SlideShare una empresa de Scribd logo

New Trends in Web Security

Oliver Pfaff
Oliver Pfaff

My 2012 homerun in IT-security: For many years nothing happened in Web security - with respect to security-enabling the HTTP stack. This is not true anymore: game-changing innovations do emerge right now. Their impact will - likely - be pervasive. It is important to understand what exactly is being launched, why this is happening and which forces are driving this. This presentation establishes this context and elaborates on the implications.

Tecnología
1 de 37
New Trends in Web Security Oliver Pfaff May 10, 2012
A Journey through Time – 2000 to 2012 Authentication Authorization IAM (Identity and IT-security Access Management) Federation ▶ Enterprise camp: identities/resources Has use cases owned by legal entities driving current innovation ▶ Internet camp: identities/resources owned by individual users May 2012 2
Security-Enabling the HTTP Stack - Until 2010 Protocol stack Security fabric No help - does match target environment WS-*/ Security WS- infrastructure Security HTTP body HTTP Security Security header protocols syntax SSL/TLS Security token TCP Helps - but does not cover given use cases IP Meta-information Cryptographic algorithms May 2012 3
Driving Forces ▶ Constrained clients:  Smart phones/tablets accessing via mobile networks  Promote native clients: talk HTTP, serve single users – but are no classical Web browsers ▶ API economy:  Content aggregation via mash-ups/composite applications, Web APIs exposing lightweight interfaces, RESTful Web services – no WS-*  Promote application clients: talk HTTP, serve multiple users ▶ Cloud:  Procure IT from the network: applications (SaaS), software (PaaS) or hardware infrastructure (IaaS)  For many organizations "owning iron" is a snail’s pace approach. Holds for the server side (XaaS) and the client side (BYOD) ▶ Disillusion:  Some things did not fly such as PKI to the end-user: • Not handy: people do not understand PKI – even IT pro’s struggle • Compromises: Comodo/DigiNotar/StartTLS CAs, DuQu, Stuxnet • Ramifications of lemon markets (Nobel prize-awarded theory) apply May 2012 4
…Their Constraints/Needs/Use Cases ▶ Constrained clients:  Interactions: server-side, no client-side redirections  Compact representations: new formats for security objects, no WS-* ▶ API economy:  Authenticate API clients: new authentication schemes for HTTP 3-party scenarios  Manage access to personal resources: new authorization protocols  Move identity data (for self): on-boarding of individual users ▶ Cloud:  Externalize user authentication: provide seamless access (i.e. SSO)  Manage identity data (for any): user on-boarding in bulk-style  Manage authorization: govern access control for subscriber resources ▶ Disillusion:  Alternate entity authentication schemes: stronger than username/static password, less awkward than public key certificate and private key  Supply meta-information: express to relying parties how authentication and identity creation was done May 2012 5
Use Cases Requiring 3-Party Exchanges ▶ Manage access to personal resources  Prerequisites: user and asserting/relying party authentication ▶ Move identity data (for self)  Prerequisites: user and asserting/relying party authentication ▶ Externalize user authentication  Prerequisite: user and asserting party authentication Personal App resources Identity HTTP data UI SSL/ User App TLS authentication HTTP TCP/ SSL/ HTTP IP TLS Asserting party TCP/ SSL/ IP TLS TCP/ User agent IP Relying party May 2012 6
3-Party Exchange Pattern – Functional Requirements User ▶ Facilitate 3-party overlay: Authn agent  User agent to asserting party - security with Provide endpoint: creds grant • Entitle relying party after authenticating • UI-style: entitlement dialogue with arbitrary Web user authentication Asserting  Relying party to asserting party - party security endpoint: Entitle- Security Resource • Obtain security token after ment endpoint endpoint authenticating • API-style: new protocols with Provide arbitrary Web client authentication token Authn  Relying party to asserting party – with resource endpoint: token • Obtain resource access after authenticating Authn with • API-style: new authentication creds Relying protocols (token-based) party May 2012 7
3-Party Exchange Pattern – Non-Functional Requirements ▶ 3-party exchanges between relying and asserting parties – via user agents esp. 3-party exchanges: constrained clients: Sub- HTTP  Use HTTP 3xx redirects HTTP  Employ URL query parameters for Hdr. Body exchange of security token acquisition N.a. objects and their responses ▶ Subsequent 2-party exchanges between URL N.a. relying and asserting parties: query  Use HTTP Authorization headers for authentication purposes based on security tokens 2-party exchanges: ▶ URL query parameters as well as HTTP Sub- HTTP Authorization headers are space- HTTP constrained: Hdr. Body  Objects to acquire and utilize security SSL/ tokens must match these constraints TLS  Note: SAML assertion/protocol syntax Authn Var. objects are suspect of violating them header May 2012 8
Identifying the New Entrants ▶ Constrained clients:  Interactions: N.a.  Compact representations: JWA, JWE, JWK, JWS (IETF jose WG) and JWT (IETF individual submission) ▶ API economy:  Authenticate API clients: HTTP Bearer and MAC authentication (IETF oauth WG)  Manage access to personal resources: OAuth (IETF oauth WG), UMA (Kantara)  Move identity data (for self): OpenID Connect (OpenID) ▶ Cloud:  Externalize user authentication: OpenID Connect (OpenID)  Manage identity data (for any): SCIM (IETF WG candidate)  Manage authorization: XACML 3.0 administration and delegation profile (OASIS) ▶ Disillusion:  Alternate authentication schemes: TOTP (RFC 6238), HOTP (RFC 4226), callbacks (custom)  Supply meta-information: assurance levels (NIST SP800-63, ITU-T X.1254 | ISO/IEC 29115, Kantara IAF) May 2012 9
Layering the New Entrants Use case-specific Generic May 2012 10
Security Fabric for the HTTP Stack – From ca. 2012 Provides request authn JWS IETF Draft HTTP request authn IETF Draft Provides entity JWE IETF Draft authentication Provides service for managing Provides token Security token authn Security token service <Abstract> <Abstract> Provides token Instantiates Instantiates encryption OAuth authz JWT UMA Promotes server IETF individual Kantara IETF Draft submission Draft Includes OpenID OAuth Connect Extends IETF Draft OpenID Draft May 2012 11
Security Fabric for the SOAP Stack – From ca. 2007 (for reference purposes) Provides msg Allows publishing of authn XML Signature W3C standard SOAP Message Provides msg WS-Policy WS-SecurityPolicy Security encryption W3C OASIS standard OASIS standard standard (WS-SX TC) (WSS TC) Defines Allows profiling of Provides entity XML Encryption security for W3C standard authentication STSs Provides service for managing Provides token Security token authn Security token service <Abstract> <Abstract> Provides token Instantiates Instantiates encryption SAML assertion WS-Trust OASIS standard OASIS standard (SAML TC) (WS-SX TC) Extends WSFED OASIS committee specification May 2012 12
Security-Enabling the HTTP Stack - From ca. 2012 Protocol stack Security fabric Security infrastructure HTTP body HTTP Security Security header protocols syntax SSL/TLS Security token TCP Meta-information Cryptographic IP algorithms May 2012 13
Is It Real? ▶ 4-party security protocol examples: – UMA: http://kantarainitiative.org/confluence/display/uma/UMA+Implementations ▶ 3-party security protocol examples: – OIDC relying party: http://www8322u.sakura.ne.jp/oidconnect/ – OIDC asserting party: http://oauthssodemo.appspot.com/step/1 – OAuth relying party: https://twitter.com/#!/who_to_follow/import/ – OAuth asserting party: https://accounts.google.com/OAuthAuthorizeToken ▶ 2-party security protocol examples: – HTTP Bearer authentication: cf. OpenID Connect sample – HTTP MAC authentication: N.a. - current implementations utilize HTTP Bearer. ▶ Security infrastructure examples: – OAuth authorization server: cf. OpenID Connect sample ▶ Security token examples: – JWT: cf. OpenID Connect sample ▶ Meta-information syntax examples: – LoA: N.a. ▶ Security syntax examples: – JWA/E/K/S: cf. OpenID Connect sample May 2012 14
Conclusions ▶ It is amazing what is happening right now – security-wise as well as IAM-wise ▶ The current innovation is triggered by use cases from the Internet IAM camp. In particular, it addresses needs related to Web 2.0 as well as social networks ▶ This does not imply that the emerging mechanisms are limited to these domains: – Other industries have matching use cases e.g. user-managed access to medical data to-be-shared among healthcare providers (ECRs – Electronic Case Records) – Their resolution delivers security mechanisms that can be (re-)used in other use cases – Security functionality for 3-party Web exchanges presents a main focus. Such 3-party exchanges also apply in other industries – probably with some other details but likely requiring similar patterns and approaches. ▶ The evolution of specifications, implementation of toolkits (many open source) and supply of services on the Internet happens in parallel ▶ This innovation in Web security is still ongoing and not yet concluded May 2012 15
Abbreviations AJAX Asynchronous JavaScript And XML API Application Programming Interface AWS Amazon Web Services BYOD Bring Your Own Device CA Certification Authority CMS Cryptographic Message Syntax ECC Elliptic Curve Cryptography HMAC Hash-based Message Authentication Code HOTP HMAC-based OTP HTML HyperText Markup Language HTTP HyperText Transfer Protocol IaaS Infrastructure as a Service IAF Identity Assurance Framework IAM Identity and Access Management JOSE JavaScript Object Signing and Encryption JSON JavaScript Object Notation JWA/E/K/S/T JSON Web Algorithms/Encryption/Key/Signature/Token LoA Level of Assurance OATH Open Authentication OAuth Open Authorization May 2012 16
Abbreviations (cont’d) OIDC OpenID Connect OTP OneTime Password PaaS Platform as a Service PKCS Public-Key Cryptography Standards PKI Public Key Infrastructure PoP Proof-of-Possession REST REpresentational State Transfer SaaS Software as a Service SAML Security Assertion Markup Language SCIM Simple Cloud Identity Management SOAP Simple Object Access Protocol SSL Secure Sockets Layer STS Security Token Service TLS Transport Layer Security TOTP Time-based OTP UMA User-Managed Access URL Uniform Resource Locator WS Web Services XaaS Any X offered ’as-a-Service’ XML eXtensible Markup Language May 2012 17
Background ▶ Fielding, R.: Architectural Styles and the Design of Network-based Software Architectures. PhD Thesis. University of California, Irvine, 2000. ▶ Gutmann, P.: PKI: Lemon Markets and Lemonade. RSA Security Conference 2011. ▶ Jones, M.: The Emerging JSON-Based Identity Protocol Suite. W3C Workshop on Identity in the Browser, 2011. ▶ Machulak, M.P. et al.: User-Managed Access to Web Resources. Proceedings of the 6th ACM Workshop on Digital Identity Management, 2010. ▶ Mash-up directory: http://www.programmableweb.com/mashups/directory ▶ Pautasso, C.; Zimmermann, O.; Leymann, F.: RESTful Web Services vs. “Big” Web Services: Making the Right Architectural Decision. Proc. of the 17th International World Wide Web Conference, Bejing, 2008. ▶ Prins, J.R.: DigiNotar Certificate Authority breach “Operation Black Tulip”. Interim Report: Investigation DigiNotar Certificate Authority Environment, 2011. ▶ Rabin, J.; McCathieNevile, C. (eds.): Mobile Web Best Practices 1.0. W3C Recommendation 2008. ▶ Rutkowski, M. (ed.): Identity in the Cloud Use Cases Version 1.0. OASIS Committee Note, 2012. ▶ Web API directory: http://www.programmableweb.com/apis/directory ▶ Yegge, S.: Stevey's Google Platforms Rant. 2011 May 2012 18
Author Oliver Pfaff, oliver.frank.pfaff@gmail.com May 2012 19
Web Application Styles Traditional AJAX-aware Mobile Mash-up Web browser Web browser Native client Application client UI UI UI HTTP server JavaScript HTML or HTML HTML JSON,XML JSON,XML HTTP client AJAX engine HTTP client Business logic Request JSON,XML Request JSON,XML HTTP client HTTP client Request Request Response Response Response Response (HTML) (JSON, XML) (JSON, XML) (JSON, XML) HTTP server HTTP server HTTP server HTTP server Web server Web server Web server Web server UI-style IO API-style IO May 2012 20
Characterizing Client-Side Components ▶ Web browsers: – HTTP client with address bar, serves resources of arbitrary services – HTML as primary media type (UI-style) – Client-side scripting support – Serves #1 simultaneous user – Examples: Google Chrome, Microsoft Internet Explorer, Mozilla Firefox ▶ Native clients: – HTTP client without address bar, serves resources of a specific service – HTML (UI-style) or JSON/XML as primary media type (API-style) – Serves #1 simultaneous user – Example: Android/iPhone Web apps ▶ Application clients: – HTTP client and server – JSON/XML as primary media type towards downstream application (API-style) – Provides own application/business functionality (i.e. not only a HTTP proxy) – Serves #n simultaneous users – Example: Amazon & eBay comparison shopping May 2012 21
Security Fabric for the HTTP Stack – Until 2010 ▶ Security fabric is broadly absent in the actual HTTP layer: – HTTP Basic authentication: username/password-based authentication • Transfers credentials in plain (to be precise: Base64 encoded) • Unpopular: HTML form-based authentication is preferred – HTTP Digest authentication: shared secret key-based authentication • Not used in practice – Custom HTTP authentication methods: Kerberos/NTLM-based authentication • Used for integrated Windows authentication – HTTP session state mechanisms: • No actual security mechanism but a factor in the security fingerprint ▶ Security fabric is present: – Underneath the HTTP layer: SSL/TLS – Above the HTTP layer: WS-Security ▶ Caveats: – Underneath the HTTP layer: hard to support complex use cases – Above the HTTP layer: adds significant infrastructural burden May 2012 22
4-Party Security Protocols – User-Managed Access - UMA ▶ UMA refines OAuth 2.0: – Allows users to manage access to individual resources, residing on any number of OAuth resource servers, through a single OAuth authorization server – Extends OAuth by formalizing interactions between OAuth resource and authorization servers (underspecified in OAuth) – Promotes OAuth authorization servers to independent network services – hence turns the 3-party protocol OAuth into a 4-party protocol – Extends the OAuth notion of scope and hence enhances the granularity of access control – More information: Comparing OAuth and UMA, UMA Frequently Asked Questions ▶ The specifications are developed by a Kantara working group: – User-Managed Access (UMA) Core Protocol (Draft 2012 also published as IETF Draft - individual submission) – UMA Trust Model (Draft 2012) – UMA Scenarios and Use Cases (Draft 2010) – UMA User Stories (Draft 2010) ▶ Familiar to: - May 2012 23
3-Party Security Protocols – OpenID Connect ▶ OpenID Connect defines an identity layer on top of OAuth 2.0: – Exploits and extends OAuth for a specific kind of resources: data specific to user authentication and user identity (e.g. data persisted in user accounts) – Turns a solution for the delegation use case in access management into an approach for the federation use case in identity management ▶ The specifications are developed by the OpenID community: – Basic Client Profile (Draft 2012) – Discovery (Draft 2012) – Dynamic Registration (Draft 2012) – Standard (Draft 2012) – Messages (Draft 2012) – Session Management (Draft 2012) ▶ Familiar to: SAML, WS-Federation (passive profile), OpenID (note: it’s relation to the original OpenID protocol is loose) ▶ More information: OpenID Connect - An Emperor Or Just New Cloths? May 2012 24
3-Party Security Protocols – OpenID Connect Exchange Pattern 2. Authn with user credentials, User 1. Redirect user agent to delegate access to identity data agent OAuth authz endpoint, provide oidc:Request object 4. Redirect user agent to relying party with oauth:Grant Asserting party Security UserInfo 3. Store entitlement endpoint endpoint 6. Respond with 9. Respond with user info oauth:AccessToken, oidc:IdToken 5. Authn with client 8. Authn with credentials, supply oauth:AccessToken, oauth:Grant, request request user info oauth:AccessToken, oidc:IdToken Relying 7. Consume oidc:IdToken party 10. Process user info May 2012 25
3-Party Security Protocols – OAuth ▶ OAuth allows resource owners to delegate resource access rights to third-party consumers (such as composite applications in a mash-up) in a discretionary fashion with a limited scope (functionality, time). ▶ The specifications are developed by the IETF oauth working group: – The OAuth 2.0 Authorization Framework (Draft 2012) – The OAuth 1.0 Protocol (RFC 5849, 2010) ▶ Familiar to: - ▶ More information: Analyzing OAuth May 2012 26
3-Party Security Protocols – OAuth Exchange Pattern 2. Authn with user credentials, User 1. Redirect user agent to delegate access to resource agent OAuth authz endpoint 4. Redirect user agent to relying party with oauth:Grant Asserting party Security Resource 3. Store entitlement endpoint endpoint 6. Respond with 8. Respond with resource oauth:AccessToken 5. Authn with client 7. Authn with credentials, supply oauth:AccessToken, oauth:Grant, request request resource oauth:AccessToken Relying party 9. Process resource May 2012 27
2-Party Security Protocols – HTTP Bearer Authentication ▶ OAuth-defined mechanism extending the HTTP access authentication framework (RFC 2616) – may be used independent of OAuth: – WWW-Authenticate response header: specifies the authentication method (Bearer) and allows to specify realm and scope parameters – Authorization request header: transfers a bearer token in Base64 encoding ▶ Bearer tokens: – Any party in possession of the token can use it to get access to the associated resources - without demonstrating possession of a cryptographic key – Supported form-factors: • SAML Assertion objects (self-contained security token) • JSON Web tokens (self-contained security token) ▶ The specifications are developed by the IETF oauth working group: – The OAuth 2.0 Authorization Protocol: Bearer Tokens (Draft 2012) – SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 (Draft 2012) – JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 (Draft 2012) ▶ Familiar to: - May 2012 28
2-Party Security Protocols – HTTP MAC Authentication ▶ OAuth-defined mechanism extending the HTTP access authentication framework (RFC 2616) – may be used independent of OAuth: – WWW-Authenticate response header: specifies the authentication method (MAC) – Authorization request header: transfers a symmetric cryptographic checksum over portions of the HTTP request ▶ MAC tokens: – Any party using the token needs to demonstrate possession of a cryptographic key. Keying associations are established out-of-band or employ OAuth access tokens. – Supported form-factor: identifier token ▶ The specification is developed by the IETF oauth working group: – HTTP Authentication: MAC Access Authentication (Draft 2012) ▶ Familiar to:  HTTP Digest authentication (RFC 2617, does require a user password)  HTTP OAuth authentication (RFC 5849, a predecessor)  HTTP AWS authentication (AWS proprietary) May 2012 29
2-Party Security Protocols – OTP Authentication ▶ HOTP, TOTP and OCRA define the exchanges between claimants and verifiers in order to establish shared secret key-based entity authentication - without binding the exchanges to an actual transfer protocol (typical implementations use HTTP through HTML forms): – HOTP: event-based OTPs – TOTP: time-based OTPs – OCRA: challenge/response-based OTPs ▶ PSKC and DSKPP define means to establish and manage the underlying keying associations. ▶ The specifications are developed by the OATH community and brought into IETF: – HOTP: An HMAC-Based OTP Algorithm (RFC 4226, 2005) – TOTP - Time-based One-time Password Algorithm (RFC 6238, 2011) – OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287, 2011) – PSKC - Portable Symmetric Key Container (RFC 6030, 2010) – DSKPP - Dynamic Symmetric Key Provisioning Protocol (RFC 6063, 2010) ▶ Familiar to: RFC 2289, vendor-proprietary solutions May 2012 30
Security Infrastructure – OAuth Authorization Server ▶ To decouple resource server tasks from OAuth-tasks, OAuth 2.0 introduces the authorization server as a distinguished entity with following endpoints: – Authorization endpoint: entitle 3rd-party clients, resource owner-facing – Token endpoint: acquire access tokens (initial, refresh), relying party-facing ▶ OpenID Connect extends the OAuth authorization server abstraction by adding: – UserInfo endpoint: query identity data, relying party-facing – CheckID endpoint: query and validate ID token objects, relying party-facing – Refresh session endpoint: refresh ID token objects, relying party-facing – End session endpoint: terminate sessions at IdPs, relying party-facing ▶ By extension (further token types, use cases, explicit system interfaces and network protocol), it may evolve towards a security infrastructure service: – It supports the underlying use cases (delegation use case in access management, federation use case in identity management) – But is not limited to them and presents a security infrastructure service nucleus – Kantara UMA is already going this direction ▶ The specifications are developed by the IETF oauth working group: – The OAuth 2.0 Authorization Framework (Draft 2012) ▶ Familiar to: WS-Trust STS May 2012 31
Security Token – JSON Web Token - JWT ▶ JWT defines self-contained security tokens for space-constrained environments: – Uses JSON data structures (RFC 4627) to represent identity-related information about a subject for transfer from an asserting to a relying party. – Embody (name, value)-pairs – called claims - to express identity-related data: • Claim names: o Define some reserved claim names e.g. exp (expiration time) Support IANA-registered public claim names o o Allow private claim names • Claim values: JSON-defined data types esp. literal (string, number, Boolean) or complex (object, array) types – JWT may be signed (JSON Web Signature) and/or encrypted (JSON Web Encryption) – JWT supports the bearer model but does not yet support PoP ▶ The specification is currently provided as individual submission to the IETF jose working group: – JSON Web Token (JWT) (Draft 2012) ▶ Familiar to: SAML Assertion May 2012 32
Meta-Information Syntax – Level of Assurance - LoA ▶ Level of assurance specifications allow asserting parties to express how authentication and identity creation was done: – They establish mutually understood levels along with applicable criteria: • LoA-1: Little or no confidence in the asserted identity e.g. self-asserted identity from OpenId IdP • LoA-2: Some confidence in the asserted identity e.g. third-party asserted identity from SAML IdP (bearer token, single factor initial authentication) • LoA-3: High confidence in the asserted identity e.g. third-party asserted identity from SAML IdP (bearer token, multi-factor initial authentication) • LoA-4: Very high confidence in the asserted identity e.g. third-party asserted identity from SAML IdP (PoP token, multi-factor initial authentication) – The qualification encompasses enrolment, credential management, and entity authentication phases ▶ Specifications are developed by NIST, ITU-T | ISO/IEC, and Kantara: – NIST SP800-63 Electronic Authentication Guideline (2006) – ITU-T X.1254 | ISO/IEC 29115 – Entity authentication assurance framework (Draft 2012) – Kantara Identity Assurance Framework (2010) ▶ Familiar to: - May 2012 33
Security Syntax – JSON Web Signature - JWS ▶ JSON Web Signature defines a compact digital signature format addressing space-constrained environments: – Uses JSON data structures to represent signed data of arbitrary type along with validation meta-data – Per JWS object, a single data object can be signed – Supports the enveloping of signed data (JWS object wraps signed data) but does not yet support enveloped and detached signed data – Allows to refer to validation keys by-reference (JSON Web Key URL, X.509 certificate path URL, identifier, thumbprint) or by-value (JSON Web Key object, X.509 certificate path) – Supports symmetric as well as asymmetric checksums e.g. • HMAC-SHA256 • RSA-SHA256 • ECDSA-SHA-256 (NIST P-256) ▶ The specification is developed by the IETF jose working group: – JSON Web Signature (JWS) (Draft 2012) ▶ Familiar to: XML Signature, PKCS#7/CMS May 2012 34
Security Syntax – JSON Web Key - JWK ▶ JSON Web Key defines a compact public key representation format addressing space-constrained environments:  Uses JSON data structures to represent public keys (in plain form, not in form of public key certificates) ▶ The specification is developed by the IETF jose working group: – JSON Web Key (JWK) (Draft 2012) ▶ Familiar to: XML Signature (ds:KeyInfo portion) May 2012 35
Security Syntax – JSON Web Encryption - JWE ▶ JSON Web Encryption defines a compact encryption format addressing space- constrained environments: – Uses JSON data structures to represent encrypted data of arbitrary type along with decryption meta-data – Allows to refer to decryption keys by-reference (JSON Web Key URL, X.509 certificate path URL, identifier, thumbprint) or by-value (JSON Web Key object, X.509 certificate path) – Encrypts payload through an indirection (content/key encryption) – Can also integrate HMAC-based message authentication (first-encrypt-then- sign) ▶ The specification is developed by the IETF jose working group: – JSON Web Encryption (JWE) (Draft 2012) ▶ Familiar to: XML Encryption, PKCS#7/CMS May 2012 36
Security Syntax – JSON Web Algorithms - JWA ▶ JSON Web Algorithm defines descriptors for cryptographic algorithms – For use with JSON Web Encryption and Signature ▶ The specification is developed by the IETF jose working group: – JSON Web Algorithms (JWA) (Draft 2012) ▶ Familiar to: n.a. (handled inline by XML and ASN.1-based security syntax specifications) May 2012 37

Recomendados

Analyzing OAuth
Analyzing OAuthAnalyzing OAuth
Analyzing OAuthOliver Pfaff
 
O Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bO Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bBruce O'Dell
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CloudIDSummit
 
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...Michael Noel
 
Context Automation (with video demos)
Context Automation (with video demos)Context Automation (with video demos)
Context Automation (with video demos)Phil Windley
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonEduserv
 

Recomendados

Analyzing OAuth
Analyzing OAuthAnalyzing OAuth
Analyzing OAuthOliver Pfaff
 
O Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bO Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bBruce O'Dell
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CloudIDSummit
 
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...Michael Noel
 
Context Automation (with video demos)
Context Automation (with video demos)Context Automation (with video demos)
Context Automation (with video demos)Phil Windley
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonEduserv
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaicationSean Xiong
 
Straight Talk on Data Tokenization for PCI & Cloud
Straight Talk on Data Tokenization for PCI & CloudStraight Talk on Data Tokenization for PCI & Cloud
Straight Talk on Data Tokenization for PCI & CloudIntel - API Security & Tokenization
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Jorgen Thelin
 
Identity, Security, and XML Web Services -- The Importance of Interoperable S...
Identity, Security, and XML Web Services -- The Importance of Interoperable S...Identity, Security, and XML Web Services -- The Importance of Interoperable S...
Identity, Security, and XML Web Services -- The Importance of Interoperable S...Jorgen Thelin
 
E collaborationscottrea
E collaborationscottreaE collaborationscottrea
E collaborationscottreaCollaborative Health Consortium
 
P hallam baker_keynote
P hallam baker_keynoteP hallam baker_keynote
P hallam baker_keynoteshindeshekhar
 
SWID Tag Creation Tool
SWID Tag Creation Tool SWID Tag Creation Tool
SWID Tag Creation Tool Dj Das
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureCh12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureInformation Technology
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsAvtex
 
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2dP2PSystem
 
Juniper Enterprise Guest Access
Juniper Enterprise Guest AccessJuniper Enterprise Guest Access
Juniper Enterprise Guest AccessAltaware, Inc.
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Venkatesh Jambulingam
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Access management
Access managementAccess management
Access managementVenkatesh Jambulingam
 

Más contenido relacionado

La actualidad más candente

OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaicationSean Xiong
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Jorgen Thelin
 
Identity, Security, and XML Web Services -- The Importance of Interoperable S...
Identity, Security, and XML Web Services -- The Importance of Interoperable S...Identity, Security, and XML Web Services -- The Importance of Interoperable S...
Identity, Security, and XML Web Services -- The Importance of Interoperable S...Jorgen Thelin
 
P hallam baker_keynote
P hallam baker_keynoteP hallam baker_keynote
P hallam baker_keynoteshindeshekhar
 
SWID Tag Creation Tool
SWID Tag Creation Tool SWID Tag Creation Tool
SWID Tag Creation Tool Dj Das
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureCh12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureInformation Technology
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsAvtex
 
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2dP2PSystem
 
Juniper Enterprise Guest Access
Juniper Enterprise Guest AccessJuniper Enterprise Guest Access
Juniper Enterprise Guest AccessAltaware, Inc.
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 

La actualidad más candente (20)

OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
 
Straight Talk on Data Tokenization for PCI & Cloud
Straight Talk on Data Tokenization for PCI & CloudStraight Talk on Data Tokenization for PCI & Cloud
Straight Talk on Data Tokenization for PCI & Cloud
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09
 
Identity, Security, and XML Web Services -- The Importance of Interoperable S...
Identity, Security, and XML Web Services -- The Importance of Interoperable S...Identity, Security, and XML Web Services -- The Importance of Interoperable S...
Identity, Security, and XML Web Services -- The Importance of Interoperable S...
 
E collaborationscottrea
E collaborationscottreaE collaborationscottrea
E collaborationscottrea
 
P hallam baker_keynote
P hallam baker_keynoteP hallam baker_keynote
P hallam baker_keynote
 
SWID Tag Creation Tool
SWID Tag Creation Tool SWID Tag Creation Tool
SWID Tag Creation Tool
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureCh12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key Infrastructure
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for Extranets
 
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
 
Juniper Enterprise Guest Access
Juniper Enterprise Guest AccessJuniper Enterprise Guest Access
Juniper Enterprise Guest Access
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
 

Similar a New Trends in Web Security

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Amazon Web Services
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...Information Security Awareness Group
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication ModelsRaj Chanchal
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
HAD05: Collaborating with Extranet Partners on SharePoint 2010
HAD05: Collaborating with Extranet Partners on SharePoint 2010HAD05: Collaborating with Extranet Partners on SharePoint 2010
HAD05: Collaborating with Extranet Partners on SharePoint 2010Michael Noel
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMhackingtrialpay
 
Securing Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudSecuring Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudVMware Tanzu
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Amazon Web Services
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsMaxim Salnikov
 
SmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCMSmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCMOKsystem
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01Paul Madsen
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationSylvain Maret
 

Similar a New Trends in Web Security (20)

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
Access management
Access managementAccess management
Access management
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
HAD05: Collaborating with Extranet Partners on SharePoint 2010
HAD05: Collaborating with Extranet Partners on SharePoint 2010HAD05: Collaborating with Extranet Partners on SharePoint 2010
HAD05: Collaborating with Extranet Partners on SharePoint 2010
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
 
Securing Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudSecuring Microservices in Hybrid Cloud
Securing Microservices in Hybrid Cloud
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
SmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCMSmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCM
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 

Más de Oliver Pfaff

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT SecurityOliver Pfaff
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services SecurityOliver Pfaff
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary LifeOliver Pfaff
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Oliver Pfaff
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityOliver Pfaff
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessOliver Pfaff
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceOliver Pfaff
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationOliver Pfaff
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPOliver Pfaff
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Oliver Pfaff
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareOliver Pfaff
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?Oliver Pfaff
 

Más de Oliver Pfaff (14)

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary Life
 
OAuth Base Camp
OAuth Base CampOAuth Base Camp
OAuth Base Camp
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-Security
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusiness
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services Federation
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAP
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health Care
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 

Último

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 

Último (20)

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 

New Trends in Web Security

  • 1. New Trends in Web Security Oliver Pfaff May 10, 2012
  • 2. A Journey through Time – 2000 to 2012 Authentication Authorization IAM (Identity and IT-security Access Management) Federation ▶ Enterprise camp: identities/resources Has use cases owned by legal entities driving current innovation ▶ Internet camp: identities/resources owned by individual users May 2012 2
  • 3. Security-Enabling the HTTP Stack - Until 2010 Protocol stack Security fabric No help - does match target environment WS-*/ Security WS- infrastructure Security HTTP body HTTP Security Security header protocols syntax SSL/TLS Security token TCP Helps - but does not cover given use cases IP Meta-information Cryptographic algorithms May 2012 3
  • 4. Driving Forces ▶ Constrained clients:  Smart phones/tablets accessing via mobile networks  Promote native clients: talk HTTP, serve single users – but are no classical Web browsers ▶ API economy:  Content aggregation via mash-ups/composite applications, Web APIs exposing lightweight interfaces, RESTful Web services – no WS-*  Promote application clients: talk HTTP, serve multiple users ▶ Cloud:  Procure IT from the network: applications (SaaS), software (PaaS) or hardware infrastructure (IaaS)  For many organizations "owning iron" is a snail’s pace approach. Holds for the server side (XaaS) and the client side (BYOD) ▶ Disillusion:  Some things did not fly such as PKI to the end-user: • Not handy: people do not understand PKI – even IT pro’s struggle • Compromises: Comodo/DigiNotar/StartTLS CAs, DuQu, Stuxnet • Ramifications of lemon markets (Nobel prize-awarded theory) apply May 2012 4
  • 5. …Their Constraints/Needs/Use Cases ▶ Constrained clients:  Interactions: server-side, no client-side redirections  Compact representations: new formats for security objects, no WS-* ▶ API economy:  Authenticate API clients: new authentication schemes for HTTP 3-party scenarios  Manage access to personal resources: new authorization protocols  Move identity data (for self): on-boarding of individual users ▶ Cloud:  Externalize user authentication: provide seamless access (i.e. SSO)  Manage identity data (for any): user on-boarding in bulk-style  Manage authorization: govern access control for subscriber resources ▶ Disillusion:  Alternate entity authentication schemes: stronger than username/static password, less awkward than public key certificate and private key  Supply meta-information: express to relying parties how authentication and identity creation was done May 2012 5
  • 6. Use Cases Requiring 3-Party Exchanges ▶ Manage access to personal resources  Prerequisites: user and asserting/relying party authentication ▶ Move identity data (for self)  Prerequisites: user and asserting/relying party authentication ▶ Externalize user authentication  Prerequisite: user and asserting party authentication Personal App resources Identity HTTP data UI SSL/ User App TLS authentication HTTP TCP/ SSL/ HTTP IP TLS Asserting party TCP/ SSL/ IP TLS TCP/ User agent IP Relying party May 2012 6
  • 7. 3-Party Exchange Pattern – Functional Requirements User ▶ Facilitate 3-party overlay: Authn agent  User agent to asserting party - security with Provide endpoint: creds grant • Entitle relying party after authenticating • UI-style: entitlement dialogue with arbitrary Web user authentication Asserting  Relying party to asserting party - party security endpoint: Entitle- Security Resource • Obtain security token after ment endpoint endpoint authenticating • API-style: new protocols with Provide arbitrary Web client authentication token Authn  Relying party to asserting party – with resource endpoint: token • Obtain resource access after authenticating Authn with • API-style: new authentication creds Relying protocols (token-based) party May 2012 7
  • 8. 3-Party Exchange Pattern – Non-Functional Requirements ▶ 3-party exchanges between relying and asserting parties – via user agents esp. 3-party exchanges: constrained clients: Sub- HTTP  Use HTTP 3xx redirects HTTP  Employ URL query parameters for Hdr. Body exchange of security token acquisition N.a. objects and their responses ▶ Subsequent 2-party exchanges between URL N.a. relying and asserting parties: query  Use HTTP Authorization headers for authentication purposes based on security tokens 2-party exchanges: ▶ URL query parameters as well as HTTP Sub- HTTP Authorization headers are space- HTTP constrained: Hdr. Body  Objects to acquire and utilize security SSL/ tokens must match these constraints TLS  Note: SAML assertion/protocol syntax Authn Var. objects are suspect of violating them header May 2012 8
  • 9. Identifying the New Entrants ▶ Constrained clients:  Interactions: N.a.  Compact representations: JWA, JWE, JWK, JWS (IETF jose WG) and JWT (IETF individual submission) ▶ API economy:  Authenticate API clients: HTTP Bearer and MAC authentication (IETF oauth WG)  Manage access to personal resources: OAuth (IETF oauth WG), UMA (Kantara)  Move identity data (for self): OpenID Connect (OpenID) ▶ Cloud:  Externalize user authentication: OpenID Connect (OpenID)  Manage identity data (for any): SCIM (IETF WG candidate)  Manage authorization: XACML 3.0 administration and delegation profile (OASIS) ▶ Disillusion:  Alternate authentication schemes: TOTP (RFC 6238), HOTP (RFC 4226), callbacks (custom)  Supply meta-information: assurance levels (NIST SP800-63, ITU-T X.1254 | ISO/IEC 29115, Kantara IAF) May 2012 9
  • 10. Layering the New Entrants Use case-specific Generic May 2012 10
  • 11. Security Fabric for the HTTP Stack – From ca. 2012 Provides request authn JWS IETF Draft HTTP request authn IETF Draft Provides entity JWE IETF Draft authentication Provides service for managing Provides token Security token authn Security token service <Abstract> <Abstract> Provides token Instantiates Instantiates encryption OAuth authz JWT UMA Promotes server IETF individual Kantara IETF Draft submission Draft Includes OpenID OAuth Connect Extends IETF Draft OpenID Draft May 2012 11
  • 12. Security Fabric for the SOAP Stack – From ca. 2007 (for reference purposes) Provides msg Allows publishing of authn XML Signature W3C standard SOAP Message Provides msg WS-Policy WS-SecurityPolicy Security encryption W3C OASIS standard OASIS standard standard (WS-SX TC) (WSS TC) Defines Allows profiling of Provides entity XML Encryption security for W3C standard authentication STSs Provides service for managing Provides token Security token authn Security token service <Abstract> <Abstract> Provides token Instantiates Instantiates encryption SAML assertion WS-Trust OASIS standard OASIS standard (SAML TC) (WS-SX TC) Extends WSFED OASIS committee specification May 2012 12
  • 13. Security-Enabling the HTTP Stack - From ca. 2012 Protocol stack Security fabric Security infrastructure HTTP body HTTP Security Security header protocols syntax SSL/TLS Security token TCP Meta-information Cryptographic IP algorithms May 2012 13
  • 14. Is It Real? ▶ 4-party security protocol examples: – UMA: http://kantarainitiative.org/confluence/display/uma/UMA+Implementations ▶ 3-party security protocol examples: – OIDC relying party: http://www8322u.sakura.ne.jp/oidconnect/ – OIDC asserting party: http://oauthssodemo.appspot.com/step/1 – OAuth relying party: https://twitter.com/#!/who_to_follow/import/ – OAuth asserting party: https://accounts.google.com/OAuthAuthorizeToken ▶ 2-party security protocol examples: – HTTP Bearer authentication: cf. OpenID Connect sample – HTTP MAC authentication: N.a. - current implementations utilize HTTP Bearer. ▶ Security infrastructure examples: – OAuth authorization server: cf. OpenID Connect sample ▶ Security token examples: – JWT: cf. OpenID Connect sample ▶ Meta-information syntax examples: – LoA: N.a. ▶ Security syntax examples: – JWA/E/K/S: cf. OpenID Connect sample May 2012 14
  • 15. Conclusions ▶ It is amazing what is happening right now – security-wise as well as IAM-wise ▶ The current innovation is triggered by use cases from the Internet IAM camp. In particular, it addresses needs related to Web 2.0 as well as social networks ▶ This does not imply that the emerging mechanisms are limited to these domains: – Other industries have matching use cases e.g. user-managed access to medical data to-be-shared among healthcare providers (ECRs – Electronic Case Records) – Their resolution delivers security mechanisms that can be (re-)used in other use cases – Security functionality for 3-party Web exchanges presents a main focus. Such 3-party exchanges also apply in other industries – probably with some other details but likely requiring similar patterns and approaches. ▶ The evolution of specifications, implementation of toolkits (many open source) and supply of services on the Internet happens in parallel ▶ This innovation in Web security is still ongoing and not yet concluded May 2012 15
  • 16. Abbreviations AJAX Asynchronous JavaScript And XML API Application Programming Interface AWS Amazon Web Services BYOD Bring Your Own Device CA Certification Authority CMS Cryptographic Message Syntax ECC Elliptic Curve Cryptography HMAC Hash-based Message Authentication Code HOTP HMAC-based OTP HTML HyperText Markup Language HTTP HyperText Transfer Protocol IaaS Infrastructure as a Service IAF Identity Assurance Framework IAM Identity and Access Management JOSE JavaScript Object Signing and Encryption JSON JavaScript Object Notation JWA/E/K/S/T JSON Web Algorithms/Encryption/Key/Signature/Token LoA Level of Assurance OATH Open Authentication OAuth Open Authorization May 2012 16
  • 17. Abbreviations (cont’d) OIDC OpenID Connect OTP OneTime Password PaaS Platform as a Service PKCS Public-Key Cryptography Standards PKI Public Key Infrastructure PoP Proof-of-Possession REST REpresentational State Transfer SaaS Software as a Service SAML Security Assertion Markup Language SCIM Simple Cloud Identity Management SOAP Simple Object Access Protocol SSL Secure Sockets Layer STS Security Token Service TLS Transport Layer Security TOTP Time-based OTP UMA User-Managed Access URL Uniform Resource Locator WS Web Services XaaS Any X offered ’as-a-Service’ XML eXtensible Markup Language May 2012 17
  • 18. Background ▶ Fielding, R.: Architectural Styles and the Design of Network-based Software Architectures. PhD Thesis. University of California, Irvine, 2000. ▶ Gutmann, P.: PKI: Lemon Markets and Lemonade. RSA Security Conference 2011. ▶ Jones, M.: The Emerging JSON-Based Identity Protocol Suite. W3C Workshop on Identity in the Browser, 2011. ▶ Machulak, M.P. et al.: User-Managed Access to Web Resources. Proceedings of the 6th ACM Workshop on Digital Identity Management, 2010. ▶ Mash-up directory: http://www.programmableweb.com/mashups/directory ▶ Pautasso, C.; Zimmermann, O.; Leymann, F.: RESTful Web Services vs. “Big” Web Services: Making the Right Architectural Decision. Proc. of the 17th International World Wide Web Conference, Bejing, 2008. ▶ Prins, J.R.: DigiNotar Certificate Authority breach “Operation Black Tulip”. Interim Report: Investigation DigiNotar Certificate Authority Environment, 2011. ▶ Rabin, J.; McCathieNevile, C. (eds.): Mobile Web Best Practices 1.0. W3C Recommendation 2008. ▶ Rutkowski, M. (ed.): Identity in the Cloud Use Cases Version 1.0. OASIS Committee Note, 2012. ▶ Web API directory: http://www.programmableweb.com/apis/directory ▶ Yegge, S.: Stevey's Google Platforms Rant. 2011 May 2012 18
  • 20. Web Application Styles Traditional AJAX-aware Mobile Mash-up Web browser Web browser Native client Application client UI UI UI HTTP server JavaScript HTML or HTML HTML JSON,XML JSON,XML HTTP client AJAX engine HTTP client Business logic Request JSON,XML Request JSON,XML HTTP client HTTP client Request Request Response Response Response Response (HTML) (JSON, XML) (JSON, XML) (JSON, XML) HTTP server HTTP server HTTP server HTTP server Web server Web server Web server Web server UI-style IO API-style IO May 2012 20
  • 21. Characterizing Client-Side Components ▶ Web browsers: – HTTP client with address bar, serves resources of arbitrary services – HTML as primary media type (UI-style) – Client-side scripting support – Serves #1 simultaneous user – Examples: Google Chrome, Microsoft Internet Explorer, Mozilla Firefox ▶ Native clients: – HTTP client without address bar, serves resources of a specific service – HTML (UI-style) or JSON/XML as primary media type (API-style) – Serves #1 simultaneous user – Example: Android/iPhone Web apps ▶ Application clients: – HTTP client and server – JSON/XML as primary media type towards downstream application (API-style) – Provides own application/business functionality (i.e. not only a HTTP proxy) – Serves #n simultaneous users – Example: Amazon & eBay comparison shopping May 2012 21
  • 22. Security Fabric for the HTTP Stack – Until 2010 ▶ Security fabric is broadly absent in the actual HTTP layer: – HTTP Basic authentication: username/password-based authentication • Transfers credentials in plain (to be precise: Base64 encoded) • Unpopular: HTML form-based authentication is preferred – HTTP Digest authentication: shared secret key-based authentication • Not used in practice – Custom HTTP authentication methods: Kerberos/NTLM-based authentication • Used for integrated Windows authentication – HTTP session state mechanisms: • No actual security mechanism but a factor in the security fingerprint ▶ Security fabric is present: – Underneath the HTTP layer: SSL/TLS – Above the HTTP layer: WS-Security ▶ Caveats: – Underneath the HTTP layer: hard to support complex use cases – Above the HTTP layer: adds significant infrastructural burden May 2012 22
  • 23. 4-Party Security Protocols – User-Managed Access - UMA ▶ UMA refines OAuth 2.0: – Allows users to manage access to individual resources, residing on any number of OAuth resource servers, through a single OAuth authorization server – Extends OAuth by formalizing interactions between OAuth resource and authorization servers (underspecified in OAuth) – Promotes OAuth authorization servers to independent network services – hence turns the 3-party protocol OAuth into a 4-party protocol – Extends the OAuth notion of scope and hence enhances the granularity of access control – More information: Comparing OAuth and UMA, UMA Frequently Asked Questions ▶ The specifications are developed by a Kantara working group: – User-Managed Access (UMA) Core Protocol (Draft 2012 also published as IETF Draft - individual submission) – UMA Trust Model (Draft 2012) – UMA Scenarios and Use Cases (Draft 2010) – UMA User Stories (Draft 2010) ▶ Familiar to: - May 2012 23
  • 24. 3-Party Security Protocols – OpenID Connect ▶ OpenID Connect defines an identity layer on top of OAuth 2.0: – Exploits and extends OAuth for a specific kind of resources: data specific to user authentication and user identity (e.g. data persisted in user accounts) – Turns a solution for the delegation use case in access management into an approach for the federation use case in identity management ▶ The specifications are developed by the OpenID community: – Basic Client Profile (Draft 2012) – Discovery (Draft 2012) – Dynamic Registration (Draft 2012) – Standard (Draft 2012) – Messages (Draft 2012) – Session Management (Draft 2012) ▶ Familiar to: SAML, WS-Federation (passive profile), OpenID (note: it’s relation to the original OpenID protocol is loose) ▶ More information: OpenID Connect - An Emperor Or Just New Cloths? May 2012 24
  • 25. 3-Party Security Protocols – OpenID Connect Exchange Pattern 2. Authn with user credentials, User 1. Redirect user agent to delegate access to identity data agent OAuth authz endpoint, provide oidc:Request object 4. Redirect user agent to relying party with oauth:Grant Asserting party Security UserInfo 3. Store entitlement endpoint endpoint 6. Respond with 9. Respond with user info oauth:AccessToken, oidc:IdToken 5. Authn with client 8. Authn with credentials, supply oauth:AccessToken, oauth:Grant, request request user info oauth:AccessToken, oidc:IdToken Relying 7. Consume oidc:IdToken party 10. Process user info May 2012 25
  • 26. 3-Party Security Protocols – OAuth ▶ OAuth allows resource owners to delegate resource access rights to third-party consumers (such as composite applications in a mash-up) in a discretionary fashion with a limited scope (functionality, time). ▶ The specifications are developed by the IETF oauth working group: – The OAuth 2.0 Authorization Framework (Draft 2012) – The OAuth 1.0 Protocol (RFC 5849, 2010) ▶ Familiar to: - ▶ More information: Analyzing OAuth May 2012 26
  • 27. 3-Party Security Protocols – OAuth Exchange Pattern 2. Authn with user credentials, User 1. Redirect user agent to delegate access to resource agent OAuth authz endpoint 4. Redirect user agent to relying party with oauth:Grant Asserting party Security Resource 3. Store entitlement endpoint endpoint 6. Respond with 8. Respond with resource oauth:AccessToken 5. Authn with client 7. Authn with credentials, supply oauth:AccessToken, oauth:Grant, request request resource oauth:AccessToken Relying party 9. Process resource May 2012 27
  • 28. 2-Party Security Protocols – HTTP Bearer Authentication ▶ OAuth-defined mechanism extending the HTTP access authentication framework (RFC 2616) – may be used independent of OAuth: – WWW-Authenticate response header: specifies the authentication method (Bearer) and allows to specify realm and scope parameters – Authorization request header: transfers a bearer token in Base64 encoding ▶ Bearer tokens: – Any party in possession of the token can use it to get access to the associated resources - without demonstrating possession of a cryptographic key – Supported form-factors: • SAML Assertion objects (self-contained security token) • JSON Web tokens (self-contained security token) ▶ The specifications are developed by the IETF oauth working group: – The OAuth 2.0 Authorization Protocol: Bearer Tokens (Draft 2012) – SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 (Draft 2012) – JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 (Draft 2012) ▶ Familiar to: - May 2012 28
  • 29. 2-Party Security Protocols – HTTP MAC Authentication ▶ OAuth-defined mechanism extending the HTTP access authentication framework (RFC 2616) – may be used independent of OAuth: – WWW-Authenticate response header: specifies the authentication method (MAC) – Authorization request header: transfers a symmetric cryptographic checksum over portions of the HTTP request ▶ MAC tokens: – Any party using the token needs to demonstrate possession of a cryptographic key. Keying associations are established out-of-band or employ OAuth access tokens. – Supported form-factor: identifier token ▶ The specification is developed by the IETF oauth working group: – HTTP Authentication: MAC Access Authentication (Draft 2012) ▶ Familiar to:  HTTP Digest authentication (RFC 2617, does require a user password)  HTTP OAuth authentication (RFC 5849, a predecessor)  HTTP AWS authentication (AWS proprietary) May 2012 29
  • 30. 2-Party Security Protocols – OTP Authentication ▶ HOTP, TOTP and OCRA define the exchanges between claimants and verifiers in order to establish shared secret key-based entity authentication - without binding the exchanges to an actual transfer protocol (typical implementations use HTTP through HTML forms): – HOTP: event-based OTPs – TOTP: time-based OTPs – OCRA: challenge/response-based OTPs ▶ PSKC and DSKPP define means to establish and manage the underlying keying associations. ▶ The specifications are developed by the OATH community and brought into IETF: – HOTP: An HMAC-Based OTP Algorithm (RFC 4226, 2005) – TOTP - Time-based One-time Password Algorithm (RFC 6238, 2011) – OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287, 2011) – PSKC - Portable Symmetric Key Container (RFC 6030, 2010) – DSKPP - Dynamic Symmetric Key Provisioning Protocol (RFC 6063, 2010) ▶ Familiar to: RFC 2289, vendor-proprietary solutions May 2012 30
  • 31. Security Infrastructure – OAuth Authorization Server ▶ To decouple resource server tasks from OAuth-tasks, OAuth 2.0 introduces the authorization server as a distinguished entity with following endpoints: – Authorization endpoint: entitle 3rd-party clients, resource owner-facing – Token endpoint: acquire access tokens (initial, refresh), relying party-facing ▶ OpenID Connect extends the OAuth authorization server abstraction by adding: – UserInfo endpoint: query identity data, relying party-facing – CheckID endpoint: query and validate ID token objects, relying party-facing – Refresh session endpoint: refresh ID token objects, relying party-facing – End session endpoint: terminate sessions at IdPs, relying party-facing ▶ By extension (further token types, use cases, explicit system interfaces and network protocol), it may evolve towards a security infrastructure service: – It supports the underlying use cases (delegation use case in access management, federation use case in identity management) – But is not limited to them and presents a security infrastructure service nucleus – Kantara UMA is already going this direction ▶ The specifications are developed by the IETF oauth working group: – The OAuth 2.0 Authorization Framework (Draft 2012) ▶ Familiar to: WS-Trust STS May 2012 31
  • 32. Security Token – JSON Web Token - JWT ▶ JWT defines self-contained security tokens for space-constrained environments: – Uses JSON data structures (RFC 4627) to represent identity-related information about a subject for transfer from an asserting to a relying party. – Embody (name, value)-pairs – called claims - to express identity-related data: • Claim names: o Define some reserved claim names e.g. exp (expiration time) Support IANA-registered public claim names o o Allow private claim names • Claim values: JSON-defined data types esp. literal (string, number, Boolean) or complex (object, array) types – JWT may be signed (JSON Web Signature) and/or encrypted (JSON Web Encryption) – JWT supports the bearer model but does not yet support PoP ▶ The specification is currently provided as individual submission to the IETF jose working group: – JSON Web Token (JWT) (Draft 2012) ▶ Familiar to: SAML Assertion May 2012 32
  • 33. Meta-Information Syntax – Level of Assurance - LoA ▶ Level of assurance specifications allow asserting parties to express how authentication and identity creation was done: – They establish mutually understood levels along with applicable criteria: • LoA-1: Little or no confidence in the asserted identity e.g. self-asserted identity from OpenId IdP • LoA-2: Some confidence in the asserted identity e.g. third-party asserted identity from SAML IdP (bearer token, single factor initial authentication) • LoA-3: High confidence in the asserted identity e.g. third-party asserted identity from SAML IdP (bearer token, multi-factor initial authentication) • LoA-4: Very high confidence in the asserted identity e.g. third-party asserted identity from SAML IdP (PoP token, multi-factor initial authentication) – The qualification encompasses enrolment, credential management, and entity authentication phases ▶ Specifications are developed by NIST, ITU-T | ISO/IEC, and Kantara: – NIST SP800-63 Electronic Authentication Guideline (2006) – ITU-T X.1254 | ISO/IEC 29115 – Entity authentication assurance framework (Draft 2012) – Kantara Identity Assurance Framework (2010) ▶ Familiar to: - May 2012 33
  • 34. Security Syntax – JSON Web Signature - JWS ▶ JSON Web Signature defines a compact digital signature format addressing space-constrained environments: – Uses JSON data structures to represent signed data of arbitrary type along with validation meta-data – Per JWS object, a single data object can be signed – Supports the enveloping of signed data (JWS object wraps signed data) but does not yet support enveloped and detached signed data – Allows to refer to validation keys by-reference (JSON Web Key URL, X.509 certificate path URL, identifier, thumbprint) or by-value (JSON Web Key object, X.509 certificate path) – Supports symmetric as well as asymmetric checksums e.g. • HMAC-SHA256 • RSA-SHA256 • ECDSA-SHA-256 (NIST P-256) ▶ The specification is developed by the IETF jose working group: – JSON Web Signature (JWS) (Draft 2012) ▶ Familiar to: XML Signature, PKCS#7/CMS May 2012 34
  • 35. Security Syntax – JSON Web Key - JWK ▶ JSON Web Key defines a compact public key representation format addressing space-constrained environments:  Uses JSON data structures to represent public keys (in plain form, not in form of public key certificates) ▶ The specification is developed by the IETF jose working group: – JSON Web Key (JWK) (Draft 2012) ▶ Familiar to: XML Signature (ds:KeyInfo portion) May 2012 35
  • 36. Security Syntax – JSON Web Encryption - JWE ▶ JSON Web Encryption defines a compact encryption format addressing space- constrained environments: – Uses JSON data structures to represent encrypted data of arbitrary type along with decryption meta-data – Allows to refer to decryption keys by-reference (JSON Web Key URL, X.509 certificate path URL, identifier, thumbprint) or by-value (JSON Web Key object, X.509 certificate path) – Encrypts payload through an indirection (content/key encryption) – Can also integrate HMAC-based message authentication (first-encrypt-then- sign) ▶ The specification is developed by the IETF jose working group: – JSON Web Encryption (JWE) (Draft 2012) ▶ Familiar to: XML Encryption, PKCS#7/CMS May 2012 36
  • 37. Security Syntax – JSON Web Algorithms - JWA ▶ JSON Web Algorithm defines descriptors for cryptographic algorithms – For use with JSON Web Encryption and Signature ▶ The specification is developed by the IETF jose working group: – JSON Web Algorithms (JWA) (Draft 2012) ▶ Familiar to: n.a. (handled inline by XML and ASN.1-based security syntax specifications) May 2012 37