© 2017 Brian Campbell 1
Beyond Bearer
Token Binding as the Foundation for a More Secure Web
BRIAN CAMPBELL
@__b_c
Formalities, Introductions, Safe Harbor, etc.
• Working for Ping Identity since 2004 (The Identity Security Company hailing from CO)
  – Product Development & Standards
• Pretending to have a different/parallel career since '11
  – Presentation MAY contain gratuitous photos
• This presentation may contain forward-looking statements and no investment or purchasing decisions should be made based solely on the content herein
  – Except to hire a photographer for an obscene amount of money
"L'Arroseur arrosé" by David Brossard
© 2017 Brian Campbell 3
Bearer Token
• A security token with the property that any
party in possession of that token (i.e. the
"bearer") can use the token to access the
associated resources
• No other proof beyond just having it is needed
The Problem With Bearer Tokens
One truth and a lie
Mmmm, Cookies
The archetypal bearer token
Defenses:
• HTTPS
• HttpOnly
• secure
• HSTS
• CSP
Attacks:
• XSS exfiltration
• Firesheep
• sslstrip
• Subdomain takeovers
Single Page Apps
(everyone is doing it)
It's like déjà vu all over again with XSS and local storage
Token Binding
• Enables a long-lived binding of cookies or other security tokens to a client-generated public-private key pair
Threat Landscape is Vast and Complex
The Core Token Binding Specifications
Hello! Do you like my extension?
Do you even bind tokens, bro?
TLS Handshake (Client ↔ Server):
Client → Server: ClientHello
  ...
  token_binding [24]
    token_binding_version [1,0]
    key_parameters_list [2,0]
Server → Client: ServerHello
  ...
  token_binding [24]
    token_binding_version [1,0]
    key_parameters_list [2]
Key Parameters (the client lists what it supports, the server answers with exactly one of them):
  (0) rsa2048_pkcs1.5
  (1) rsa2048_pss
  (2) ecdsap256
Also needed, or Token Binding is not negotiated at all: the extensions
  Extended Master Secret
  Renegotiation Indication
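The handshake above, worked through as an added example (not code from the talk, nor from any of the implementations listed later in the deck): it encodes and decodes the body of the token_binding extension (2-byte version, then a 1-byte-length-prefixed list of 1-byte key parameter identifiers; extension type 24) and runs both the server's choice and the client's acceptance check. The negotiation policy, taking the first entry in the client's preference-ordered list that the server also supports and refusing to negotiate unless Extended Master Secret and Renegotiation Indication were negotiated too, is this example's reading of the TLS 1.2-era exchange on the slide; the function names are made up.

```python
# Added example: encode, decode and negotiate the TLS token_binding extension
# (extension type 24). Not code from the talk; the wire layout follows the
# Token Binding TLS extension draft (later RFC 8472). The negotiation policy
# (first client-preferred parameter the server supports) is this example's.
TOKEN_BINDING_EXTENSION_TYPE = 24

RSA2048_PKCS1_5, RSA2048_PSS, ECDSAP256 = 0, 1, 2
KEY_PARAMETER_NAMES = {
    RSA2048_PKCS1_5: "rsa2048_pkcs1.5",
    RSA2048_PSS: "rsa2048_pss",
    ECDSAP256: "ecdsap256",
}


def encode_params(version, key_parameters):
    """TokenBindingParameters: major, minor, list length, then one byte per parameter."""
    major, minor = version
    if not 1 <= len(key_parameters) <= 255:
        raise ValueError("key_parameters_list must contain 1..255 entries")
    return bytes([major, minor, len(key_parameters)]) + bytes(key_parameters)


def decode_params(data):
    """Inverse of encode_params; rejects a list length that disagrees with the data."""
    if len(data) < 4:
        raise ValueError("token_binding extension data too short")
    major, minor, count = data[0], data[1], data[2]
    if count == 0 or len(data) != 3 + count:
        raise ValueError("key_parameters_list length does not match extension length")
    # Unknown identifiers are kept rather than rejected: a peer may offer
    # parameters defined later, and they simply never get selected.
    return (major, minor), list(data[3:])


def server_negotiate(client_ext, server_supported, server_version=(1, 0),
                     extended_master_secret=True, renegotiation_indication=True):
    """Server side: returns the ServerHello extension data, or None to not negotiate.

    The EKM that every binding signature covers must be tied to the whole
    connection, so the handshake also has to carry Extended Master Secret
    (RFC 7627) and Renegotiation Indication (RFC 5746); without both, stay silent.
    """
    if not (extended_master_secret and renegotiation_indication):
        return None
    client_version, client_params = decode_params(client_ext)
    # Both sides end up on the lower of the two versions (this example's policy).
    version = min(client_version, server_version)
    for param in client_params:  # the client's list is in descending preference order
        if param in server_supported:
            return encode_params(version, [param])
    return None  # no common key parameters: behave as if the extension were absent


def client_accepts(offered_ext, server_ext):
    """Client side: the server must echo exactly one offered parameter and a version no higher than ours."""
    offered_version, offered_params = decode_params(offered_ext)
    server_version, server_params = decode_params(server_ext)
    return bool(len(server_params) == 1 and server_params[0] in offered_params
                and server_version <= offered_version)


def describe(ext):
    """Render extension data the way the slide does."""
    version, params = decode_params(ext)
    names = [KEY_PARAMETER_NAMES.get(p, "unknown(%d)" % p) for p in params]
    return "token_binding [%d] version %d.%d key_parameters_list %s" % (
        TOKEN_BINDING_EXTENSION_TYPE, version[0], version[1], names)


if __name__ == "__main__":
    # The exchange from the slide: the client offers ecdsap256 then rsa2048_pkcs1.5,
    # the server supports both and picks the client's first preference.
    client_hello_ext = encode_params((1, 0), [ECDSAP256, RSA2048_PKCS1_5])
    print("ClientHello:", client_hello_ext.hex(), describe(client_hello_ext))
    server_hello_ext = server_negotiate(client_hello_ext, {RSA2048_PKCS1_5, ECDSAP256})
    print("ServerHello:", server_hello_ext.hex(), describe(server_hello_ext))
    print("client accepts:", client_accepts(client_hello_ext, server_hello_ext))
```

The slide's ClientHello body is the five bytes 01 00 02 02 00 and the ServerHello answer 01 00 01 02; a server that only does RSA would answer 01 00 01 00, and one with no overlap, or one on a connection without the two companion extensions, sends nothing, which the client must treat as "not negotiated" rather than as an error.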
Token Binding over HTTPS
HTTP Request, Client → Server (on the TLS connection negotiated above):
GET /stuff HTTP/1.1
Host: example.com
Sec-Token-Binding: AIkAAgBBQLgtRpWFPN66kxhxGrtaKrzcMtHw7HV8yMk_-MdRXJXbDMYxZCWnCASRRrmHHHL5wmpP3bhYt0ChRDbsMapfh_QAQN1He3Ftj4Wa_S_fzZVns4saLfj6aBoMSQW6rLs19IIvHze7LrGjKyCfPTKXjajebxp-TLPFZCc0JTqTY5_0MBAAAA
• Encoded Token Binding Message
  – (1 or more) Token Bindings
    • Type (provided / referred)
    • Token Binding ID (key type and public key)
    • Signature over type, key type, and EKM (TLS Exported Keying Material)
    • Extensions
• Proves possession of the private key on the TLS connection
• Keys are long-lived and span TLS connections
Binding Cookies
• The most straightforward application binds a cookie to the Token Binding key
• Server stores the provided Token Binding ID with the cookie when it issues it and, on every subsequent use, rejects the cookie unless it arrives with that same ID
• Augments existing authentication and session mechanisms
• Transparent to users
• Deployment can be phased in
Okay, Just Take It Easy, Privacy Advocates
• Token Binding is not a supercookie or new big-brother tracking mechanism
• Client generates a unique key pair per effective top-level domain + 1 (eTLD+1)
  – E.g., example.com, www.example.com, and etc.example.com share a binding but not example.org or example.co.uk
• Same scoping rules and privacy implications as cookies
What about Cross-Domain Single Sign-on?
There's an HTTP response header for that! It tells the browser that it should reveal the Token Binding ID used between itself and the RP (referred) in addition to the one used between itself and the IDP (provided).
Relying Party (RP) → Browser:
HTTP/1.1 302 Found
Location: https://idp.example.com
Include-Referred-Token-Binding-ID: true
Browser → Identity Provider (IDP):
GET / HTTP/1.1
Host: idp.example.com
Sec-Token-Binding: ARIAAgBBQB-XOPf5ePlf7ikATiAFEGOS503lPmRfkyymzdWwHCxl0njjxC3D0E_OVfBNqrIQxzIfkF7tWby2ZfyaE6XpwTsAQBYqhFX78vMOgDX_Fd_b2dlHyHlMmkIz8iMVBY_reM98OUaJFz5IB7PG9nZ11j58LoG5QhmQoI9NXYktKZRXxrYAAAECAEFAdUFTnfQADkn1uDbQnvJEk6oQs38L92gv-KO-qlYadLoDIKe2h53hSiKwIP98iRj_unedkNkAMyg9e2mY4Gp7WwBAeDUOwaSXNz1e6gKohwN4SAZ5eNyx45Mh8VI4woL1BipLoqrJRoK6dxFkWgHRMuBROcLGUj5PiOoxybQH_Tom3gAA
Two bindings at the same time: the provided one (browser ↔ IDP key) and the referred one (browser ↔ RP key)
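An added example, not code from the talk or from any of the implementations listed later: a parser for the Sec-Token-Binding header as described on the "Token Binding over HTTPS" slide, applied to the header values printed on that slide and on this one, plus the check from the "Binding Cookies" slide. The session store, cookie value and function names are made up; the message layout is the TokenBindingMessage structure of the Token Binding protocol draft (later RFC 8471). Signature verification is deliberately left out, because the EKM each signature covers is only available to the TLS stack that terminated the connection, so that check has to live there.

```python
# Added example, not code from the talk: parse a Sec-Token-Binding header value and
# bind a session cookie to the provided Token Binding ID. The message layout follows
# the Token Binding protocol draft (later RFC 8471); the two header values below are
# the ones printed on the slides, while the session store and cookie value are made up.
import base64
import hmac

TYPE_NAMES = {0: "provided", 1: "referred"}
KEY_PARAMETER_NAMES = {0: "rsa2048_pkcs1.5", 1: "rsa2048_pss", 2: "ecdsap256"}


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class _Reader:
    """Bounds-checked cursor over the decoded message."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated TokenBindingMessage")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def u16(self):
        return int.from_bytes(self.take(2), "big")


def parse_token_binding_message(header_value):
    """Return the TokenBinding structures in a Sec-Token-Binding value.

    TokenBindingMessage = uint16 length, then one or more TokenBinding:
      tokenbinding_type  1 byte (0 = provided, 1 = referred)
      TokenBindingID     key_parameters (1 byte), uint16 key_length, key bytes
      signature          uint16 length + bytes, over type || key_parameters || EKM
      extensions         uint16 length + bytes
    Signatures are not verified here: the 32-byte EKM they cover (TLS exporter,
    label "EXPORTER-Token-Binding") exists only inside the TLS stack that
    terminated the connection, so that check belongs there.
    """
    r = _Reader(b64url_decode(header_value))
    if r.u16() != len(r.data) - 2:
        raise ValueError("TokenBindingMessage length does not match the payload")
    bindings = []
    while r.pos < len(r.data):
        tb_type = r.take(1)[0]
        if tb_type not in TYPE_NAMES:
            raise ValueError("unknown tokenbinding_type %d" % tb_type)
        id_start = r.pos
        key_params = r.take(1)[0]
        key = r.take(r.u16())
        if key_params == 2 and (len(key) != 65 or key[0] != 64):
            raise ValueError("ecdsap256 key must be a 1-byte length plus a 64-byte X||Y point")
        token_binding_id = r.data[id_start:r.pos]  # key_parameters || key_length || key
        signature = r.take(r.u16())
        if key_params == 2 and len(signature) != 64:
            raise ValueError("ecdsap256 signature must be R || S, 64 bytes")
        extensions = r.take(r.u16())
        bindings.append({"type": TYPE_NAMES[tb_type], "token_binding_id": token_binding_id,
                         "key_parameters": KEY_PARAMETER_NAMES.get(key_params, "unknown(%d)" % key_params),
                         "signature": signature, "extensions": extensions})
    if len({b["type"] for b in bindings}) != len(bindings):
        raise ValueError("at most one provided and one referred binding are allowed")
    return bindings


def bind_session(sessions, cookie_value, bindings):
    """On login: remember which provided Token Binding ID the session cookie belongs to."""
    provided = [b for b in bindings if b["type"] == "provided"]
    if not provided:
        raise ValueError("cannot bind a cookie without a provided Token Binding")
    sessions[cookie_value] = provided[0]["token_binding_id"]


def session_is_bound(sessions, cookie_value, bindings):
    """On later requests: the cookie only counts if it arrives with the same provided ID."""
    expected = sessions.get(cookie_value)
    provided = [b for b in bindings if b["type"] == "provided"]
    return bool(expected and provided
                and hmac.compare_digest(expected, provided[0]["token_binding_id"]))


# Header values from the slides (line breaks removed).
SEC_TOKEN_BINDING = (
    "AIkAAgBBQLgtRpWFPN66kxhxGrtaKrzcMtHw7HV8yMk_-MdRXJXbDMYxZCWnCASRRrmHHHL5wmpP3bhYt0ChRDbsMapfh_QAQ"
    "N1He3Ftj4Wa_S_fzZVns4saLfj6aBoMSQW6rLs19IIvHze7LrGjKyCfPTKXjajebxp-TLPFZCc0JTqTY5_0MBAAAA")
SEC_TOKEN_BINDING_SSO = (
    "ARIAAgBBQB-XOPf5ePlf7ikATiAFEGOS503lPmRfkyymzdWwHCxl0njjxC3D0E_OVfBNqrIQxzIfkF7tWby2Zfya"
    "E6XpwTsAQBYqhFX78vMOgDX_Fd_b2dlHyHlMmkIz8iMVBY_reM98OUaJFz5IB7PG9nZ11j58LoG5QhmQoI9NXYktKZRXxrYAAAECAEFAdU"
    "FTnfQADkn1uDbQnvJEk6oQs38L92gv-KO-qlYadLoDIKe2h53hSiKwIP98iRj_unedkNkAMyg9e2mY4Gp7WwBAeDUOwaSXNz1e6gKohwN4"
    "SAZ5eNyx45Mh8VI4woL1BipLoqrJRoK6dxFkWgHRMuBROcLGUj5PiOoxybQH_Tom3gAA")

if __name__ == "__main__":
    for value in (SEC_TOKEN_BINDING, SEC_TOKEN_BINDING_SSO):
        for b in parse_token_binding_message(value):
            print(b["type"], b["key_parameters"], "id:", b64url_encode(b["token_binding_id"]))
    sessions = {}
    bind_session(sessions, "sid=4f2c", parse_token_binding_message(SEC_TOKEN_BINDING))
    print("same key: ", session_is_bound(sessions, "sid=4f2c", parse_token_binding_message(SEC_TOKEN_BINDING)))
    print("other key:", session_is_bound(sessions, "sid=4f2c", parse_token_binding_message(SEC_TOKEN_BINDING_SSO)))
```

Run stand-alone it prints the type, key parameters and base64url Token Binding ID of each binding: the first header decodes to a single provided ecdsap256 binding (137-byte message, 65-byte key, 64-byte R||S signature, no extensions), the SSO header to a provided and a referred binding with two different keys, and the session check rejects the cookie when it shows up with the other message's key. The Token Binding ID that falls out of the first header is exactly what a TLS-terminating proxy forwards upstream on the reverse-proxy slide further down.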
Interlude: 'jot' or not?
A quick refresher/introduction to JWT
A JWT
eyJraWQiOiJrMSIsImFsZyI6IkVTMjU2In0.eyJpc3MiOiJodHRwczovL2lzcy5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vcnAuZXhhbXBsZS5vcmciLCJleHAiOjE1MDkzOTM3NTgsIm5iZiI6MTUwOTM5MzAzOCwic3ViIjoiYnJpYW4iLCJlbWFpbCI6ImJyaWFuLmNhbXBiZWxsQGV4YW1wbGUuY29tIiwiZ3JvdXBzIjpbImdvb2QiLCJiYWQiLCJ1Z2x5Il19.hh8DBF1GfhXrf1L2jKJiJzjIESvBYzPc6NKjCZAXaztFQDiFIP2-wfPw_JWBMulQsPJmVKKl-XA1OQWXQKgKiQ
The Header (first segment, base64url-decoded)
{"kid":"k1","alg":"ES256"}
The Payload (second segment, base64url-decoded)
{"iss":"https://iss.example.com",
"aud":"https://rp.example.org",
"exp":1509393758,
"nbf":1509393038,
"sub":"brian",
"email":"brian.campbell@example.com",
"groups":["good","bad","ugly"]}
The Signature (third segment, ES256 over header.payload)
hh8DBF1GfhXrf1L2jKJiJzjIESvBYzPc6NKjCZAXaztFQDiFIP2-wfPw_JWBMulQsPJmVKKl-XA1OQWXQKgKiQ
Token Binding for OpenID Connect
• Utilizes the Include-Referred-Token-Binding-ID header and the Referred Token Binding
• Binds the ID Token (JWT) to the Token Binding ID the browser uses between itself and the Relying Party
• Uses the token binding hash "tbh" member of the JWT confirmation claim "cnf" (tbh is the base64url-encoded SHA-256 hash of the Token Binding ID)
"Demo"
• Showing a bound:
  – ID Token SSO
  – Session Cookie
Browser
Identity Provider (IDP): https://idp.example.com
Relying Party (RP): https://rp.example.io:3000
http://httpbin.org/
Demo steps (screenshots):
1. Unauthenticated access request to RP is redirected for SSO
2. Authentication request to the IDP
3. ID Token delivered to RP
4. Authenticated access to RP
"Demo" Finished
Token Binding for OAuth Too
• Access tokens with referred Token Binding ID
• Refresh tokens with provided Token Binding ID
• Authorization codes via PKCE
  – Native app clients
  – Web server clients
• JWT Authorization Grants and Client Authentication
Reverse Proxy Deployments
Client → Reverse Proxy (TLS terminates at the proxy, which negotiates Token Binding):
GET /stuff HTTP/1.1
Host: example.com
Sec-Token-Binding: AIkAAgBBQKzyIrmcY_YctHVoSHBut69vrGfFdy1_YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKkAQEtxe4jeUJU0WezxlQXWVSBFeHxFMdXRBIH_LKOSAuSMOJ0XEw1Q8DE248qkOiRKzw3KdSNYukYEPmO21bQi3YYAAA
Reverse Proxy:
• Negotiates Token Binding on the TLS connection
• Validates the Token Binding message (it is the only party that has the EKM)
• Sanitizes headers: strips any Sec-Provided-/Sec-Referred-Token-Binding-ID the client itself sent, so a client cannot claim an arbitrary key to the origin
• Passes the encoded provided Token Binding ID to the origin as a new header (referred too, if applicable)
Reverse Proxy → Origin Server:
GET /stuff HTTP/1.1
Host: ...
Sec-Provided-Token-Binding-ID: AgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKk
Origin Server:
• Binds/verifies using the Token Binding ID from that header
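Added example (not the talk's code, nor any proxy module's) covering the origin side of this slide together with the cnf/tbh check from the OpenID Connect slide. It assumes the proxy has already parsed and validated the Sec-Token-Binding message on the TLS connection and forwards each Token Binding ID as base64url(TokenBindingID) in Sec-Provided-Token-Binding-ID / Sec-Referred-Token-Binding-ID, as the reverse-proxy draft specifies. PROVIDED_ID is the header value from this slide; OTHER_ID is a constructed, structurally valid ID with an all-zero point rather than a real key; the header dictionaries and function names are made up.

```python
# Added example (not code from the talk or from any proxy module): the origin side
# of Token Binding behind a TLS-terminating reverse proxy, plus the OpenID Connect
# cnf/tbh check. Header names follow the "HTTPS Token Binding with TLS Terminating
# Reverse Proxies" draft; PROVIDED_ID is the value from the slide, OTHER_ID is a
# constructed, structurally valid ID with an all-zero point (not a real key).
import base64
import hashlib
import hmac

PROVIDED_HEADER = "Sec-Provided-Token-Binding-ID"
REFERRED_HEADER = "Sec-Referred-Token-Binding-ID"
# Headers only the proxy may set; anything the client sends under these names is dropped.
PROXY_ONLY_HEADERS = {"sec-token-binding", PROVIDED_HEADER.lower(), REFERRED_HEADER.lower()}


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def proxy_forward_headers(client_headers, provided_id, referred_id=None):
    """Proxy side, after it has validated the Sec-Token-Binding message on the TLS connection.

    Strips any client-supplied Sec-*-Token-Binding-ID headers (otherwise a client could
    claim an arbitrary key to the origin) and adds the validated IDs it actually saw.
    """
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in PROXY_ONLY_HEADERS}
    upstream[PROVIDED_HEADER] = provided_id
    if referred_id:
        upstream[REFERRED_HEADER] = referred_id
    return upstream


def tbh(token_binding_id):
    """Token binding hash: base64url(SHA-256(TokenBindingID bytes))."""
    return b64url_encode(hashlib.sha256(b64url_decode(token_binding_id)).digest())


def idp_cnf_claim(idp_request_headers):
    """IdP side: confirm the ID Token to the key the browser uses with the RP.

    That key arrives as the *referred* binding in the browser's request to the IdP,
    sent because the RP answered with Include-Referred-Token-Binding-ID: true.
    """
    referred = idp_request_headers.get(REFERRED_HEADER)
    return {"tbh": tbh(referred)} if referred else None


def rp_accepts_id_token(claims, rp_request_headers):
    """RP side: cnf.tbh must equal the hash of the *provided* ID on the RP's own connection."""
    provided = rp_request_headers.get(PROVIDED_HEADER)
    expected = (claims.get("cnf") or {}).get("tbh")
    if not provided or not isinstance(expected, str):
        return False
    return hmac.compare_digest(tbh(provided), expected)


# From the slide: the provided ID the proxy forwards to the origin (line breaks removed).
PROVIDED_ID = ("AgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_YK"
               "TZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS7"
               "1M1RBumuihhI9xqxXKk")
# Constructed: ecdsap256 (0x02), key_length 65, point length 64, all-zero point.
OTHER_ID = b64url_encode(bytes([2, 0, 65, 64]) + bytes(64))

if __name__ == "__main__":
    # Browser -> proxy -> IdP: provided = browser<->IdP key, referred = browser<->RP key.
    idp_headers = proxy_forward_headers({"Host": "idp.example.com"}, OTHER_ID, referred_id=PROVIDED_ID)
    cnf = idp_cnf_claim(idp_headers)
    print("cnf:", cnf)
    # Browser -> proxy -> RP with the same key the RP saw before: accepted,
    # even though the client tried to smuggle in its own *-Token-Binding-ID header.
    rp_headers = proxy_forward_headers({"Host": "rp.example.io", PROVIDED_HEADER: "spoofed"}, PROVIDED_ID)
    print("accepted:", rp_accepts_id_token({"sub": "brian", "cnf": cnf}, rp_headers))
    # The same ID Token replayed over a connection that uses a different key: rejected.
    print("replayed:", rp_accepts_id_token({"sub": "brian", "cnf": cnf}, proxy_forward_headers({}, OTHER_ID)))
```

The point of the negative case is the whole thesis of the talk: an ID Token lifted from the browser is still a valid, signed JWT, but presenting it from anywhere else means presenting it over a TLS connection bound to a different key, so cnf.tbh no longer matches and the RP refuses it. The origin must also trust the two ID headers only when they come from the proxy, which is why the proxy strips them from the client's request before adding its own.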
The Landscape (some of it anyway)
• 3 IETF Token Binding specs soon to be RFCs (they were published in October 2018 as RFC 8471, RFC 8472 and RFC 8473)
• Draft support
  – Google Chrome & Microsoft Edge/IE (Chrome later removed its implementation again, in Chrome 70)
  – Global on Google servers (since Jan)
  – .NET Framework (4.6 for server side)
  – Open source
    • OpenSSL (https://github.com/google/token_bind)
    • Apache (https://github.com/zmartzone/mod_token_binding)
    • NGINX (https://github.com/google/ngx_token_binding)
    • Java (… er, yeah…)
  – Online demo at https://www.ietf.org/mail-archive/web/unbearable/current/msg01332.html
• OpenID Connect Token Bound Authentication spec is coming along
• OAuth 2.0 Token Binding spec is coming along a bit behind that
• 'HTTPS Token Binding with TLS Terminating Reverse Proxies' spec adopted
FIN

More Related Content

Similar to Token Binding as the Foundation for a More Secure Web

Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Brian Campbell
 
Secure Content Delivery Using Amazon CloudFront
Secure Content Delivery Using Amazon CloudFrontSecure Content Delivery Using Amazon CloudFront
Secure Content Delivery Using Amazon CloudFront
Amazon Web Services
 
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Canada
 
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
Peter LaFond
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
Eric Shupps
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
Amazon Web Services
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works  (very briefly) How to use HTTPSHow the SSL/TLS protocol works  (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
whj76337
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
NCCOMMS
 
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Ontico
 
Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLS
Qrator Labs
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB
 
Converting you website to https
Converting you website to httpsConverting you website to https
Converting you website to https
Peter Salerno
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Amazon Web Services
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Amazon Web Services
 
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Canada
 
MongoDB - External Authentication
MongoDB - External AuthenticationMongoDB - External Authentication
MongoDB - External Authentication
Jason Terpko
 
Secure Credential Management with CredHub - Eoghan Kelleher
Secure Credential Management with CredHub - Eoghan KelleherSecure Credential Management with CredHub - Eoghan Kelleher
Secure Credential Management with CredHub - Eoghan Kelleher
VMware Tanzu
 
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
Cisco Canada
 

Similar to Token Binding as the Foundation for a More Secure Web (20)

Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
 
Secure Content Delivery Using Amazon CloudFront
Secure Content Delivery Using Amazon CloudFrontSecure Content Delivery Using Amazon CloudFront
Secure Content Delivery Using Amazon CloudFront
 
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
Cisco Connect Toronto 2017 - Cloud and On Premises Collaboration Security Exp...
 
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works  (very briefly) How to use HTTPSHow the SSL/TLS protocol works  (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
 
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
 
Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLS
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
 
Converting you website to https
Converting you website to httpsConverting you website to https
Converting you website to https
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
 
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
 
MongoDB - External Authentication
MongoDB - External AuthenticationMongoDB - External Authentication
MongoDB - External Authentication
 
Secure Credential Management with CredHub - Eoghan Kelleher
Secure Credential Management with CredHub - Eoghan KelleherSecure Credential Management with CredHub - Eoghan Kelleher
Secure Credential Management with CredHub - Eoghan Kelleher
 
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
 

More from Trish McGinity, CCSK

Csa privacy by design & gdpr austin chambers 11-4-17
Csa   privacy by design & gdpr austin chambers 11-4-17Csa   privacy by design & gdpr austin chambers 11-4-17
Csa privacy by design & gdpr austin chambers 11-4-17
Trish McGinity, CCSK
 
Privacy 101
Privacy 101Privacy 101
Cloud Seeding
Cloud SeedingCloud Seeding
Cloud Seeding
Trish McGinity, CCSK
 
Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together?  Can we survive if they don't?Security and Automation: Can they work together?  Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?
Trish McGinity, CCSK
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
Trish McGinity, CCSK
 
Practical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggPractical AWS Security - Scott Hogg
Practical AWS Security - Scott Hogg
Trish McGinity, CCSK
 
CSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassageCSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassage
Trish McGinity, CCSK
 
Csa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghxCsa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghx
Trish McGinity, CCSK
 
Privileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesPrivileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA Technologies
Trish McGinity, CCSK
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation   hacking custom webapps 4 3Andrew Useckas Csa presentation   hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
Trish McGinity, CCSK
 
Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities
Trish McGinity, CCSK
 
Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2
Trish McGinity, CCSK
 
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa versionLarry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Trish McGinity, CCSK
 
Ed Rios - New ncc brief
Ed Rios - New ncc briefEd Rios - New ncc brief
Ed Rios - New ncc brief
Trish McGinity, CCSK
 
Scott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certsScott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certs
Trish McGinity, CCSK
 
Davitt Potter - CSA Arrow
Davitt Potter - CSA ArrowDavitt Potter - CSA Arrow
Davitt Potter - CSA Arrow
Trish McGinity, CCSK
 

More from Trish McGinity, CCSK (16)

Csa privacy by design & gdpr austin chambers 11-4-17
Csa   privacy by design & gdpr austin chambers 11-4-17Csa   privacy by design & gdpr austin chambers 11-4-17
Csa privacy by design & gdpr austin chambers 11-4-17
 
Privacy 101
Privacy 101Privacy 101
Privacy 101
 
Cloud Seeding
Cloud SeedingCloud Seeding
Cloud Seeding
 
Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together?  Can we survive if they don't?Security and Automation: Can they work together?  Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
Practical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggPractical AWS Security - Scott Hogg
Practical AWS Security - Scott Hogg
 
CSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassageCSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassage
 
Csa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghxCsa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghx
 
Privileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesPrivileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA Technologies
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation   hacking custom webapps 4 3Andrew Useckas Csa presentation   hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
 
Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities
 
Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2
 
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa versionLarry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
 
Ed Rios - New ncc brief
Ed Rios - New ncc briefEd Rios - New ncc brief
Ed Rios - New ncc brief
 
Scott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certsScott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certs
 
Davitt Potter - CSA Arrow
Davitt Potter - CSA ArrowDavitt Potter - CSA Arrow
Davitt Potter - CSA Arrow
 

Recently uploaded

Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 

Recently uploaded (20)

Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 

Token Binding as the Foundation for a More Secure Web

  • 12. Do you even bind tokens, bro? (TLS Handshake)
Client → Server: ClientHello
  ...
  token_binding [24]
  token_binding_version [1,0]
  key_parameters_list [2,0]
Server → Client: ServerHello
  ...
  token_binding [24]
  token_binding_version [1,0]
  key_parameters_list [2]
Key Parameters:
  (0) rsa2048_pkcs1.5
  (1) rsa2048_pss
  (2) ecdsap256
Also need extensions: Extended Master Secret, Renegotiation Indication
  • 13. Token Binding over HTTPS
HTTP Request (Client → Server):
GET /stuff HTTP/1.1
Host: example.com
Sec-Token-Binding: AIkAAgBBQLgtRpWFPN66kxhxGrtaKrzcMtHw7HV8yMk_-MdRXJXbDMYxZCWnCASRRrmHHHL5wmpP3bhYt0ChRDbsMapfh_QAQN1He3Ftj4Wa_S_fzZVns4saLfj6aBoMSQW6rLs19IIvHze7LrGjKyCfPTKXjajebxp-TLPFZCc0JTqTY5_0MBAAAA
• Encoded Token Binding Message
  – (1 or more) Token Bindings
    • Type (provided / referred)
    • Token Binding ID (key type and public key)
    • Signature over type, key type, and EKM (TLS Exported Keying Material)
    • Extensions
• Proves possession of the private key on the TLS connection
• Keys are long-lived and span TLS connections
  • 14. Binding Cookies
• The most straightforward application binds a cookie to the Token Binding key
• Server associates Token Binding ID with cookie & checks on subsequent use
• Augments existing authentication and session mechanisms
• Transparent to users
• Deployment can be phased in
  • 15. Okay, Just Take It Easy Privacy Nerds Advocates
• Token Binding is not a supercookie or new big brother tracking mechanism
• Client generates a unique key pair per effective top-level domain + 1 (eTLD+1)
  – E.g., example.com, www.example.com, and etc.example.com share binding but not example.org or example.co.uk
• Same scoping rules and privacy implications as cookies
  • 16. What about Cross-Domain Single Sign-on?
There’s an HTTP response header for that! Tells the browser that it should reveal the Token Binding ID used between itself and the RP (referred) in addition to the one used between itself and the IDP (provided).
Relying Party (RP) → Browser:
HTTP/1.1 302 Found
Location: https://idp.example.com
Include-Referred-Token-Binding-ID: true
Browser → Identity Provider (IDP), two bindings at the same time:
GET / HTTP/1.1
Host: idp.example.com
Sec-Token-Binding: ARIAAgBBQB-XOPf5ePlf7ikATiAFEGOS503lPmRfkyymzdWwHCxl0njjxC3D0E_OVfBNqrIQxzIfkF7tWby2ZfyaE6XpwTsAQBYqhFX78vMOgDX_Fd_b2dlHyHlMmkIz8iMVBY_reM98OUaJFz5IB7PG9nZ11j58LoG5QhmQoI9NXYktKZRXxrYAAAECAEFAdUFTnfQADkn1uDbQnvJEk6oQs38L92gv-KO-qlYadLoDIKe2h53hSiKwIP98iRj_unedkNkAMyg9e2mY4Gp7WwBAeDUOwaSXNz1e6gKohwN4SAZ5eNyx45Mh8VI4woL1BipLoqrJRoK6dxFkWgHRMuBROcLGUj5PiOoxybQH_Tom3gAA
  • 17. Interlude: ‘jot’ or not? A quick refresher/introduction to JWT
A JWT:
eyJraWQiOiJrMSIsImFsZyI6IkVTMjU2In0.eyJpc3MiOiJodHRwczovL2lzcy5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vcnAuZXhhbXBsZS5vcmciLCJleHAiOjE1MDkzOTM3NTgsIm5iZiI6MTUwOTM5MzAzOCwic3ViIjoiYnJpYW4iLCJlbWFpbCI6ImJyaWFuLmNhbXBiZWxsQGV4YW1wbGUuY29tIiwiZ3JvdXBzIjpbImdvb2QiLCJiYWQiLCJ1Z2x5Il19.hh8DBF1GfhXrf1L2jKJiJzjIESvBYzPc6NKjCZAXaztFQDiFIP2-wfPw_JWBMulQsPJmVKKl-XA1OQWXQKgKiQ
The Header:
{"kid":"k1","alg":"ES256"}
The Payload:
{"iss":"https://iss.example.com",
 "aud":"https://rp.example.org",
 "exp":1509393758,
 "nbf":1509393038,
 "sub":"brian",
 "email":"brian.campbell@example.com",
 "groups":["good","bad","ugly"]}
The Signature (the third segment)
  • 18. Token Binding for OpenID Connect
• Utilizes the Include-Referred-Token-Binding-ID header and the Referred Token Binding
• Binds the ID Token (JWT) to the Token Binding ID the browser uses between itself and the Relying Party
• Uses token binding hash “tbh” member of the JWT confirmation claim “cnf”
  • 19. “Demo”
• Showing a bound:
  – ID Token SSO
  – Session Cookie
Participants: Browser; Identity Provider (IDP) at https://idp.example.com; Relying Party (RP) at https://rp.example.io:3000; http://httpbin.org/
  • 20. Unauthenticated access request to RP is redirected for SSO
  • 21. Authentication request to the IDP
  • 22. ID Token delivered to RP
  • 23. Authenticated access to RP
  • 24. “Demo” Finished
  • 25. Token Binding for OAuth Too
• Access tokens with referred Token Binding ID
• Refresh tokens with provided Token Binding ID
• Authorization codes via PKCE
  – Native app clients
  – Web server clients
• JWT Authorization Grants and Client Authentication
  • 26. Reverse Proxy Deployments
Client → Reverse Proxy (negotiates Token Binding on the TLS connection):
GET /stuff HTTP/1.1
Host: example.com
Sec-Token-Binding: AIkAAgBBQKzyIrmcY_YctHVoSHBut69vrGfFdy1_YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKkAQEtxe4jeUJU0WezxlQXWVSBFeHxFMdXRBIH_LKOSAuSMOJ0XEw1Q8DE248qkOiRKzw3KdSNYukYEPmO21bQi3YYAAA
Reverse Proxy: validates the Token Binding message, sanitizes headers, and passes the encoded provided Token Binding ID to the origin as a new header (referred too, if applicable)
Reverse Proxy → Origin Server:
GET /stuff HTTP/1.1
Host: ...
Sec-Provided-Token-Binding-ID: AgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKk
Origin Server: binds/verifies using the Token Binding ID
  • 27. The Landscape (some of it anyway)
• 3 IETF Token Binding specs soon to be RFCs
• Draft support
  – Google Chrome & Microsoft Edge/IE
  – Global on Google servers (since Jan)
  – .NET Framework (4.6 for server side)
  – Open source
    • OpenSSL (https://github.com/google/token_bind)
    • Apache (https://github.com/zmartzone/mod_token_binding)
    • NGINX (https://github.com/google/ngx_token_binding)
    • Java (… er, yeah…)
  – Online demo at https://www.ietf.org/mail-archive/web/unbearable/current/msg01332.html
• OpenID Connect Token Bound Authentication spec is coming along
• OAuth 2.0 Token Binding spec is coming along a bit behind that
• ‘HTTPS Token Binding with TLS Terminating Reverse Proxies’ spec adopted
  • 28. FIN
© 2015 Brian Campbell
BRIAN CAMPBELL @__b_c