Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (18)
Similar to State of Authenticating RESTful APIs
Similar to State of Authenticating RESTful APIs (20)
Recently uploaded
Recently uploaded (20)
State of Authenticating RESTful APIs
- 1. The State of Authenticating RESTful APIs @rob_winch
- 6. “ Come on Bender. It's up to you to make your own decisions in life. That's what's separates people and robots from animals .. and animal robots! Fry Futurama
- 7. RFC-7231 Sensitive Information 7 “ Authors of services ought to avoid GET-based forms for the submission of sensitive data … - RFC-7231: Section 9.4
- 11. Transport Layer Security (TLS) • Confidentiality • Integrity
- 16. TLS Performance • Computational overhead • Latency overhead • Cache
- 17. Adam Langley, Google “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. https://goo.gl/IYJrqv
- 18. Doug Beaver, Facebook “We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware. https://goo.gl/pf8Xwh
- 19. Jacob Hoffman-Andrews, Twitter “HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage. https://goo.gl/Re0ijb
- 20. TLS Optimize • TLS Resumption • Latency • Online Certificate Status Protocol (OCSP) • Cloudflare 2 0
- 21. Optimizing TLS Is TLS Fast Yet.com 21
- 22. HTTP Basic over HTTPS? oclHashcat Hash Type Speed MD5 115.840 Bh/s SHA1 37.336 Bh/s SHA256 14.416 Bh/s SHA512 4.976 Bh/s Ubuntu 14.04, 64 bit ForceWare 346.29 8x NVidia Titan X
- 24. Encrypting the Session 24 Base64(IV, aes_cbc(k,IV,plainText)) • k – a secret key only known to server • aes_cbc – encrypts the plainText using AES/CBC with the provided IV • plainText – format of username=winch&name=Rob+Winch
- 25. Your handwriting is atrocious, not encrypted
- 26. Introduce Session username=winch&name=Rob+Winch username=admin&name=Rob+Winch Can change properly encrypted value below: To have the following Plaintext https://goo.gl/2Uio0W
- 27. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxM jM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4 iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZg eFONFh7HgQ JWT Encoded Header { "alg": "HS256", "typ": "JWT” } Payload { "sub": "1234567890", "name": "John Doe", "admin": true }
- 28. HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “secret” ) JWT Signature
- 29. 2:03 PM - 27 Jul 2015 https://goo.gl/Hs383Z
- 30. 10:54 AM - 28 May 2015 https://goo.gl/ZbP9Yp
- 31. eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM 0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iO nRydWV9. JWT Encoded Header { "alg": "none", "typ": "JWT” } Payload { "sub": "1234567890", "name": "John Doe", "admin": true }
- 32. eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM 0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iO nRydWV9. EkN- DOsnsuRjRO6BxXemmJDm3HbxrbRzXglbN2S… JWT Encoded Header { "alg": "RS256", "typ": "JWT” } Payload { "sub": "1234567890", "name": "John Doe", "admin": true }
- 33. RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), Private RSA Key ) Creating RSASHA256
- 34. RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), provided signature, Public RSA Key ) Verifying RSASHA256
- 35. Header { "alg": "HS256", "typ": "JWT” } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), RSA Public Key ) JWT Signature
- 37. “… each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. - Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures http://goo.gl/MzVy0V Roy Fielding
- 38. Representational STATE transfer “… session state can be transferred by the server to another service such as a database to maintain a persistent state for a period and allow authentication - Wikipedia http://goo.gl/bd33t7
- 40. Summary • Do NOT place sensitive information in URL • Use HTTPS everywhere • Use “cached” credentials • Security prefers State @rob_winch Presentation Available at https://goo.gl/QTfCCW
Editor's Notes
- Open command prompt for hashcat & type hc -a 0 -m 1420 passwords-A0.M1420.hash hashkiller-dict.txt Who here is using REST? Who here is looking for ideas on how to best perform Authentication? Who here already knows all the answers and wants to give this talk for me?
- First I certainly don’t have all the answers. But as a person interested in security, I will be telling you what you need to hear not what you want to hear. I am fairly certain some of the things I say in this talk will be difficult to swallow at first. So if I say something that gives you the urge to throw me off the stage, I want you to try and put things in perspective. I want you to take a step back and think for yourself. Don’t blindly trust your pre conceived notions. Don’t blindly trust anyone…except me https://www.flickr.com/photos/jurvetson/1118807/ 4 minutes
- Describes the who, Username/password, secure (secure random generated it, plenty of entropy, rotate password regularly), passwords are great right?, but best way we have, can layer additional layers multi factor Describes session, secure random generated, long, finite lifetime Web App good to use cookie – defense in depth Outside of the browser
- Other than the password being too difficult to guess, can anyone tell me what is wrong with this? Sensitive information should not be included in a URL…even over SSL Leaked in browser history, referrer URL What about other sensitive information? Put it into perspective Reminds me of… Does anyone watch (or use to watch) Futurama? Fry – If someone programmed you to jump off a bridge, would you do it? Bender – I’ll have to check my program. Yep!
- Other than the password being too difficult to guess, can anyone tell me what is wrong with this? Sensitive information should not be included in a URL…even over SSL Leaked in browser history, referrer URL What about other sensitive information? Put it into perspective Reminds me of… Does anyone watch (or use to watch) Futurama? Fry – If someone programmed you to jump off a bridge, would you do it? Bender – I’ll have to check my program. Yep!
- Think for yourself You are thinking great, this guy is telling me to take advice from a one of the “brightest” cartoon characters on TV.
- because that data will be placed in the request-target. Many existing servers, proxies, and user agents log or display the request-target in places where it might be visible to third parties. Such services ought to use POST-based form submission instead. Browser Cache, Proxies, Server Logs http://tools.ietf.org/html/rfc7231#section-9.4 9min
- Password not transmitted, nonce means header never repeated (replay attacks) MD5 broken, Certifications (FIPS), prevents proper password storage, MitM attacks +4 min = 13min
- Confidentiality, Integrity JavaScript need SSL? CSS need SSL? Images need SSL? Static HTML pages? CDN, router MiTM (using CSRF) Comcast injects ads +10 = 23 min
- Heartbleed - http://heartbleed.com/ Gotofail – fail was not in a conditional statement, https://www.imperialviolet.org/2014/02/22/applebug.html CRIME (Compression Ratio Info-leak Made Easy) http://en.wikipedia.org/wiki/CRIME BEAST - Browser Exploit Against SSL/TLS POODLE (Padding oracle on downloaded legacy encryption; SSL3)- http://en.wikipedia.org/wiki/POODLE
- People say its too expensive or difficult to manage keys
- https://istlsfastyet.com/ https://www.youtube.com/watch?v=0EB7zh_7UE4 Asymmetric O(1 ms) / handshake Symmetric – easily saturate your NIC (so crypto not bottleneck) 100mbps+ per core w/ sha256 and 1024 byte blocks Find out: $ openssl speed sha $openssl speed ecdh
- https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
- http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0251.html
- https://blog.twitter.com/2013/forward-secrecy-at-twitter-0
- TLS Resumption eliminates asymmetric crypto by reusing params, no handshake so 1 – RTT (Round Trip Time) connection Session identifiers (server side state, session tickets) Latency Use a CDN (terminate closer to the client) TLS False Start OCSP – DNS lookup, TCP connect, wait for server response, OCSP stapling (include OCSP response and includes w/ certificate, signed by CA so can trust) Cloudflare can add one click SSL, new Keyless SSL
- +7min = 30 min
- Plaintext, MD5, SHA, Salt Hashcat sample (25M+ passwords) - Actually quite slow….(show numbers) Ocl (Open Computing Language – library for parallel computing of modern processors) Crypto Hash (fast & intended for IP-sec…packet by packet basis) vs Password Hash (slow) Adaptive One way function – PBKDF2 (NIST), scrypt, bcrypt; intended to be slow (tune to be .5 seconds), remember hackers use GPUs, limit with Scrypt but that takes lots of RAM (>= 16MB / password verify) Ashley Madison 36M passwords …..4K cracked using 10K top passwords Would take 116,958 years to crack all of them. 156 hashes per second +13 m = 43 min
- State is bad! Let’s embed information in a token Encryption not authentication Replay attacks How revoke access if compromised?
- State is bad! Let’s embed information in a token + 3min = 46 min
- HS256 means using HMAC-SHA256, but… None RSA vs HMAC When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for decrypting messages. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- HS256 means using HMAC-SHA256, but… None RSA vs HMAC When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for decrypting messages. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- SqureEng Cyber Security JOSE – JavaScript Object Signing and Encryption JWT – JSON Web Token JWE – JSON Web Encryption JWS – JSON Web Signature
- Founder of Matasano Security
- HS256 means using HMAC-SHA256, but… None RSA vs HMAC When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for decrypting messages. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- HS256 means using HMAC-SHA256, but… None RSA vs HMAC When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for decrypting messages. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- HS256 means using HMAC-SHA256, but… None RSA vs HMAC When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for decrypting messages. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- HS256 means using HMAC-SHA256, but… None RSA vs HMAC When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for decrypting messages. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
- + 9 min = 55 min
- It won’t scale! HTTP is a stateless protocol layered on top of TCP IP is a stateless protocol that uses Border Gateway Protocol (PGP)
- http://en.wikipedia.org/wiki/Representational_state_transfer#Stateless Consider… Person Needs to be stored Place it in a DataStore Doesn’t Perform….cache Too large, lots of writes, etc doesn’t perform think for yourself
- Why do sessions have a checkered past?