Codemash-2017
1. Who Are You & What Can You Do?
Understanding Authentication and Authorization with Federated Identity Services
@kevcody CodeMash 2017 1
2. uname -a
• Kevin Cody (@kevcody)
• Senior Application Security Engineer w/ Aspect Security
• Vulnerability stumble-uponer-er
• Mainframe enthusiast
• Husband/Dad/Hacker/Lock Picker/DIYer (via YouTube)/Fisherman/ADD (flavor-of-the-moment)
• Student of life
• Creator of preso title which is too long and broke everything…
4. obligatory_crowd_polling_question
• Implemented Federated Auth?
• Using Federated Auth (~SSO) at $employergoeshere?
• Working toward implementing Federated Auth?
• Use Federated Auth in personal life?
/*What is the personal life you speak of?*/
• You can pry my basic auth from my cold, dead hands?
5. Objectives
• Discuss AuthN vs. AuthZ.
• Outline wins and shortfalls of current solutions.
• Explore protocols and standards.
• Zero-in on real world security concerns.
• Profit! Give everyone ammunition to appropriately threat model.
6. Authentication vs. Authorization
• Who are you?
• Bob (EvilCorp)
• Alice (EvilCorp)
• Mallory (Just Plain Evil)
Commonly referenced as AuthN
• What can you do?
• Bob (User)
• Alice (Admin)
• Mallory (Not a user: Lurks in the darkness and waits to pounce)
Commonly referenced as AuthZ
7. Define: Federated Identity
• A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
• Related to federated identity is single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability.
Shamelessly pulled from: https://en.wikipedia.org/wiki/Federated_identity
8. Define: Assertions
• An assertion is a package of information that allows identity and security information to be shared across security domains. An assertion typically contains information about a subject or principal, information about the party that issued the assertion and when it was issued, and the conditions under which the assertion is to be considered valid, such as when and where it can be used.
Shamelessly pulled from RFC: https://tools.ietf.org/html/rfc7521
9. Keep in mind…
• Three may keep a secret, if two of them are dead.
10. But, seriously.
• If we decide to pursue Federated Identity Services, whether for AuthN or AuthZ, we are placing inherent trust in partner organizations or third parties. Attackers or LE/nation states will go after the weakest link. This includes metadata and logs.
11. OpenID
• Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website which accepts OpenID authentication.
• The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party").
• The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).
12. OAuth(2)
• OAuth is an open standard for authorization, commonly used as a way for Internet users to authorize websites or applications to access their information on other websites but without giving them the passwords.
• OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner.
13. ADFS
• Active Directory Federation Services (ADFS or AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.
• In ADFS, identity federation is established between two organizations by establishing trust between two security realms.
• Can be used with AD or LDAP.
14. OpenID Connect
• OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID Foundation.
• OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
15. And more…
• OATH
• SiteMinder
• Other COTS Integrations
• Roll your own! (LOL, no.)
16. UX and Organization Wins!
• Reduces count of usernames/passwords or facilitates sharing data.
• Familiar process-flows.
• Clearly identified permissions and revocation. (Standard Dependent)
• Domain risk mitigations and technical/process debt controls. (Implementation Dependent)
17. Threat Modeling
• No seriously, do it!
• Break-down the silos, outline the controls, and document risks.
Image credit: http://web.mit.edu/tweilu/www/eff-ssd-mockup/img/batman.png
19. Unvalidated Redirects & Forwards
• OWASP Top Ten 2013 (A10)
• 301s/302s are the lifeblood of Federated ID plumbing.
• Parameters = Target, continue, redirectto, redirect_uri, etc.
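The slide's point is that the continue/redirectto/redirect_uri style parameters must be checked against what the relying party and authorization server actually registered, never trusted as given. The following Python is an added example, not code from the talk: `ALLOWED_HOSTS`, `DEFAULT_LANDING` and the sample URLs are constructed, and the relying party is assumed to accept only HTTPS targets on its own hosts or site-relative paths. It also shows the authorization-server side, where OAuth redirect_uri matching is an exact string comparison against the client's registered URIs.

```python
from urllib.parse import urlsplit

# Constructed relying-party configuration: the only hosts a post-login redirect may
# go to. Compared exactly, never by prefix or substring.
ALLOWED_HOSTS = {"app.example.com", "portal.example.com"}
DEFAULT_LANDING = "/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return `candidate` if it stays on an allow-listed origin, else the default landing page.

    This is the check a relying party should apply to a user-supplied "continue"/"target"
    parameter before emitting a 301/302 to it.
    """
    if not candidate:
        return default
    # Some browsers treat "\" like "/", so normalize before parsing; otherwise "/\evil.example"
    # would look like a harmless site-relative path to urlsplit.
    parts = urlsplit(candidate.replace("\\", "/"))
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path such as "/dashboard?tab=1": always same origin.
        # "//evil.example" is NOT in this branch: urlsplit parses it as a netloc.
        return candidate if candidate.startswith("/") else default
    if parts.scheme != "https":
        # Rejects http:, protocol-relative "//host" (empty scheme), and non-web schemes.
        return default
    # .hostname strips userinfo and port, so "https://app.example.com@evil.example/"
    # is judged by the real host, evil.example.
    if parts.hostname not in allowed_hosts:
        return default
    return candidate


def redirect_uri_registered(requested_uri, registered_uris):
    """Authorization-server side: OAuth redirect_uri must match a registered URI exactly.

    Prefix or wildcard matching is what lets an attacker bolt a path or an open
    redirector onto a legitimate client's URI, so only exact equality is accepted.
    """
    return requested_uri in set(registered_uris)


if __name__ == "__main__":
    for target in ("/dashboard?tab=1", "https://app.example.com/home",
                   "https://evil.example/", "//evil.example/", "/\\evil.example/",
                   "https://app.example.com@evil.example/", "http://app.example.com/"):
        print(f"{target!r:45} -> {safe_redirect_target(target)!r}")
```

Both functions fail closed: anything the parser cannot positively place on an allowed origin falls back to the landing page, and an unregistered redirect_uri is simply refused rather than "fixed up".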
20. Story Time
• Places, names, & details may be altered to protect the innocent.
24. Security Assertion Markup Language (SAML)
• SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties.
• The SAML specification defines three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP).
28. SAML Attacks
• Signature Exclusion: K.I.S.S
• XML Signature Wrapping (ID-Sig checking vs. XPATH)
• Advanced Extension Attribute Abuse
• Attacks on XML Parsers
• Attacks on Service Protocol
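The "ID-Sig checking vs. XPATH" bullet is the crux of signature wrapping: a service provider that verifies whichever signature it finds and then reads whichever Assertion an XPath query returns first can be handed a valid signature over one assertion and an unsigned assertion it actually consumes. The Python below is an added illustration, not code from the talk or from any SAML library. The Response documents are constructed, the SignatureValue is a placeholder, and the cryptographic verification of the signature over the referenced element is assumed to be performed by an XML-DSig library at the marked point; the example only shows the structural checks that tie the consumed assertion to the signed one.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a Response carrying one signed Assertion for bob. The enveloped
# Signature references the Assertion by ID; SignatureValue is a placeholder.
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>bob@evilcorp.example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed wrapped variant: the signed assertion is left byte-for-byte intact (so the
# signature over "#_a1" still verifies), but an unsigned assertion for alice now comes first.
WRAPPED_RESPONSE = SIGNED_RESPONSE.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_evil">\n'
    '    <saml:Subject><saml:NameID>alice@evilcorp.example</saml:NameID></saml:Subject>\n'
    '  </saml:Assertion>\n'
    '  <saml:Assertion ID="_a1">', 1)


def first_assertion_subject(xml_text):
    """The fragile pattern: read whatever Assertion an XPath-style query returns first,
    independent of which element the signature actually covers."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def signed_assertion_subject(xml_text):
    """Consume only the element the signature's Reference points at, after structural checks.
    Raises ValueError on anything that does not look like exactly one enveloped signature
    over exactly one top-level Assertion."""
    root = ET.fromstring(xml_text)
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise ValueError("expected exactly one signature")
    signature = signatures[0]
    reference = signature.find("ds:SignedInfo/ds:Reference", NS)
    uri = reference.get("URI", "") if reference is not None else ""
    if not uri.startswith("#") or len(uri) < 2:
        raise ValueError("signature must reference an element by ID")
    target_id = uri[1:]
    # The ID must be unique: two elements with the same ID is a wrapping tell-tale.
    candidates = [e for e in root.iter() if e.get("ID") == target_id]
    if len(candidates) != 1:
        raise ValueError("signed ID must be unique in the document")
    assertion = candidates[0]
    if assertion.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("signature does not cover an Assertion")
    # Position checks: direct child of Response, with the Signature enveloped inside it.
    if not any(child is assertion for child in root):
        raise ValueError("signed assertion must be a direct child of the Response")
    if not any(child is signature for child in assertion):
        raise ValueError("signature must be enveloped in the assertion it signs")
    # [assumed] At this point an XML-DSig library verifies SignatureValue against the IdP's
    # certificate over exactly `assertion`; that step is outside this example.
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def subject_or_none(xml_text):
    """Convenience wrapper: the subject the hardened consumer accepts, or None if rejected."""
    try:
        return signed_assertion_subject(xml_text)
    except ValueError:
        return None


if __name__ == "__main__":
    for label, doc in (("signed", SIGNED_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        print(label, "first-assertion:", first_assertion_subject(doc),
              "| signed-assertion:", subject_or_none(doc))
```

Run on the wrapped document, the XPath-first consumer logs in alice while the signature-driven consumer still returns bob; a duplicate-ID variant is refused outright. Use a hardened XML parser (external entities and DTDs disabled) in front of this, which is the "Attacks on XML Parsers" bullet.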
29. JSON Web Tokens (JWT)
• JWT is a JSON-based open standard (RFC 7519) for creating access tokens that assert some number of claims.
• The tokens are signed by the server's key, so the client is able to verify that the token is legitimate.
• Example:
• eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI
• {"alg":"HS256","typ":"JWT"}.{"loggedInAs":"admin","iat":1422779638}.{BLOB}
31. JWT Validation
• Example: Google OpenID Connect
• ID tokens are sensitive and can be misused if intercepted. You must ensure that these tokens are handled securely by transmitting them only over HTTPS and only via POST data or within request headers. If you store them on your server, you must also store them securely.
• One thing that makes ID tokens useful is the fact that you can pass them around different components of your app. These components can use an ID token as a lightweight authentication mechanism authenticating the app and the user. But before you can use the information in the ID token or rely on it as an assertion that the user has authenticated, you must validate it.
{"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"1234987819200.apps.googleusercontent.com",
"email":"jsmith@example.com",
"aud":"1234987819200.apps.googleusercontent.com",
"iat": 1484230797,
"exp": 1484252397,
"hd":"example.com" }
32. JWT Attacks
• Information Leakage/Disclosure
• “none” or null algorithm
• Symmetric vs. Asymmetric Key Issues
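The validation slide says what must be checked; the attacks slide says what happens when one check is skipped. The Python below is an added example, not code from the talk or from any JWT library, covering both: it decodes the example token from slide 29 (signing key unknown, so decode only), mints an HS256 ID token with the claim shape of the Google example on slide 31, and verifies it the way a relying party should. The signing key, the "demo-access-token", and the `is_valid_id_token` helper are constructed; the accepted issuer set and client ID are taken from the slide's claims. The verifier pins the algorithm rather than reading it from the token, which is what defeats both the "none" algorithm and the symmetric/asymmetric key-confusion swap.

```python
import base64
import hashlib
import hmac
import json
import time

# Token from slide 29, reassembled. Its key is not on the slide, so it is only decoded.
SLIDE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9."
               "gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI")


def b64url_decode(s):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """(header, claims) WITHOUT any signature check: for inspection only, never for trust."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def sign_hs256(claims, key):
    """Mint an HS256 JWT; stands in for the authorization server in this example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, ("%s.%s" % (header, body)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, body, b64url_encode(mac))


def at_hash_of(access_token):
    """OIDC at_hash for a SHA-256 based alg: base64url of the left 128 bits of SHA-256(access_token)."""
    return b64url_encode(hashlib.sha256(access_token.encode()).digest()[:16])


def verify_id_token(token, key, issuers, audience, now=None, access_token=None, leeway=60):
    """Validate an ID token before trusting any claim in it. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    # 1. The verifier pins the algorithm; the token's header does not get a vote.
    #    Rejects "alg":"none" (unsigned) and refuses a header claiming RS256, so the
    #    public key can never be fed into HMAC by mistake (key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("algorithm %r not allowed" % header.get("alg"))

    # 2. Signature over the exact bytes received, compared in constant time.
    expected = hmac.new(key, ("%s.%s" % (header_b64, claims_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(claims_b64))

    # 3. Issuer and audience: a genuine token minted for another client is still not ours.
    if claims.get("iss") not in issuers:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError("token not issued for this client")

    # 4. Time window, with a small skew allowance.
    if "exp" not in claims or now > int(claims["exp"]) + leeway:
        raise ValueError("token expired")
    if "iat" in claims and int(claims["iat"]) > now + leeway:
        raise ValueError("token issued in the future")

    # 5. Optionally bind the ID token to the access token it arrived with (at_hash).
    if access_token is not None and claims.get("at_hash") != at_hash_of(access_token):
        raise ValueError("at_hash does not match access token")
    return claims


def is_valid_id_token(*args, **kwargs):
    """Boolean wrapper around verify_id_token for call sites that only need accept/reject."""
    try:
        verify_id_token(*args, **kwargs)
        return True
    except ValueError:  # json and base64 errors are ValueError subclasses too
        return False


if __name__ == "__main__":
    print(decode_unverified(SLIDE_TOKEN))
    key = b"constructed-demo-key"
    claims = {"iss": "accounts.google.com", "sub": "10769150350006150715113082367",
              "aud": "1234987819200.apps.googleusercontent.com", "iat": 1484230797,
              "exp": 1484252397, "at_hash": at_hash_of("demo-access-token")}
    tok = sign_hs256(claims, key)
    print(verify_id_token(tok, key, {"accounts.google.com", "https://accounts.google.com"},
                          "1234987819200.apps.googleusercontent.com",
                          now=1484230900, access_token="demo-access-token")["sub"])
```

The order matters: the algorithm and signature are checked before a single claim is parsed for trust, and `decode_unverified` exists only so the contrast with `verify_id_token` is explicit. For RS256 tokens from a real provider the same structure applies with the provider's published keys in place of `key`; the algorithm pin stays.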
33. FIDO UAF & U2F
• Universal Authentication Framework: User registers their device to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc.
• Universal 2nd Factor: This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login.