of common Web service stacks (e.g. Apache Axis, Microsoft WCF, Sun JAX-WS RI/WSIT).
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of those features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect personal devices and information.
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence (IndexBug)
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Best 20 SEO Techniques To Improve Website Visibility In SERP (Pixlogix Infotech)
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Monitoring and Managing Anomaly Detection on OpenShift.pdf (Tosin Akinosho)
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Programming Foundation Models with DSPy - Meetup Slides (Zilliz)
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack (shyamraj55)
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that and would like to help you with it!
We explain how you can solve common configuration problems that can cause more users to be counted than necessary, and how you can identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expenses, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model to you.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Infrastructure Challenges in Scaling RAG with Custom AI models (Zilliz)
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers (akankshawande)
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Things to Consider When Choosing a Website Developer for your Website | FODUU (FODUU)
Choosing the right website developer is crucial for your business. This article covers essential factors to consider, including experience, portfolio, technical skills, communication, pricing, reputation & reviews, cost and budget considerations and post-launch support. Make an informed decision to ensure your website meets your business goals.
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf (Techgropse Pvt. Ltd.)
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used in optimizing or minimizing the number of tests. Test automation can be used to speed up testing.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
2. A Journey through Time – 2000 to 2012
Within IT-security, IAM (Identity and Access Management) covers authentication, authorization and federation. It has use cases driving current innovation:
▶ Enterprise camp: identities/resources owned by legal entities
▶ Internet camp: identities/resources owned by individual users
May 2012 2
3. Security-Enabling the HTTP Stack - Until 2010
Protocol stack (bottom-up): IP, TCP, SSL/TLS, HTTP header, HTTP body, WS-*/WS-Security
Security fabric: cryptographic algorithms, meta-information, security tokens, security syntax, security protocols, security infrastructure
▶ WS-*/WS-Security: no help - does not match the target environment
▶ SSL/TLS: helps - but does not cover the given use cases
4. Driving Forces
▶ Constrained clients: smart phones/tablets accessing via mobile networks
Promote native clients: talk HTTP, serve single users – but are no classical Web browsers
▶ API economy: content aggregation via mash-ups/composite applications, Web APIs exposing lightweight interfaces, RESTful Web services – no WS-*
Promote application clients: talk HTTP, serve multiple users
▶ Cloud: procure IT from the network: applications (SaaS), software (PaaS) or hardware infrastructure (IaaS)
For many organizations "owning iron" is a snail's pace approach. Holds for the server side (XaaS) and the client side (BYOD)
▶ Disillusion: some things did not fly, such as PKI to the end-user:
• Not handy: people do not understand PKI – even IT pros struggle
• Compromises: Comodo/DigiNotar/StartTLS CAs, DuQu, Stuxnet
• Ramifications of lemon markets (Nobel prize-awarded theory) apply
5. …Their Constraints/Needs/Use Cases
▶ Constrained clients:
Interactions: server-side, no client-side redirections
Compact representations: new formats for security objects, no WS-*
▶ API economy:
Authenticate API clients: new authentication schemes for HTTP
Manage access to personal resources: new authorization protocols (3-party scenario)
Move identity data (for self): on-boarding of individual users (3-party scenario)
▶ Cloud:
Externalize user authentication: provide seamless access (i.e. SSO) (3-party scenario)
Manage identity data (for any): user on-boarding in bulk-style
Manage authorization: govern access control for subscriber resources
▶ Disillusion:
Alternate entity authentication schemes: stronger than username/static password, less awkward than public key certificate and private key
Supply meta-information: express to relying parties how authentication and identity creation was done
6. Use Cases Requiring 3-Party Exchanges
▶ Manage access to personal resources
Prerequisites: user and asserting/relying party authentication
▶ Move identity data (for self)
Prerequisites: user and asserting/relying party authentication
▶ Externalize user authentication
Prerequisite: user and asserting party authentication
[Figure: three parties, each on an HTTP / SSL/TLS / TCP/IP stack – User agent (UI App), Asserting party (Identity data, Personal resources, User authentication) and Relying party (App)]
7. 3-Party Exchange Pattern –
Functional Requirements
[Figure: User authenticates with credentials at the User agent; User agent provides a grant to the Asserting party; Asserting party exposes an Entitlement endpoint, a Security endpoint and a Resource endpoint; Relying party authenticates with credentials at the Security endpoint and is provided a token; Relying party authenticates with the token at the Resource endpoint]
▶ Facilitate 3-party overlay:
User agent to asserting party - security endpoint:
• Entitle relying party after authenticating
• UI-style: entitlement dialogue with arbitrary Web user authentication
Relying party to asserting party - security endpoint:
• Obtain security token after authenticating
• API-style: new protocols with arbitrary Web client authentication
Relying party to asserting party – resource endpoint:
• Obtain resource access after authenticating
• API-style: new authentication protocols (token-based)
8. 3-Party Exchange Pattern –
Non-Functional Requirements
[Table: where security objects travel – 3-party exchanges: Sub-HTTP N.a., HTTP header URL query, HTTP body N.a.; 2-party exchanges: Sub-HTTP SSL/TLS, HTTP header Authn header, HTTP body Var.]
▶ 3-party exchanges between relying and asserting parties – via user agents esp.
constrained clients:
Use HTTP 3xx redirects
Employ URL query parameters for exchange of security token acquisition
objects and their responses
▶ Subsequent 2-party exchanges between relying and asserting parties:
Use HTTP Authorization headers for authentication purposes based on
security tokens
▶ URL query parameters as well as HTTP Authorization headers are space-
constrained:
Objects to acquire and utilize security tokens must match these constraints
Note: SAML assertion/protocol syntax objects are suspect of violating them
9. Identifying the New Entrants
▶ Constrained clients:
Interactions: N.a.
Compact representations: JWA, JWE, JWK, JWS (IETF jose WG) and JWT (IETF
individual submission)
▶ API economy:
Authenticate API clients: HTTP Bearer and MAC authentication (IETF oauth WG)
Manage access to personal resources: OAuth (IETF oauth WG), UMA (Kantara)
Move identity data (for self): OpenID Connect (OpenID)
▶ Cloud:
Externalize user authentication: OpenID Connect (OpenID)
Manage identity data (for any): SCIM (IETF WG candidate)
Manage authorization: XACML 3.0 administration and delegation profile (OASIS)
▶ Disillusion:
Alternate authentication schemes: TOTP (RFC 6238), HOTP (RFC 4226),
callbacks (custom)
Supply meta-information: assurance levels (NIST SP800-63, ITU-T X.1254 |
ISO/IEC 29115, Kantara IAF)
11. Security Fabric for the HTTP Stack –
From ca. 2012
[Figure: security fabric for the HTTP stack – Security token service <Abstract> (provides service for managing tokens) is instantiated by OAuth authz server (IETF Draft), which UMA (Kantara Draft) promotes; Security token <Abstract> (provides token authn) is instantiated by JWT (IETF individual submission); JWS (IETF Draft) provides request authn; HTTP request authn (IETF Draft) provides entity authentication; JWE (IETF Draft) provides token encryption; OpenID Connect (OpenID Draft) extends OAuth (IETF Draft) and includes JWT]
12. Security Fabric for the SOAP Stack –
From ca. 2007 (for reference purposes)
[Figure: security fabric for the SOAP stack – XML Signature (W3C standard) provides msg authn; XML Encryption (W3C standard) provides msg encryption; SOAP Message Security (OASIS standard, WSS TC) provides entity authentication; WS-SecurityPolicy (OASIS standard, WS-SX TC) allows profiling of SOAP Message Security; WS-Policy (W3C standard) allows publishing of policies; an edge labelled "defines security for STSs"; Security token service <Abstract> (provides service for managing tokens) is instantiated by WS-Trust (OASIS standard, WS-SX TC), which WSFED (OASIS committee specification) extends; Security token <Abstract> (provides token authn) is instantiated by SAML assertion (OASIS standard, SAML TC); an element provides token encryption]
13. Security-Enabling the HTTP Stack -
From ca. 2012
[Figure: Protocol stack (IP, TCP, SSL/TLS, HTTP header, HTTP body) alongside the Security fabric (security protocols, security syntax, security token, meta-information, cryptographic algorithms) and the Security infrastructure]
15. Conclusions
▶ It is amazing what is happening right now – security-wise as well as IAM-wise
▶ The current innovation is triggered by use cases from the Internet IAM camp. In
particular, it addresses needs related to Web 2.0 as well as social networks
▶ This does not imply that the emerging mechanisms are limited to these domains:
– Other industries have matching use cases e.g. user-managed access to
medical data to-be-shared among healthcare providers (ECRs – Electronic
Case Records)
– Their resolution delivers security mechanisms that can be (re-)used in other
use cases
– Security functionality for 3-party Web exchanges presents a main focus. Such
3-party exchanges also apply in other industries – probably with some other
details but likely requiring similar patterns and approaches.
▶ The evolution of specifications, implementation of toolkits (many open source)
and supply of services on the Internet happens in parallel
▶ This innovation in Web security is still ongoing and not yet concluded
16. Abbreviations
AJAX Asynchronous JavaScript And XML
API Application Programming Interface
AWS Amazon Web Services
BYOD Bring Your Own Device
CA Certification Authority
CMS Cryptographic Message Syntax
ECC Elliptic Curve Cryptography
HMAC Hash-based Message Authentication Code
HOTP HMAC-based OTP
HTML HyperText Markup Language
HTTP HyperText Transfer Protocol
IaaS Infrastructure as a Service
IAF Identity Assurance Framework
IAM Identity and Access Management
JOSE JavaScript Object Signing and Encryption
JSON JavaScript Object Notation
JWA/E/K/S/T JSON Web Algorithms/Encryption/Key/Signature/Token
LoA Level of Assurance
OATH Open Authentication
OAuth Open Authorization
17. Abbreviations (cont’d)
OIDC OpenID Connect
OTP OneTime Password
PaaS Platform as a Service
PKCS Public-Key Cryptography Standards
PKI Public Key Infrastructure
PoP Proof-of-Possession
REST REpresentational State Transfer
SaaS Software as a Service
SAML Security Assertion Markup Language
SCIM Simple Cloud Identity Management
SOAP Simple Object Access Protocol
SSL Secure Sockets Layer
STS Security Token Service
TLS Transport Layer Security
TOTP Time-based OTP
UMA User-Managed Access
URL Uniform Resource Locator
WS Web Services
XaaS Any X offered 'as-a-Service'
XML eXtensible Markup Language
18. Background
▶ Fielding, R.: Architectural Styles and the Design of Network-based Software
Architectures. PhD Thesis. University of California, Irvine, 2000.
▶ Gutmann, P.: PKI: Lemon Markets and Lemonade. RSA Security Conference 2011.
▶ Jones, M.: The Emerging JSON-Based Identity Protocol Suite. W3C Workshop on
Identity in the Browser, 2011.
▶ Machulak, M.P. et al.: User-Managed Access to Web Resources. Proceedings of the
6th ACM Workshop on Digital Identity Management, 2010.
▶ Mash-up directory: http://www.programmableweb.com/mashups/directory
▶ Pautasso, C.; Zimmermann, O.; Leymann, F.: RESTful Web Services vs. "Big" Web
Services: Making the Right Architectural Decision. Proc. of the 17th International
World Wide Web Conference, Beijing, 2008.
▶ Prins, J.R.: DigiNotar Certificate Authority breach “Operation Black Tulip”. Interim
Report: Investigation DigiNotar Certificate Authority Environment, 2011.
▶ Rabin, J.; McCathieNevile, C. (eds.): Mobile Web Best Practices 1.0. W3C
Recommendation 2008.
▶ Rutkowski, M. (ed.): Identity in the Cloud Use Cases Version 1.0. OASIS
Committee Note, 2012.
▶ Web API directory: http://www.programmableweb.com/apis/directory
▶ Yegge, S.: Stevey's Google Platforms Rant. 2011
20. Web Application Styles
[Figure: four Web application styles side by side –
Traditional Web browser: UI, HTML, HTTP client; Request / Response (HTML); HTTP server, Web server
AJAX-aware Web browser: UI, JavaScript, HTML, AJAX engine, HTTP client; Request / Response (JSON, XML); HTTP server, Web server
Mobile native client: UI, HTML or JSON,XML, HTTP client; Request / Response (JSON, XML); HTTP server, Web server
Mash-up application client: HTTP server, Business logic, HTTP client; Request / Response (JSON, XML); HTTP server, Web server
Bottom caption: UI-style IO … API-style IO]
21. Characterizing Client-Side Components
▶ Web browsers:
– HTTP client with address bar, serves resources of arbitrary services
– HTML as primary media type (UI-style)
– Client-side scripting support
– Serves #1 simultaneous user
– Examples: Google Chrome, Microsoft Internet Explorer, Mozilla Firefox
▶ Native clients:
– HTTP client without address bar, serves resources of a specific service
– HTML (UI-style) or JSON/XML as primary media type (API-style)
– Serves #1 simultaneous user
– Example: Android/iPhone Web apps
▶ Application clients:
– HTTP client and server
– JSON/XML as primary media type towards downstream application (API-style)
– Provides own application/business functionality (i.e. not only a HTTP proxy)
– Serves #n simultaneous users
– Example: Amazon & eBay comparison shopping
22. Security Fabric for the HTTP Stack –
Until 2010
▶ Security fabric is broadly absent in the actual HTTP layer:
– HTTP Basic authentication: username/password-based authentication
• Transfers credentials in plain (to be precise: Base64 encoded)
• Unpopular: HTML form-based authentication is preferred
– HTTP Digest authentication: shared secret key-based authentication
• Not used in practice
– Custom HTTP authentication methods: Kerberos/NTLM-based authentication
• Used for integrated Windows authentication
– HTTP session state mechanisms:
• No actual security mechanism but a factor in the security fingerprint
▶ Security fabric is present:
– Underneath the HTTP layer: SSL/TLS
– Above the HTTP layer: WS-Security
▶ Caveats:
– Underneath the HTTP layer: hard to support complex use cases
– Above the HTTP layer: adds significant infrastructural burden
23. 4-Party Security Protocols –
User-Managed Access - UMA
▶ UMA refines OAuth 2.0:
– Allows users to manage access to individual resources, residing on any number
of OAuth resource servers, through a single OAuth authorization server
– Extends OAuth by formalizing interactions between OAuth resource and
authorization servers (underspecified in OAuth)
– Promotes OAuth authorization servers to independent network services – hence
turns the 3-party protocol OAuth into a 4-party protocol
– Extends the OAuth notion of scope and hence enhances the granularity of
access control
– More information: Comparing OAuth and UMA, UMA Frequently Asked Questions
▶ The specifications are developed by a Kantara working group:
– User-Managed Access (UMA) Core Protocol (Draft 2012 also published as IETF
Draft - individual submission)
– UMA Trust Model (Draft 2012)
– UMA Scenarios and Use Cases (Draft 2010)
– UMA User Stories (Draft 2010)
▶ Familiar to: -
24. 3-Party Security Protocols –
OpenID Connect
▶ OpenID Connect defines an identity layer on top of OAuth 2.0:
– Exploits and extends OAuth for a specific kind of resources: data specific to user
authentication and user identity (e.g. data persisted in user accounts)
– Turns a solution for the delegation use case in access management into an
approach for the federation use case in identity management
▶ The specifications are developed by the OpenID community:
– Basic Client Profile (Draft 2012)
– Discovery (Draft 2012)
– Dynamic Registration (Draft 2012)
– Standard (Draft 2012)
– Messages (Draft 2012)
– Session Management (Draft 2012)
▶ Familiar to: SAML, WS-Federation (passive profile), OpenID (note: its relation to
the original OpenID protocol is loose)
▶ More information: OpenID Connect - An Emperor Or Just New Cloths?
25. 3-Party Security Protocols –
OpenID Connect Exchange Pattern
[Figure: User agent, Asserting party (Security endpoint, UserInfo endpoint) and Relying party exchanging the numbered messages below]
1. Redirect user agent to OAuth authz endpoint, provide oidc:Request object
2. Authn with user credentials, delegate access to identity data
3. Store entitlement
4. Redirect user agent to relying party with oauth:Grant
5. Authn with client credentials, supply oauth:Grant, request oauth:AccessToken, oidc:IdToken
6. Respond with oauth:AccessToken, oidc:IdToken
7. Consume oidc:IdToken
8. Authn with oauth:AccessToken, request user info
9. Respond with user info
10. Process user info
26. 3-Party Security Protocols –
OAuth
▶ OAuth allows resource owners to delegate resource access rights to third-party
consumers (such as composite applications in a mash-up) in a discretionary
fashion with a limited scope (functionality, time).
▶ The specifications are developed by the IETF oauth working group:
– The OAuth 2.0 Authorization Framework (Draft 2012)
– The OAuth 1.0 Protocol (RFC 5849, 2010)
▶ Familiar to: -
▶ More information: Analyzing OAuth
27. 3-Party Security Protocols –
OAuth Exchange Pattern
[Figure: User agent, Asserting party (Security endpoint, Resource endpoint) and Relying party exchanging the numbered messages below]
1. Redirect user agent to OAuth authz endpoint
2. Authn with user credentials, delegate access to resource
3. Store entitlement
4. Redirect user agent to relying party with oauth:Grant
5. Authn with client credentials, supply oauth:Grant, request oauth:AccessToken
6. Respond with oauth:AccessToken
7. Authn with oauth:AccessToken, request resource
8. Respond with resource
9. Process resource
28. 2-Party Security Protocols –
HTTP Bearer Authentication
▶ OAuth-defined mechanism extending the HTTP access authentication framework
(RFC 2616) – may be used independent of OAuth:
– WWW-Authenticate response header: specifies the authentication method
(Bearer) and allows realm and scope parameters to be specified
– Authorization request header: transfers a bearer token in Base64 encoding
▶ Bearer tokens:
– Any party in possession of the token can use it to get access to the associated
resources - without demonstrating possession of a cryptographic key
– Supported form-factors:
• SAML Assertion objects (self-contained security token)
• JSON Web tokens (self-contained security token)
▶ The specifications are developed by the IETF oauth working group:
– The OAuth 2.0 Authorization Protocol: Bearer Tokens (Draft 2012)
– SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 (Draft 2012)
– JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 (Draft 2012)
▶ Familiar to: -
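The OAuth exchange pattern of slide 27 and the Bearer header usage of slide 28, as an added example that is not part of the original slides and not IETF reference code: a constructed asserting party with authorization, token and resource endpoints, and the relying party's side of steps 1-9. Client id, client secret, the user, the redirect URI and the resource are made-up values.

```python
"""Constructed walk-through of the 3-party OAuth exchange (steps 1-9) ending in
a Bearer Authorization header. Illustrative only; registrations are made up."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

CLIENTS = {"rp-app": "rp-secret"}            # constructed client id -> client secret
USERS = {"alice": "alice-pw"}                 # constructed resource owner -> password
RESOURCES = {"alice": {"calendar": "talk on 2012-05-21"}}
GRANT_TTL, TOKEN_TTL = 60, 3600               # seconds


class AssertingParty:
    """Authorization and token endpoint (the security endpoint of slide 27) plus
    the resource endpoint, kept in one object for brevity."""

    def __init__(self):
        self.entitlements = {}  # oauth:Grant -> (client, owner, scope, expiry)
        self.tokens = {}        # oauth:AccessToken -> (owner, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, user, password):
        """Steps 1-4: the user agent arrives at the authz endpoint, the user
        authenticates and delegates access (entitlement stored); the grant goes
        back to the relying party in the redirect URL's query parameters."""
        if client_id not in CLIENTS:
            raise PermissionError("unknown client")
        if user not in USERS or not hmac.compare_digest(USERS[user], password):
            raise PermissionError("user authentication failed")
        grant = secrets.token_urlsafe(16)
        self.entitlements[grant] = (client_id, user, scope, time.time() + GRANT_TTL)
        return f"{redirect_uri}?code={grant}"

    def token(self, client_id, client_secret, grant):
        """Steps 5-6: the relying party authenticates with its own credentials
        and swaps the short-lived, single-use grant for an access token."""
        if client_id not in CLIENTS or not hmac.compare_digest(CLIENTS[client_id], client_secret):
            raise PermissionError("client authentication failed")
        record = self.entitlements.pop(grant, None)  # pop: a replayed grant fails
        if record is None or record[0] != client_id or record[3] < time.time():
            raise PermissionError("invalid or expired grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (record[1], record[2], time.time() + TOKEN_TTL)
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def resource(self, name, headers):
        """Steps 7-8: the resource endpoint accepts a bearer token in the
        Authorization header and answers failures with a WWW-Authenticate challenge."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        record = self.tokens.get(token) if scheme == "Bearer" else None
        if record is None or record[2] < time.time():
            challenge = 'Bearer realm="asserting-party", error="invalid_token"'
            return 401, {"WWW-Authenticate": challenge}, None
        owner, scope, _ = record
        if name != scope:
            challenge = f'Bearer realm="asserting-party", error="insufficient_scope", scope="{name}"'
            return 403, {"WWW-Authenticate": challenge}, None
        return 200, {}, RESOURCES[owner][name]


def relying_party_flow(ap, user, password, scope="calendar"):
    """The relying party's side of steps 1-9; returns the processed resource."""
    redirect = ap.authorize("rp-app", "https://rp.example/cb", scope, user, password)
    grant = parse_qs(urlparse(redirect).query)["code"][0]              # step 4
    issued = ap.token("rp-app", "rp-secret", grant)                     # steps 5-6
    auth = {"Authorization": f"Bearer {issued['access_token']}"}        # step 7
    status, _, body = ap.resource(scope, auth)                          # step 8
    if status != 200:
        raise PermissionError(f"resource endpoint returned {status}")
    return body                                                         # step 9
```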
29. 2-Party Security Protocols –
HTTP MAC Authentication
▶ OAuth-defined mechanism extending the HTTP access authentication framework
(RFC 2616) – may be used independent of OAuth:
– WWW-Authenticate response header: specifies the authentication method
(MAC)
– Authorization request header: transfers a symmetric cryptographic
checksum over portions of the HTTP request
▶ MAC tokens:
– Any party using the token needs to demonstrate possession of a
cryptographic key. Keying associations are established out-of-band or employ
OAuth access tokens.
– Supported form-factor: identifier token
▶ The specification is developed by the IETF oauth working group:
– HTTP Authentication: MAC Access Authentication (Draft 2012)
▶ Familiar to:
HTTP Digest authentication (RFC 2617, does require a user password)
HTTP OAuth authentication (RFC 5849, a predecessor)
HTTP AWS authentication (AWS proprietary)
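Added example, not from the slides or the draft text: building and verifying the MAC scheme Authorization header described above. The layout of the normalized request string (nonce, method, request-URI, host, port, ext, each newline-terminated) and the id/nonce/mac attributes are assumed from the 2012 draft; key, identifier and nonce values are constructed.

```python
"""MAC access authentication as assumed from draft-ietf-oauth-v2-http-mac:
MAC = base64(HMAC(key, normalized request string)). Values are constructed."""
import base64
import hashlib
import hmac
import secrets
import time

ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


def normalized_request_string(nonce, method, uri, host, port, ext=""):
    fields = [nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "".join(f + "\n" for f in fields)


def compute_mac(key, alg, nonce, method, uri, host, port, ext=""):
    msg = normalized_request_string(nonce, method, uri, host, port, ext)
    digest = hmac.new(key.encode(), msg.encode(), ALGORITHMS[alg]).digest()
    return base64.b64encode(digest).decode("ascii")


def build_authorization_header(mac_id, key, alg, method, uri, host, port, ext="", nonce=None):
    """Client side: only the identifier token (mac_id) names the keying
    association on the wire; the key itself never leaves the client."""
    nonce = nonce or f"{int(time.time())}:{secrets.token_hex(4)}"  # timestamp:random
    mac = compute_mac(key, alg, nonce, method, uri, host, port, ext)
    attrs = [f'id="{mac_id}"', f'nonce="{nonce}"']
    if ext:
        attrs.append(f'ext="{ext}"')
    attrs.append(f'mac="{mac}"')
    return "MAC " + ", ".join(attrs)


def parse_mac_header(header):
    """Minimal attribute parser; assumes attribute values contain no commas."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC scheme header")
    attrs = {}
    for item in rest.split(","):
        name, _, value = item.strip().partition("=")
        attrs[name] = value.strip('"')
    return attrs


class MacVerifier:
    """Server side: resolve the key from the identifier, recompute the MAC over
    the request actually received, bound the nonce timestamp to a window and
    refuse a nonce that was already accepted (replay protection)."""

    def __init__(self, keys, window=300):
        self.keys = keys          # mac id -> (key, alg), agreed out-of-band
        self.window = window      # seconds of tolerated clock skew
        self.seen = set()         # (id, nonce) pairs already accepted

    def verify(self, header, method, uri, host, port, now=None):
        now = time.time() if now is None else now
        try:
            attrs = parse_mac_header(header)
            key, alg = self.keys[attrs["id"]]
            timestamp = int(attrs["nonce"].split(":", 1)[0])
        except (KeyError, ValueError):
            return False
        if abs(now - timestamp) > self.window or (attrs["id"], attrs["nonce"]) in self.seen:
            return False
        expected = compute_mac(key, alg, attrs["nonce"], method, uri, host, port, attrs.get("ext", ""))
        if not hmac.compare_digest(expected, attrs.get("mac", "")):
            return False
        self.seen.add((attrs["id"], attrs["nonce"]))
        return True
```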
30. 2-Party Security Protocols –
OTP Authentication
▶ HOTP, TOTP and OCRA define the exchanges between claimants and verifiers in
order to establish shared secret key-based entity authentication - without binding
the exchanges to an actual transfer protocol (typical implementations use HTTP
through HTML forms):
– HOTP: event-based OTPs
– TOTP: time-based OTPs
– OCRA: challenge/response-based OTPs
▶ PSKC and DSKPP define means to establish and manage the underlying keying
associations.
▶ The specifications are developed by the OATH community and brought into IETF:
– HOTP: An HMAC-Based OTP Algorithm (RFC 4226, 2005)
– TOTP - Time-based One-time Password Algorithm (RFC 6238, 2011)
– OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287, 2011)
– PSKC - Portable Symmetric Key Container (RFC 6030, 2010)
– DSKPP - Dynamic Symmetric Key Provisioning Protocol (RFC 6063, 2010)
▶ Familiar to: RFC 2289, vendor-proprietary solutions
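Added example (not code from the slides): HOTP and TOTP generation with the verifier-side checks the two RFCs call for, checked against the RFC 4226 and RFC 6238 test vectors for the shared secret 12345678901234567890.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with verifier-side handling."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation to
    31 bits starting at the offset in the low nibble of the last byte, then
    reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since t0."""
    for_time = time.time() if for_time is None else for_time
    return hotp(secret, int((for_time - t0) // step), digits, digestmod)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, drift: int = 1, digestmod=hashlib.sha1) -> bool:
    """Verifier side: tolerate +/- drift time steps of clock skew and compare in
    constant time. A production verifier additionally remembers the last
    accepted step so a code cannot be replayed inside its window."""
    for_time = time.time() if for_time is None else for_time
    current = int(for_time // step)
    for counter in range(current - drift, current + drift + 1):
        if hmac.compare_digest(hotp(secret, counter, digits, digestmod), code):
            return True
    return False


class HotpVerifier:
    """RFC 4226 verifier: keep the server-side counter, resynchronize within a
    look-ahead window, and never accept a counter at or below the last one
    accepted, so each OTP is single-use."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret, self.digits = secret, digits
        self.counter, self.look_ahead = 0, look_ahead

    def verify(self, code: str) -> bool:
        for counter in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.counter = counter + 1
                return True
        return False
```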
31. Security Infrastructure –
OAuth Authorization Server
▶ To decouple resource server tasks from OAuth tasks, OAuth 2.0 introduces the
authorization server as a distinguished entity with the following endpoints:
– Authorization endpoint: entitle 3rd-party clients, resource owner-facing
– Token endpoint: acquire access tokens (initial, refresh), relying party-facing
▶ OpenID Connect extends the OAuth authorization server abstraction by adding:
– UserInfo endpoint: query identity data, relying party-facing
– CheckID endpoint: query and validate ID token objects, relying party-facing
– Refresh session endpoint: refresh ID token objects, relying party-facing
– End session endpoint: terminate sessions at IdPs, relying party-facing
▶ By extension (further token types, use cases, explicit system interfaces and
network protocol), it may evolve towards a security infrastructure service:
– It supports the underlying use cases (delegation use case in access
management, federation use case in identity management)
– But is not limited to them and presents a security infrastructure service nucleus
– Kantara UMA is already going this direction
▶ The specifications are developed by the IETF oauth working group:
– The OAuth 2.0 Authorization Framework (Draft 2012)
▶ Familiar to: WS-Trust STS
32. Security Token –
JSON Web Token - JWT
▶ JWT defines self-contained security tokens for space-constrained environments:
– Uses JSON data structures (RFC 4627) to represent identity-related information
about a subject for transfer from an asserting to a relying party.
– Embody (name, value)-pairs – called claims - to express identity-related data:
• Claim names:
o Define some reserved claim names e.g. exp (expiration time)
o Support IANA-registered public claim names
o Allow private claim names
• Claim values: JSON-defined data types esp. literal (string, number, Boolean)
or complex (object, array) types
– JWT may be signed (JSON Web Signature) and/or encrypted (JSON Web
Encryption)
– JWT supports the bearer model but does not yet support PoP
▶ The specification is currently provided as individual submission to the IETF jose
working group:
– JSON Web Token (JWT) (Draft 2012)
▶ Familiar to: SAML Assertion
33. Meta-Information Syntax –
Level of Assurance - LoA
▶ Level of assurance specifications allow asserting parties to express how
authentication and identity creation was done:
– They establish mutually understood levels along with applicable criteria:
• LoA-1: Little or no confidence in the asserted identity e.g. self-asserted
identity from OpenID IdP
• LoA-2: Some confidence in the asserted identity e.g. third-party asserted
identity from SAML IdP (bearer token, single factor initial authentication)
• LoA-3: High confidence in the asserted identity e.g. third-party asserted
identity from SAML IdP (bearer token, multi-factor initial authentication)
• LoA-4: Very high confidence in the asserted identity e.g. third-party asserted
identity from SAML IdP (PoP token, multi-factor initial authentication)
– The qualification encompasses enrolment, credential management, and entity
authentication phases
▶ Specifications are developed by NIST, ITU-T | ISO/IEC, and Kantara:
– NIST SP800-63 Electronic Authentication Guideline (2006)
– ITU-T X.1254 | ISO/IEC 29115 – Entity authentication assurance framework
(Draft 2012)
– Kantara Identity Assurance Framework (2010)
▶ Familiar to: -
34. Security Syntax –
JSON Web Signature - JWS
▶ JSON Web Signature defines a compact digital signature format addressing
space-constrained environments:
– Uses JSON data structures to represent signed data of arbitrary type along
with validation meta-data
– Per JWS object, a single data object can be signed
– Supports the enveloping of signed data (JWS object wraps signed data) but
does not yet support enveloped and detached signed data
– Allows validation keys to be supplied by reference (JSON Web Key URL, X.509
certificate path URL, identifier, thumbprint) or by value (JSON Web Key
object, X.509 certificate path)
– Supports symmetric as well as asymmetric checksums e.g.
• HMAC-SHA256
• RSA-SHA256
• ECDSA-SHA-256 (NIST P-256)
▶ The specification is developed by the IETF jose working group:
– JSON Web Signature (JWS) (Draft 2012)
▶ Familiar to: XML Signature, PKCS#7/CMS
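As an added example covering both the JWT claims set of slide 32 and the JWS format of slide 34 (not code from the slides or the jose drafts): a claims set enveloped in a JWS compact serialization with HMAC-SHA256, and the relying party's verification of signature, exp, nbf and iss. The shared key and the claims are constructed.

```python
"""JWT claims enveloped in a JWS compact serialization (HS256) with verification."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS uses for all three segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(claims: dict, key: bytes) -> str:
    """Asserting party: header.payload.signature, the JWS wrapping the claims."""
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [b64url(json.dumps(header, separators=(",", ":")).encode()),
                b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url(signature)])


def jws_verify(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Relying party: pin the expected algorithm before touching the signature
    (the header's alg is untrusted input until the signature checks out),
    compare in constant time, then evaluate the reserved exp/nbf claims and iss."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS compact serialization")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    return claims
```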
35. Security Syntax –
JSON Web Key - JWK
▶ JSON Web Key defines a compact public key representation format addressing
space-constrained environments:
– Uses JSON data structures to represent public keys (in plain form, not in form
of public key certificates)
▶ The specification is developed by the IETF jose working group:
– JSON Web Key (JWK) (Draft 2012)
▶ Familiar to: XML Signature (ds:KeyInfo portion)
36. Security Syntax –
JSON Web Encryption - JWE
▶ JSON Web Encryption defines a compact encryption format addressing space-
constrained environments:
– Uses JSON data structures to represent encrypted data of arbitrary type along
with decryption meta-data
– Allows decryption keys to be supplied by reference (JSON Web Key URL, X.509
certificate path URL, identifier, thumbprint) or by value (JSON Web Key object,
X.509 certificate path)
– Encrypts payload through an indirection (content/key encryption)
– Can also integrate HMAC-based message authentication (first-encrypt-then-
sign)
▶ The specification is developed by the IETF jose working group:
– JSON Web Encryption (JWE) (Draft 2012)
▶ Familiar to: XML Encryption, PKCS#7/CMS
37. Security Syntax –
JSON Web Algorithms - JWA
▶ JSON Web Algorithm defines descriptors for cryptographic algorithms
– For use with JSON Web Encryption and Signature
▶ The specification is developed by the IETF jose working group:
– JSON Web Algorithms (JWA) (Draft 2012)
▶ Familiar to: n.a. (handled inline by XML and ASN.1-based security syntax
specifications)