Securing APIs

  1. Prabath Siriwardena, Senior Architect & Chair, Integration MC; Johann Nallathamby, Software Engineer, Integration MC
  2. AWS Signature - 1
     • Split the query string based on & and = characters into a series of key-value pairs.
     • Sort the pairs based on the keys.
     • Append the keys and values together, in order, to construct one big string (key1 + value1 + key2 + value2 + ...).
     • Sign that string using HMAC-SHA1 and your secret access key.
     Because the keys and values are concatenated with no delimiter, two different parameter sets can produce the same string to sign, and therefore the same signature; keeping the delimiters in the signed string is one of the changes made in Signature Version 2.
  3. AWS Signature - 2
     • You include additional components of the request in the string to sign.
     • You include the query string control parameters (the equals signs and ampersands) in the string to sign.
     • You sort the query string parameters using byte ordering.
     • You URL-encode the query string parameters and their values before signing the request.
     • You can use HMAC-SHA256 when you sign the request (we prefer HMAC-SHA256, but we still support HMAC-SHA1).
     • You must set the SignatureMethod request parameter to either HmacSHA256 or HmacSHA1 to indicate which signing method you're using.
     • You must set the SignatureVersion request parameter to 2.
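The two signing procedures above, worked through in code. This is an added example and not the presenters' material: it builds the Signature Version 1 string to sign (sorted keys, key+value concatenated with no delimiters, HMAC-SHA1) and the Signature Version 2 string to sign (verb, lower-cased host, path, and a byte-ordered, URL-encoded canonical query that keeps the = and & delimiters and omits the Signature parameter), signs with the digest named by SignatureMethod, and verifies on the server side with a constant-time comparison. The secret key, the host names and the query parameters are constructed for the example. It also shows why V2 keeps the delimiters: two different parameter sets that V1 maps to the same string, and so the same signature, are distinct under V2.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed secret for this example; not a real AWS credential.
SECRET_KEY = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def sigv1_string_to_sign(params):
    """Signature Version 1: sort pairs by key, then append
    key1 + value1 + key2 + value2 + ... with no delimiters and no encoding."""
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "".join(k + v for k, v in pairs)


def sigv1_sign(params, secret=SECRET_KEY):
    """HMAC-SHA1 over the V1 string to sign, base64-encoded."""
    mac = hmac.new(secret, sigv1_string_to_sign(params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def _encode(value):
    # RFC 3986 encoding: only the unreserved characters (A-Z a-z 0-9 - _ . ~)
    # stay literal, so a space becomes %20 and a slash becomes %2F.
    return quote(value, safe="-_.~")


def sigv2_string_to_sign(method, host, path, params):
    """Signature Version 2: verb, lower-cased Host header, request path and a
    canonical query string, joined by newlines. The canonical query keeps the
    '=' and '&' delimiters, URL-encodes names and values, sorts by byte order
    and leaves out any Signature parameter."""
    canonical = "&".join(
        f"{_encode(k)}={_encode(v)}"
        for k, v in sorted(params.items())
        if k != "Signature"
    )
    return "\n".join([method.upper(), host.lower(), path, canonical])


def sigv2_sign(method, host, path, params, secret=SECRET_KEY):
    """Sign with the digest named by SignatureMethod (HmacSHA256 or HmacSHA1)."""
    if params.get("SignatureVersion") != "2":
        raise ValueError("SignatureVersion must be 2")
    digest = {"HmacSHA256": hashlib.sha256, "HmacSHA1": hashlib.sha1}[params["SignatureMethod"]]
    string_to_sign = sigv2_string_to_sign(method, host, path, params)
    mac = hmac.new(secret, string_to_sign.encode("utf-8"), digest)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_request_v2(method, host, path, params, secret=SECRET_KEY):
    """Client side: return the parameters with a Signature attached."""
    signed = dict(params)
    signed["Signature"] = sigv2_sign(method, host, path, signed, secret)
    return signed


def verify_request_v2(method, host, path, params, secret=SECRET_KEY):
    """Server side: recompute over everything except Signature and compare in
    constant time. Any change to the verb, host, path or a parameter fails."""
    presented = params.get("Signature")
    if presented is None:
        return False
    try:
        expected = sigv2_sign(method, host, path, params, secret)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, presented)


def v1_collision_demo():
    """Two different parameter sets: V1 cannot tell them apart, V2 can.
    Returns (v1 signatures equal, v2 strings to sign equal)."""
    first = {"a": "bc", "d": "e"}      # V1 string: "a" + "bc" + "d" + "e" = "abcde"
    second = {"ab": "c", "d": "e"}     # V1 string: "ab" + "c" + "d" + "e" = "abcde"
    v1_same = sigv1_sign(first) == sigv1_sign(second)
    v2_same = (sigv2_string_to_sign("GET", "example.amazonaws.com", "/", first)
               == sigv2_string_to_sign("GET", "example.amazonaws.com", "/", second))
    return v1_same, v2_same


if __name__ == "__main__":
    print("V1 collides, V2 collides:", v1_collision_demo())
    # Constructed sample query; hypothetical host.
    query = {"Action": "DescribeInstances", "Version": "2012-05-01",
             "SignatureMethod": "HmacSHA256", "SignatureVersion": "2"}
    signed = sign_request_v2("GET", "ec2.amazonaws.com", "/", query)
    print(sigv2_string_to_sign("GET", "ec2.amazonaws.com", "/", signed))
    print("verifies:", verify_request_v2("GET", "ec2.amazonaws.com", "/", signed))
```

The verifier recomputes over the request as received, not over anything the client claims about it, so a forwarded request whose Action, path or verb was altered in transit fails even though the Signature value is unchanged.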
  4. http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
  5. http://blog.programmableweb.com/2010/08/16/twitter-basic-auth-will-truly-disappear-august-30/
  6. Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
  7. Servers are required to support password authentication, despite the security weaknesses created by passwords.
  8. Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
  9. Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
  10. Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  11. http://www.flickr.com/services/api/misc.userauth.html
  12. http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
  14. Drawbacks of OAuth 1.0
      • Complexity in validating and generating signatures.
      • No clear separation between Resource Server and Authorization Server.
      • Browser-based redirections.
  15. BasicAuth / OAuth Handshake
  16. BasicAuth / OAuth Handshake
  17. Runtime
  18. Bearer / MAC (Runtime)
  19. Bearer (Runtime): Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
  20. Request with Bearer (Runtime)
      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: Bearer access_token_value
      http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
  21. MAC (Runtime): HTTP MAC access authentication scheme.
  22. Request with MAC (Runtime)
      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: MAC id="h480djs93hd8",
                         ts="1336363200",
                         nonce="274312:dj83hs9s",
                         mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
      http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
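The two runtime schemes on slides 19 to 22, side by side in a small resource server. This is an added example, not code from the presentation: it parses both Authorization header forms, accepts a Bearer token by lookup alone, and verifies a MAC header by rebuilding the normalized request string as the cited MAC draft defines it (timestamp, nonce, upper-case method, request URI, lower-cased host, port and the ext value, each followed by a newline), recomputing the HMAC and comparing in constant time, with a timestamp window and a nonce cache against replay. The token, key id, key bytes, subjects and the key store are constructed for the example; the id and token strings only echo the slides. The demo replays a captured header of each kind: the Bearer header keeps working, the MAC header is rejected on replay and is useless for any other URI.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed credential stores (not from the slides): the key bytes and the
# subject are invented for this example.
BEARER_TOKENS = {"access_token_value": "user-42"}                     # token -> subject
MAC_CREDENTIALS = {"h480djs93hd8": (b"489dks293j39", "hmac-sha-1")}  # id -> (key, algorithm)

_ATTRIBUTE = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization(header):
    """Split an Authorization header into its scheme and attributes."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme == "Bearer":
        return scheme, {"token": rest.strip()}
    if scheme == "MAC":
        return scheme, dict(_ATTRIBUTE.findall(rest))
    raise ValueError("unsupported scheme: " + scheme)


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Normalized request string of the MAC draft: each element followed by a newline."""
    parts = [ts, nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "".join(p + "\n" for p in parts)


def compute_mac(key, algorithm, normalized):
    digest = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}[algorithm]
    return base64.b64encode(hmac.new(key, normalized.encode("utf-8"), digest).digest()).decode("ascii")


def mac_authorization_header(key_id, method, request_uri, host, port, ts, nonce, ext=""):
    """Client side: build the Authorization header bound to one specific request."""
    key, algorithm = MAC_CREDENTIALS[key_id]
    mac = compute_mac(key, algorithm,
                      normalized_request_string(ts, nonce, method, request_uri, host, port, ext))
    header = f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'
    if ext:
        header += f', ext="{ext}"'
    return header


class ResourceServer:
    """Authenticates a request; returns the subject on success, None on failure."""

    def __init__(self, now=time.time, max_skew=300):
        self.now = now
        self.max_skew = max_skew
        self.seen = set()   # (id, ts, nonce) tuples already accepted

    def authenticate(self, method, request_uri, host, port, authorization):
        scheme, attrs = parse_authorization(authorization)
        if scheme == "Bearer":
            # Possession of the string is the whole proof: nothing ties the
            # token to this request, so a captured header is reusable as-is.
            return BEARER_TOKENS.get(attrs["token"])
        try:
            key_id, ts, nonce, mac = attrs["id"], attrs["ts"], attrs["nonce"], attrs["mac"]
            key, algorithm = MAC_CREDENTIALS[key_id]
        except KeyError:
            return None
        if not ts.isdigit() or abs(self.now() - int(ts)) > self.max_skew:
            return None                      # stale or unparsable timestamp
        if (key_id, ts, nonce) in self.seen:
            return None                      # replay of an already accepted request
        expected = compute_mac(key, algorithm, normalized_request_string(
            ts, nonce, method, request_uri, host, port, attrs.get("ext", "")))
        if not hmac.compare_digest(expected, mac):
            return None                      # request differs from what was signed
        self.seen.add((key_id, ts, nonce))
        return key_id


def demo(now=1336363200):
    """Replay a captured Bearer header and a captured MAC header."""
    server = ResourceServer(now=lambda: now)
    bearer = "Bearer access_token_value"
    first_bearer = server.authenticate("GET", "/resource/1", "example.com", 80, bearer)
    replayed_bearer = server.authenticate("GET", "/resource/1", "example.com", 80, bearer)

    header = mac_authorization_header("h480djs93hd8", "GET", "/resource/1",
                                      "example.com", 80, str(now), "dj83hs9s")
    first_mac = server.authenticate("GET", "/resource/1", "example.com", 80, header)
    replayed_mac = server.authenticate("GET", "/resource/1", "example.com", 80, header)
    other_uri = ResourceServer(now=lambda: now).authenticate(
        "GET", "/resource/2", "example.com", 80, header)
    return first_bearer, replayed_bearer, first_mac, replayed_mac, other_uri


if __name__ == "__main__":
    print(demo())
```

The nonce cache only has to remember entries inside the timestamp window; anything older is already rejected by the skew check. Note that neither scheme hides the request itself, so the Bearer form in particular still depends entirely on TLS to keep the token from being captured.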
