O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

IBM Index Conference - 10 steps to build token based API Security

514 visualizações

Publicada em

"10 steps to build token based API Security" is a presentation about building robust token systems for protecting APIs. This was presented as part of Index Conference.

Publicada em: Software
  • Seja o primeiro a comentar

IBM Index Conference - 10 steps to build token based API Security

  1. 1. Ten steps for Token based API Security Senthilkumar Gopal
  2. 2. @sengopal | IndexConf2018 ACME Fort Knox Web Application Browser Traffic Limiter Bot Check CSRF INPUT SANITIZER MODEL TRANSFORM APPLICATION LOGIC
  3. 3. @sengopal | IndexConf2018 A Hero’s (‘real’) story Expose APIs for 3rd Parties
  4. 4. @sengopal | IndexConf2018 ACME (Not) Fort Knox Web Application API Server Browser Traffic Limiter Bot Check CSRF Input Sanitizer Model Transform Application Logic CRUD Operations
  5. 5. @sengopal | IndexConf2018
  6. 6. @sengopal | IndexConf2018 A Hero’s (‘real’) story
  7. 7. @sengopal | IndexConf2018 Web Application vs. APIs “But no one else knew about the API server “
  8. 8. @sengopal | IndexConf2018 First Principles APIs are … Intended to serve machines instead of real users Closer to Object Data Model
  9. 9. @sengopal | IndexConf2018 Example of Web Application vs. APIs
  10. 10. @sengopal | IndexConf2018 Example of Web Application vs. APIs https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples
  11. 11. @sengopal | IndexConf2018 I need an ‘expert’
  12. 12. @sengopal | IndexConf2018 Delegated Authentication Delegated Authorization Client Revocability User Control Code @ http://bit.ly/ebay-oauth How to protect them? By Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066
  13. 13. STEP 1 Embrace the standards
  14. 14. @sengopal | IndexConf2018 Typical API Security Workflow ResourceAuthentication Authorization Rate Limiting Proxy Resource Cache Request
  15. 15. @sengopal | IndexConf2018 Why “Authentication" is important? @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); Authorization Rate Limiting fs.setPath(“/hi") .requestRateLimiter(RedisRateLimiter.args(2, 4)) https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
  16. 16. STEP 2 Maintain an extensible token architecture
  17. 17. @sengopal | IndexConf2018 “If you decide to go and create your own token system, you had best be really smart.” - Stack Overflow source
  18. 18. @sengopal | IndexConf2018 What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.”
  19. 19. @sengopal | IndexConf2018 “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” What is a token?
  20. 20. @sengopal | IndexConf2018 Entities User Entity Application Entity
  21. 21. @sengopal | IndexConf2018 “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” What is a token?
  22. 22. @sengopal | IndexConf2018 Cryptography 101 server private e32d140bc54d public client
  23. 23. STEP 3 Learn the nuances of Cryptography
  24. 24. @sengopal | IndexConf2018 “A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography.” What is a token?
  25. 25. @sengopal | IndexConf2018 Life Cycle Structure Authentication Server - a time tested strategy Photo by Patrick Lindenberg on Unsplash Persistence
  26. 26. @sengopal | IndexConf2018 Life Cycle Structure Authentication Server - a time tested strategy Photo by Patrick Lindenberg on Unsplash Persistence
  27. 27. @sengopal | IndexConf2018 LifeCycle - Application Registered App Developer Active Blocked Retired Generate tokens
  28. 28. @sengopal | IndexConf2018 LifeCycle - Tokens User Consent App Developer Refresh Token Access token Resource API Access Token Consent Revoked Tokens Revoked
  29. 29. @sengopal | IndexConf2018 Fitting it all together Resource /cart client OAuth /token Access Token Access-token Secure Token Server Access Token auth Access-token
  30. 30. @sengopal | IndexConf2018 LifeCycle - Purpose Refresh Token Access Token To Generate new Access Token To Access protected Resource Long Lived Short Lived
  31. 31. STEP 4 Learn Live the nomenclature
  32. 32. @sengopal | IndexConf2018 Life Cycle Structure Authentication Server - a time tested strategy Photo by Patrick Lindenberg on Unsplash Persistence
  33. 33. @sengopal | IndexConf2018 Structure ebay AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA 2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs ya29.GltiBRICgroWhf0XJ- e4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v google facebook EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8Ehr AD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD https://developers.google.com/oauthplaygroundhttps://developers.facebook.com/tools/explorer/ * Tokens edited for brewity
  34. 34. @sengopal | IndexConf2018 Structure https://developers.google.com/oauthplaygroundhttps://developers.facebook.com/tools/explorer/ JWT Are there any standards? Is it just a random string? SAML
  35. 35. @sengopal | IndexConf2018 Structure - JWT https://jwt.io/
  36. 36. STEP 5 Choose the token format wisely (standards)
  37. 37. @sengopal | IndexConf2018 Structure - JWT https://jwt.io/ What goes in the claim?
  38. 38. @sengopal | IndexConf2018 Structure - What goes in the claim? Resource /cart client OAuth /token Access Token Access-token Secure Token Server Access Token auth Access-token Everything!
  39. 39. @sengopal | IndexConf2018 Structure - Why everything? User entity App entity issuer issueAt Photo by Jennifer Pallian on Unsplash Service APIs tokens Web Apps cookies IS SAME AS expiresAt deviceIdentifier trackingId …
  40. 40. @sengopal | IndexConf2018 Structure - Versioning User entity App entity issuer issueAt version expiresAt deviceIdentifier trackingId … We add new attributes everyday. Versioning v1, v1.1, v1.2, v1.3, v2.0, ….
  41. 41. STEP 6 Capture every identifier possible and use versions
  42. 42. @sengopal | IndexConf2018 Master! Am I ready yet ? No! One more important step Photo by DeviantArt
  43. 43. @sengopal | IndexConf2018 Life Cycle Structure Authentication Server - a time tested strategy Photo by Patrick Lindenberg on Unsplash Persistence
  44. 44. @sengopal | IndexConf2018 Security Photo by Samuel Zeller on Unsplash Integrity Verified { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" } JWT - Claim Missing Confidentiality Revocation
  45. 45. @sengopal | IndexConf2018 Security By Reference { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" } By Value { “ref”:” AgAAAA**AQAAAA**aAAAAA**E6+EWg* *nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6 wMkIGkCJCGoA2dj6x9nY+seQ+/ 5wK1dskM5/3EOEY7BDg7VHK/ CmDimCvVPbtJankHhzJUF8rU876Qzjs ” }
  46. 46. @sengopal | IndexConf2018 Security Integrity Verified Integrity Verified Confidential Custom format * Persisted By ReferenceBy Value
  47. 47. @sengopal | IndexConf2018 Fitting them together Resource /cart client OAuth /token Access Token Access-token Secure Token Server Access Token auth Access-token RDBMS AUDIT async App Metadata Server
  48. 48. @sengopal | IndexConf2018 Persistence - Considerations Atomic & Strong Consistency New Token Generation of new token Token Revocation *
  49. 49. @sengopal | IndexConf2018 Persistence - Considerations Eventually Consistent User - token Association Cache duplication
  50. 50. STEP 7 Identify transactional needs
  51. 51. @sengopal | IndexConf2018 Performance “Premature optimization is the root of all evil” - Donald Knuth Identify Hot spots Caching in Couchbase
  52. 52. @sengopal | IndexConf2018 Fitting them together Resource /cart client OAuth /token Access Token Access-token Secure Token Server Access Token auth Access-token RDBMS CACHE AUDIT async App Metadata Server
  53. 53. STEP 8 Use caching to get optimal performance
  54. 54. @sengopal | IndexConf2018 OWASP Open Web Application Security Project A2 – Broken Authentication and Session Management A10 – Underprotected APIs Reference
  55. 55. @sengopal | IndexConf2018 Fitting them together Resource /cart client OAuth /token Access Token Access-token Secure Token Server Access Token auth Access-token RDBMS CACHE AUDIT async User & Risk Systems App Metadata Server
  56. 56. STEP 9 Audit all access patterns
  57. 57. @sengopal | IndexConf2018 Managing the whole show Application Lifecycle Token lifecycle Cryptography artifacts rotation Authorizations registry ….
  58. 58. STEP 10 Automate Everything
  59. 59. @sengopal | IndexConf2018 And the 10 steps are …. Embrace the standards Extensible token architecture Nuances of Cryptography Learn the nomenclature Correct token format All identifiers & versioning Identify transactional needs Use caching Audit all access patterns Automate Everything
  60. 60. Thank You! http://sengopal.me Tweets @sengopal Experimental Code @ http://bit.ly/ebay-oauth

×