securing apis
Post on 15-Jan-2015
Prabath Siriwardena Senior Architect & Chair, Integration MC
Johann Nallathamby Software Engineer, Integration MC
AWS Signature - 1
• Split the query string based on '&' and '=' characters into a series of key-value pairs.
• Sort the pairs based on the keys.
• Append the keys and values together, in order, to construct one big string (key1 + value1 + key2 + value2 + ...).
• Sign that string using HMAC-SHA1 and your secret access key.
AWS Signature - 2
• You include additional components of the request in the string to sign
• You include the query string control parameters (the equals signs and ampersands) in the string to sign
• You sort the query string parameters using byte ordering
• You URL encode the query string parameters and their values before signing the request
• You can use HMAC-SHA256 when you sign the request (we prefer HMAC-SHA256, but we still support HMAC-SHA1)
• You must set the SignatureMethod request parameter to either HmacSHA256 or HmacSHA1 to indicate which signing method you're using
• You must set the SignatureVersion request parameter to 2
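The Version 2 rules listed above, worked through as a client-side signer and the matching server-side verifier. This is an added example, not code from the slides or from AWS; the verb/host/path/query layout of the string to sign, the sample parameters and the credentials are assumptions and placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def canonical_query(params):
    """Apply the slide's Version 2 query rules: RFC 3986-encode every key and
    value (only A-Z a-z 0-9 - _ . ~ stay bare), sort by the encoded key in
    byte order, and keep the '=' and '&' separators in the string to sign."""
    pairs = [(quote(k, safe="-_.~"), quote(str(v), safe="-_.~")) for k, v in params.items()]
    pairs.sort(key=lambda kv: kv[0].encode("ascii"))  # byte order, so 'AWS...' sorts before 'Action'
    return "&".join(f"{k}={v}" for k, v in pairs)

def string_to_sign(method, host, path, params):
    # Version 2 layout as AWS documents it (an assumption beyond the slide's list):
    # HTTP verb, lower-cased Host header, request path, canonical query, newline-separated.
    return "\n".join([method.upper(), host.lower(), path or "/", canonical_query(params)])

def sign_request(method, host, path, params, secret_key):
    """Return a copy of params carrying SignatureVersion/SignatureMethod and the
    base64 HMAC-SHA256 Signature computed over everything except Signature itself."""
    signed = {k: v for k, v in params.items() if k != "Signature"}
    signed.setdefault("SignatureVersion", "2")
    signed.setdefault("SignatureMethod", "HmacSHA256")
    mac = hmac.new(secret_key.encode(), string_to_sign(method, host, path, signed).encode(), hashlib.sha256)
    signed["Signature"] = base64.b64encode(mac.digest()).decode("ascii")
    return signed

def verify_request(method, host, path, params, secret_key):
    """Server side: insist on the advertised method/version, recompute the signature
    over the presented parameters and compare in constant time."""
    if params.get("SignatureVersion") != "2" or params.get("SignatureMethod") != "HmacSHA256":
        return False
    presented = params.get("Signature", "")
    expected = sign_request(method, host, path, params, secret_key)["Signature"]
    return hmac.compare_digest(presented, expected)

# Constructed sample request; the key id and secret are placeholders, not real credentials.
SECRET_KEY = "example-secret-access-key"
SAMPLE_PARAMS = {
    "Action": "DescribeInstances",
    "AWSAccessKeyId": "AKIA_EXAMPLE_KEY_ID",
    "Timestamp": "2015-01-15T10:00:00Z",  # lets the server reject stale replays
    "Version": "2014-10-01",
}

if __name__ == "__main__":
    signed = sign_request("GET", "EC2.amazonaws.com", "/", SAMPLE_PARAMS, SECRET_KEY)
    print(verify_request("GET", "ec2.amazonaws.com", "/", signed, SECRET_KEY))  # True
```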
http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
http://blog.programmableweb.com/2010/08/16/twitter-basic-auth-will-truly-disappear-august-30/
Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.
Servers are required to support password authentication, despite the security weaknesses created by passwords.
Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.
Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
http://www.flickr.com/services/api/misc.userauth.html
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
• Complexity in validating and generating signatures.
• No clear separation between Resource Server and Authorization Server.
• Browser based re-redirections.
[Diagram: BasicAuth and OAuth Handshake at setup; Bearer and MAC tokens at Runtime]
Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
Bearer
Request with Bearer

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer "access_token_value"

http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
HTTP MAC access authentication scheme
MAC
Request with MAC

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8",
               ts="1336363200",
               nonce="274312:dj83hs9s",
               mac="kDZvddkndxvhGRXZhvuDjEWhGeE="

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01