The many benefits of a RESTful architecture have made it the standard way to design web-based APIs. For example, the principles of REST state that we should leverage standard HTTP verbs to help keep our APIs simple. Server components that are considered RESTful should be stateless, which helps ensure that they can easily scale.
However, the best practices of REST and security often seem to clash. How should sensitive information be transmitted in RESTful APIs? How should a user be authenticated in a stateless application? How is it possible to design an API so it is both secure and RESTful? Securing RESTful endpoints is further complicated by the fact that security best practices evolve so rapidly.
In this talk Rob will explore various ways to perform authentication in RESTful APIs. Along the way we will clear up misconceptions, explore common pitfalls, and discover new insights into authentication.
6. “Come on Bender. It's up to you to make your own decisions in life. That's what separates people and robots from animals ... and animal robots!”
- Fry, Futurama
7. RFC-7231 Sensitive Information
“Authors of services ought to avoid GET-based forms for the submission of sensitive data …”
- RFC-7231: Section 9.4
17. Adam Langley, Google
“On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead.”
https://goo.gl/IYJrqv
18. Doug Beaver, Facebook
“We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware.”
https://goo.gl/pf8Xwh
19. Jacob Hoffman-Andrews, Twitter
“HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage.”
https://goo.gl/Re0ijb
37. “… each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server.”
- Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures
http://goo.gl/MzVy0V
38. Representational STATE transfer
“… session state can be transferred by the server to another service such as a database to maintain a persistent state for a period and allow authentication”
- Wikipedia
http://goo.gl/bd33t7
40. Summary
• Do NOT place sensitive information in URL
• Use HTTPS everywhere
• Use “cached” credentials
• Security prefers State
@rob_winch
Presentation Available at
https://goo.gl/QTfCCW
Editor's Notes
Open command prompt for hashcat & type
hc -a 0 -m 1420 passwords-A0.M1420.hash hashkiller-dict.txt
Who here is using REST? Who here is looking for ideas on how to best perform Authentication? Who here already knows all the answers and wants to give this talk for me?
First I certainly don’t have all the answers.
But as a person interested in security, I will be telling you what you need to hear not what you want to hear. I am fairly certain some of the things I say in this talk will be difficult to swallow at first.
So if I say something that gives you the urge to throw me off the stage, I want you to try and put things in perspective. I want you to take a step back and think for yourself. Don’t blindly trust your preconceived notions. Don’t blindly trust anyone…except me
https://www.flickr.com/photos/jurvetson/1118807/
4 minutes
Describes the who, Username/password, secure (secure random generated it, plenty of entropy, rotate password regularly), passwords are great right?, but best way we have, can layer additional layers multi factor
Describes session, secure random generated, long, finite lifetime
Web App good to use cookie – defense in depth
Outside of the browser
Other than the password being too difficult to guess, can anyone tell me what is wrong with this?
Sensitive information should not be included in a URL…even over SSL
Leaked in browser history, referrer URL
What about other sensitive information?
Put it into perspective
Reminds me of…
Does anyone watch (or used to watch) Futurama?
Fry – If someone programmed you to jump off a bridge, would you do it?
Bender – I’ll have to check my program. Yep!
Think for yourself
You are thinking, great, this guy is telling me to take advice from one of the “brightest” cartoon characters on TV.
because that data will be placed in the request-target. Many existing servers, proxies, and user agents log or display the request-target in places where it might be visible to third parties. Such services ought to use POST-based form submission instead.
Browser Cache, Proxies, Server Logs
http://tools.ietf.org/html/rfc7231#section-9.4
9min
Password not transmitted, nonce means header never repeated (replay attacks)
MD5 broken, Certifications (FIPS), prevents proper password storage, MitM attacks
+4 min = 13min
Confidentiality, Integrity
JavaScript need SSL?
CSS need SSL?
Images need SSL?
Static HTML pages?
CDN, router MiTM (using CSRF)
Comcast injects ads
+10 = 23 min
Heartbleed - http://heartbleed.com/
Gotofail – fail was not in a conditional statement, https://www.imperialviolet.org/2014/02/22/applebug.html
CRIME (Compression Ratio Info-leak Made Easy) http://en.wikipedia.org/wiki/CRIME
BEAST - Browser Exploit Against SSL/TLS
POODLE (Padding oracle on downloaded legacy encryption; SSL3)- http://en.wikipedia.org/wiki/POODLE
People say it's too expensive or difficult to manage keys
https://istlsfastyet.com/
https://www.youtube.com/watch?v=0EB7zh_7UE4
Asymmetric O(1 ms) / handshake
Symmetric – easily saturate your NIC (so crypto not bottleneck) 100mbps+ per core w/ sha256 and 1024 byte blocks
Find out:
$ openssl speed sha
$ openssl speed ecdh
TLS Resumption
eliminates asymmetric crypto by reusing params, no handshake so 1 – RTT (Round Trip Time) connection
Session identifiers (server side state, session tickets)
Latency
Use a CDN (terminate closer to the client)
TLS False Start
OCSP – DNS lookup, TCP connect, wait for server response, OCSP stapling (include OCSP response and includes w/ certificate, signed by CA so can trust)
Cloudflare can add one click SSL, new Keyless SSL
+7min = 30 min
Plaintext, MD5, SHA, Salt
Hashcat sample (25M+ passwords) - Actually quite slow….(show numbers)
Ocl (Open Computing Language – library for parallel computing of modern processors)
Crypto Hash (fast & intended for IP-sec…packet by packet basis) vs Password Hash (slow)
Adaptive One way function – PBKDF2 (NIST), scrypt, bcrypt; intended to be slow (tune to be .5 seconds), remember hackers use GPUs, limit with Scrypt but that takes lots of RAM (>= 16MB / password verify)
Ashley Madison 36M passwords …..4K cracked using 10K top passwords Would take 116,958 years to crack all of them. 156 hashes per second
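The fast-hash versus password-hash point in these notes, as an added example that is not part of the original deck: salted scrypt storage and verification using Python's standard `hashlib.scrypt`. The record format, the function names and the cost parameters are assumptions chosen for illustration; N=2**14 with r=8 corresponds to the 16 MiB per verification mentioned in the notes.

```python
import hashlib
import hmac
import os
import time

# Assumed cost parameters: memory per verification is 128 * N * r = 16 MiB.
# In production N is raised until one verification takes the target time.
N, R, P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024  # ceiling handed to OpenSSL, above the 16 MiB needed

def _scrypt(password, salt, n, r, p, dklen=32):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=dklen)

def hash_password(password, salt=None):
    """Return a self-describing record: scheme$N$r$p$salt$hash (hypothetical format)."""
    salt = salt if salt is not None else os.urandom(16)  # unique salt per user
    digest = _scrypt(password, salt, N, R, P)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), digest.hex()])

def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = _scrypt(password, bytes.fromhex(salt_hex),
                         int(n), int(r), int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed record or parameters scrypt rejects
    return hmac.compare_digest(actual, expected)

def _seconds_per_guess(fn, rounds):
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds

def slowdown_vs_sha256(password="constructed-sample-password"):
    """How many times more expensive one scrypt guess is than one salted SHA-256 guess."""
    salt = os.urandom(16)
    data = salt + password.encode("utf-8")
    fast = _seconds_per_guess(lambda: hashlib.sha256(data).digest(), 2000)
    slow = _seconds_per_guess(lambda: _scrypt(password, salt, N, R, P), 3)
    return slow / fast

if __name__ == "__main__":
    record = hash_password("constructed-sample-password")
    print(record)
    print("verifies:", verify_password("constructed-sample-password", record))
    print("scrypt is ~%.0fx slower per guess than SHA-256" % slowdown_vs_sha256())
```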
+13 m = 43 min
State is bad!
Let’s embed information in a token
Encryption not authentication
Replay attacks
How revoke access if compromised?
+ 3min = 46 min
HS256 means using HMAC-SHA256, but…
None
RSA vs HMAC
When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for decrypting messages.
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
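The "None" note above, as an added example that is not part of the original deck: a compact-JWS verifier built only on the Python standard library that fixes the algorithm on the verifier side instead of trusting the token's `alg` header. Binding the verifier to one algorithm and one key type is also what keeps an RSA public key from being used as an HMAC secret. All function names and the sample key are hypothetical.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def unsigned_token(claims: dict) -> str:
    # Constructed test input: a token whose header declares "alg": "none"
    # and carries an empty signature segment.
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims, or raise ValueError. The verifier chooses the algorithm."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # The header is only checked against the one algorithm this verifier
    # supports; it is never used to pick a verification routine.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def check(token: str, key: bytes) -> str:
    try:
        verify_hs256(token, key)
        return "accepted"
    except ValueError as exc:
        return "rejected: %s" % exc

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample, not a real secret
    print(check(sign_hs256({"sub": "alice"}, demo_key), demo_key))
    print(check(unsigned_token({"sub": "admin"}), demo_key))
```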
SqureEng Cyber Security
JOSE – JavaScript Object Signing and Encryption
JWT – JSON Web Token
JWE – JSON Web Encryption
JWS – JSON Web Signature
Founder of Matasano Security
+ 9 min = 55 min
It won’t scale!
HTTP is a stateless protocol layered on top of TCP
IP is a stateless protocol that uses Border Gateway Protocol (BGP)
http://en.wikipedia.org/wiki/Representational_state_transfer#Stateless
Consider…
Person Needs to be stored
Place it in a DataStore
Doesn’t Perform….cache
Too large, lots of writes, etc doesn’t perform
think for yourself