Prabath Siriwardena, Senior Architect & Chair, Integration MC; Johann Nallathamby, Software Engineer, Integration MC
AWS Signature - 1
• Split the query string on the & and = characters into a series of key-value pairs.
• Sort the pairs based on the keys.
• Append the keys and values together, in order, to construct one big string (key1 + value1 + key2 + value2 + ...).
• Sign that string using HMAC-SHA1 and your secret access key.
Caveat: because keys and values are concatenated with no delimiter, two different parameter sets can produce the same string to sign, and therefore the same signature. Keeping the = and & characters in the signed string is the fix that Version 2 applies.
AWS Signature - 2
• You include additional components of the request (HTTP method, host and path) in the string to sign.
• You include the query string control parameters (the equals signs and ampersands) in the string to sign.
• You sort the query string parameters using byte ordering (so "AWSAccessKeyId" sorts before "Action", since upper-case letters precede lower-case ones).
• You URL-encode the query string parameters and their values before signing the request.
• You can use HMAC-SHA256 when you sign the request (HMAC-SHA256 is preferred, but HMAC-SHA1 is still supported).
• You must set the SignatureMethod request parameter to either HmacSHA256 or HmacSHA1 to indicate which signing method you're using.
• You must set the SignatureVersion request parameter to 2.
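The two procedures above, as an added example that is not part of the original slides: it builds the Version 1 string to sign and the Version 2 string to sign for the same parameters and shows why the delimiter-free Version 1 form is ambiguous. The access key, secret key and request parameters are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def v1_string_to_sign(params):
    """Signature Version 1: sort by key, then concatenate key+value with no delimiters."""
    return "".join(k + v for k, v in sorted(params.items()))


def v1_signature(secret_key, params):
    """HMAC-SHA1 over the Version 1 string, base64-encoded as AWS expects."""
    digest = hmac.new(secret_key.encode(), v1_string_to_sign(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def _encode(value):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - _ . ~ are left unencoded
    return quote(value, safe="-_.~")


def v2_canonical_query(params):
    """Signature Version 2: URL-encode names and values, sort by byte order, keep '=' and '&'."""
    pairs = sorted((_encode(k), _encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def v2_string_to_sign(method, host, path, params):
    """Version 2 binds the HTTP method, host and path as well as the query string."""
    return "\n".join([method.upper(), host.lower(), path or "/", v2_canonical_query(params)])


def v2_signature(secret_key, method, host, path, params):
    """HMAC-SHA256 (the algorithm named by SignatureMethod=HmacSHA256) over the Version 2 string."""
    string_to_sign = v2_string_to_sign(method, host, path, params)
    digest = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


# Constructed sample data (placeholder credentials, not real ones).
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

REQUEST_PARAMS = {
    "Action": "DescribeInstances",
    "AWSAccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Timestamp": "2012-05-07T03:20:00Z",
    "Version": "2012-05-01",
}

# Two different parameter sets that Version 1 cannot tell apart.
COLLIDING_A = {"key1": "value1", "key2": "value2"}
COLLIDING_B = {"key1": "value1key2value2"}


def v1_collides(secret_key=SECRET_KEY):
    """True when Version 1 produces the same signature for COLLIDING_A and COLLIDING_B."""
    return v1_signature(secret_key, COLLIDING_A) == v1_signature(secret_key, COLLIDING_B)


def v2_distinguishes(secret_key=SECRET_KEY):
    """True when Version 2 produces different signatures for the same two parameter sets."""
    a = v2_signature(secret_key, "GET", "ec2.amazonaws.com", "/", COLLIDING_A)
    b = v2_signature(secret_key, "GET", "ec2.amazonaws.com", "/", COLLIDING_B)
    return a != b


if __name__ == "__main__":
    print(v2_string_to_sign("GET", "ec2.amazonaws.com", "/", REQUEST_PARAMS))
    print("Signature =", v2_signature(SECRET_KEY, "GET", "ec2.amazonaws.com", "/", REQUEST_PARAMS))
    print("v1 collision:", v1_collides(), "| v2 distinguishes:", v2_distinguishes())
```

The Version 2 string to sign prints with "AWSAccessKeyId" ahead of "Action", which is the byte-ordering rule in action; the Signature value is then sent as one more query parameter, which is excluded from the string it signs.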
Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
Servers are required to support password authentication, despite the security weaknesses created by passwords.
Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
Compromise of any third-party application results in compromise of the end user's password and all of the data protected by that password.
Bearer vs. MAC
Bearer: any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
Runtime
Request with Bearer
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer "access_token_value"
(The quotes mark a placeholder; the real header carries the raw token value. Because presenting the token is the only proof, a bearer token must be sent only over TLS and kept out of URLs and logs.)
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
MAC: HTTP MAC access authentication scheme. The client holds a MAC key and proves possession of it on every request by sending a keyed hash (MAC) over the request, rather than the key itself.
Request with MAC
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8", ts="1336363200", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
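Both sides of the MAC exchange above, as an added example that is not part of the original slides or of any WSO2 code. The normalized request string follows draft-ietf-oauth-v2-http-mac-01 (timestamp, nonce, method, request-URI, host, port, ext, each followed by a newline); the MAC key, key identifier and nonce are constructed placeholders, so the mac value produced here is not the one shown on the slide, whose key is not given.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed credentials: the authorization server hands the client a MAC key
# identifier, a shared MAC key and an algorithm name.
MAC_CREDENTIALS = {"h480djs93hd8": {"key": "489dks293j39", "algorithm": "hmac-sha-1"}}
ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """draft-01 normalized request string: each element followed by a newline."""
    return "".join(f"{part}\n" for part in (ts, nonce, method.upper(), request_uri, host.lower(), port, ext))


def compute_mac(key, algorithm, normalized):
    digest = hmac.new(key.encode(), normalized.encode(), ALGORITHMS[algorithm]).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(key_id, key, algorithm, method, url, ts=None, nonce=None, ext=""):
    """Client side: sign the request and produce the Authorization header value."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    request_uri = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_urlsafe(8) if nonce is None else nonce
    mac = compute_mac(key, algorithm, normalized_request_string(ts, nonce, method, request_uri, parts.hostname, port, ext))
    fields = [f'id="{key_id}"', f'ts="{ts}"', f'nonce="{nonce}"'] + ([f'ext="{ext}"'] if ext else []) + [f'mac="{mac}"']
    return "MAC " + ", ".join(fields)


def parse_mac_header(header):
    """Parse 'MAC id="...", ts="...", ...' into a dict (values here contain no commas)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        return None
    attrs = {}
    for item in rest.split(","):
        name, _, value = item.strip().partition("=")
        attrs[name] = value.strip('"')
    return attrs


class MacVerifier:
    """Resource server side: recompute the MAC, reject stale timestamps and replayed nonces."""

    def __init__(self, credentials, window_seconds=300):
        self.credentials = credentials
        self.window = window_seconds
        self.seen = set()  # (id, ts, nonce) tuples already accepted

    def verify(self, header, method, request_uri, host, port, now):
        attrs = parse_mac_header(header)
        if attrs is None or any(k not in attrs for k in ("id", "ts", "nonce", "mac")):
            return False
        cred = self.credentials.get(attrs["id"])
        if cred is None or not attrs["ts"].isdigit():
            return False
        ts = int(attrs["ts"])
        if abs(now - ts) > self.window:  # outside the acceptance window
            return False
        replay_key = (attrs["id"], ts, attrs["nonce"])
        if replay_key in self.seen:  # same id/ts/nonce seen before: replay
            return False
        expected = compute_mac(cred["key"], cred["algorithm"],
                               normalized_request_string(ts, attrs["nonce"], method, request_uri, host, port, attrs.get("ext", "")))
        if not hmac.compare_digest(expected, attrs["mac"]):  # constant-time compare
            return False
        self.seen.add(replay_key)
        return True


def demo(ts=1336363200):
    """Sign one request, then verify it once, replay it, and tamper with the URI."""
    header = build_authorization_header("h480djs93hd8", "489dks293j39", "hmac-sha-1",
                                        "GET", "http://example.com/resource/1", ts=ts, nonce="dj83hs9s")
    verifier = MacVerifier(MAC_CREDENTIALS)
    first = verifier.verify(header, "GET", "/resource/1", "example.com", 80, now=ts + 5)
    replay = verifier.verify(header, "GET", "/resource/1", "example.com", 80, now=ts + 5)
    tampered = verifier.verify(header, "GET", "/resource/2", "example.com", 80, now=ts + 5)
    return header, first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

The server recomputes the MAC from the request it actually received, so changing the path, host or method after signing fails verification; the nonce set and timestamp window are what stop a captured header from being replayed, which is the property a bearer token cannot offer.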