
2018 Denver JUG Deconstructing and Evolving REST Security

The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach is explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."

As a bonus at the end, we’ll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.

2018 Denver JUG Deconstructing and Evolving REST Security

  1. DenverJUG: Deconstructing REST Security. David Blevins, Tomitribe. #RESTSecurity @dblevins @tomitribe tribestream.io/denverjug2018
  2. “The nice thing about standards is you have so many to choose from.” - Andrew S. Tanenbaum
  3. Focus Areas
     • Beyond Basic Auth
     • Theory of OAuth 2.0
     • Introduction of JWT
     • Google/Facebook style API security
     • Stateless vs Stateful Architecture
     • HTTP Signatures
     • Amazon EC2 style API security
  4. Baseline: 1000 users x 3 TPS; 4 hops; 3000 TPS frontend; 12000 TPS backend
  5. Basic Auth (and its problems)
  6. Basic Auth Message
     POST /painter/color/object HTTP/1.1
     Host: localhost:8443
     Authorization: Basic c25vb3B5OnBhc3M=
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 45

     {"color":{"b":255,"g":0,"name":"blue","r":0}}
  7. Basic Auth (diagram labels): Password Sent; 3000 TPS (HTTP+SSL); username+password Base64; (no auth); 3000 TPS (LDAP); 12000 TPS (HTTP)
  8. Basic Auth (diagram labels): Password Sent; 3000 TPS (HTTP+SSL); username+password Base64; username+password Base64; 15000 TPS (LDAP); Password Sent; 12000 TPS (HTTP)
  9. Basic Auth (diagram labels): Password Sent; 3000 TPS (HTTP+SSL); username+password Base64; IP whitelisting; 3000 TPS (LDAP); 12000 TPS (HTTP)
  10. “Hey, give me all of Joe’s salary information.” “I don’t know who you are, … but sure!”
  11. Latveria Attacks
  12. Basic Auth - Attacks (diagram labels): Valid Password Sent 3000 TPS (HTTP+SSL); Invalid Password Sent 6000 TPS (HTTP+SSL); IP whitelisting; 9000 TPS (LDAP); 12000 TPS (HTTP)
  13. OAuth 2.0 (and its problems)
  14. (image only)
  15. (image only)
  16. (image only)
  17. (image only)
  18. OAuth 2 - Password Grant (LDAP) (Token Store); steps: Verify Password, Generate Token
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=password&username=snoopy&password=woodstock

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
     }
  19. OAuth 2.0 Message
     POST /painter/color/object HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 45

     {"color":{"r":0,"g":0,"b":255,"name":"blue"}}
  20. OAuth 2.0 Message (same headers and bearer token as slide 19): POST /painter/color/palette HTTP/1.1; Content-Length: 45; body {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  21. OAuth 2.0 Message (same headers and bearer token as slide 19): POST /painter/color/select HTTP/1.1; Content-Length: 44; body {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  22. OAuth 2.0 Message (same headers and bearer token as slide 19): POST /painter/color/fill HTTP/1.1; Content-Length: 49; body {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  23. OAuth 2.0 Message (same headers and bearer token as slide 19): POST /painter/color/stroke HTTP/1.1; Content-Length: 49; body {"color":{"r":255,"g":200,"b":255,"name":"orange"}}
  24. 401
  25. OAuth 2 - Refresh Grant (LDAP) (Token Store); steps: Verify Password, Generate Token
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
       "expires_in":3600,
       "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e"
     }
  26. Old pair: Access Token 2YotnFZFEjr1zCsicMWpAA, Refresh Token tGzv3JOkF0XG5Qx2TlKWIA. New pair: Access Token 6Fe4jd7TmdE5yW2q0y6W2w, Refresh Token hyT5rw1QNh5Ttg2hdtR54e
  27. OAuth 2.0 Message (same headers as slide 19, now with Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w): POST /painter/color/palette HTTP/1.1; Content-Length: 46; body {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  28. OAuth 2.0 Message (same headers as slide 19, now with Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w): POST /painter/color/select HTTP/1.1; Content-Length: 44; body {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  29. OAuth 2.0 Message (same headers as slide 19, now with Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w): POST /painter/color/fill HTTP/1.1; Content-Length: 49; body {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  30. What have we achieved?
  31. You have more passwords (at least your devices do)
  32. Term Alert
     • Password Grant???
       • Logging in
     • Token?
       • Slightly less crappy password
       • Equally crappy HTTP Session ID
  33. OAuth 2 (diagram labels): Tokens Sent 3000 TPS (HTTP+SSL); IP whitelisting; 3000 TPS (token checks); Password Sent 1000/daily (HTTP+SSL); OAuth 2 (LDAP); 4 hops; 12000 TPS backend
  34. (image only)
  35. “Who the heck is 6Fe4jd7TmdE5yW2q0y6W2w ???????” “No idea, dude. Ask the token server.”
  36. OAuth 2 (diagram labels): Tokens Sent 3000 TPS (HTTP+SSL); IP whitelisting; 3000 TPS (token checks); Password Sent 1000/daily (HTTP+SSL); OAuth 2 (LDAP); 12000 TPS (token checks); 8 hops; 24000 TPS backend
  37. OAuth 2 (diagram labels): Tokens Sent 3000 TPS (HTTP+SSL); IP whitelisting; 3000 TPS (token checks); Password Sent 1000/daily (HTTP+SSL); OAuth 2 (LDAP); 12000 TPS (token checks); 8 hops; 24000 TPS backend; 55% of all traffic
  38. OAuth 2 (diagram labels): Tokens Sent 3000 TPS (HTTP+SSL); IP whitelisting; 0 TPS (token checks); Password Sent 1000/daily (HTTP+SSL); OAuth 2 (LDAP); 0 TPS (token checks); 0 hops; 0 TPS backend
  39. OAuth 2: Pointer, Pointer, State
  40. Access Token: Access Pointer? Access Primary Key?
  41. OAuth 2.0: High Frequency Password Exchange Algorithm?
  42. Problem: how to detect if a file's contents have changed?
  43. Hashing and Signing: Symmetric and Asymmetric
  44. Hashing Data
  45. (illustration: a run of binary data)
  46. (illustration: a run of binary data)
  47. More Bits the Better
  48. Hashing Data
  49. Hashing Data
  50. Hashing Data
  51. Hashing Data
  52. Eagles beat Patriots 41 to 33
  53. Eagles beat Patriots 41 to 33
  54. Eagles beat Patriots 41 to 34
  55. Protecting the Hash: HMAC (Symmetric), abc123 / abc123; RSA (Asymmetric), private / public
  56. HMAC (Symmetric): Read & Write on both sides; Shared and equal relationship
  57. RSA (Asymmetric): Write on one side, Read on the others; One side has more authority (* the reverse is possible)
  58. Distributed Read-Only Data: one side Can Write, the others Read; Data + Encrypted Hash of Data
  59. How many RSA keys does Susan need to sign 1,000,000 documents?
  60. one
  61. OAuth 2.0 + JSON Web Tokens (JWT)
  62. JSON Web Token
     • Pronounced “JOT”
     • Fancy JSON map
     • Base64 URL Encoded
     • Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
     • Built-in expiration
  63. The three parts of the token
     • { "alg": "RS256", "typ": "JWT" }
     • { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": [ "twitter", "mans-best-friend" ], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" }
     • DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  64. Access Token Now
     • header (JSON > Base64 URL Encoded): describes how the token signature can be checked
     • payload (JSON > Base64 URL Encoded): basically a map of whatever you want to put in it; some standard entries such as expiration
     • signature (Binary > Base64 URL Encoded): the actual digital signature; made exclusively by the /oauth2/token endpoint; if RSA, can be checked by anyone
  65. Access Token Previously: 6Fe4jd7TmdE5yW2q0y6W2w
  66. Access Token Now:
     eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  67. Subtle But High Impact Architectural Change
  68. What we had (quick recap)
  69. (LDAP) Pull User Info From IDP
  70. (LDAP) Generate an Access Token (pointer)
  71. (LDAP) Insert both into DB
  72. (LDAP) Send Access Token (pointer) to client
  73. Results: Client Holds Pointer, Server Holds State
  74. What we can do now (Hello JWT!)
  75. (LDAP) Pull User Info From IDP
  76. (LDAP) Format the data as JSON
  77. (LDAP) RSA-SHA256 sign JSON (private key)
  78. (LDAP) Insert only pointer into DB (for revocation)
  79. (LDAP) Send Access Token (state) to client
  80. Desired Results: Client Holds State, Server Holds Pointer
  81. OAuth 2 - Password Grant (LDAP) (Token ID Store); steps: Verify Password, Generate Signed Token
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=password&username=snoopy&password=woodstock

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo",
       "expires_in":3600,
       "refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL"
     }
  82. OAuth 2.0 Message with JWT
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  83. OAuth 2 + JWT (diagram labels): Tokens Sent 3000 TPS (HTTP+SSL); 0.55 TPS (refresh token checks) (30 minute expiration); Password Sent 1000/daily (HTTP+SSL); OAuth 2 (LDAP); 4 hops; 12000 TPS backend; 3000 TPS (signature verification); 12000 TPS (signature verification); (private key); (public key)
  84. “Hey, give me all of Joe’s salary information.” “Not a chance!”
  85. “Hey, give me all of Joe’s salary information.” “Sure thing!” Every Microservice Has the Gateway's Public Key
  86. Latveria Attacks (again)
  87. OAuth 2 + JWT (diagram labels): Valid Tokens Sent 3000 TPS (HTTP+SSL); Invalid Tokens Sent 6000 TPS (HTTP+SSL); 0.55 TPS (refresh token checks); Password Sent 1000/daily (HTTP+SSL); (LDAP); 4 hops; 12000 TPS backend; 9000 TPS (signature verification); 12000 TPS (signature verification); (private key); (public key)
  88. HTTP Signatures (Amazon EC2 style API Security)
  89. HTTP Signatures
     • No “secret” ever hits the wire
     • Signs the message itself
     • Proves identity
     • Prevents message tampering
     • Symmetric or Asymmetric signatures
     • IETF Draft: https://tools.ietf.org/html/draft-cavage-http-signatures
     • Extremely simple
     • Does NOT eliminate benefits of JWT
  90. Signing a Message: take the full HTTP message
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Date: Mon, 19 Sep 2016 16:51:35 PDT
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  91. Signing a Message: select the parts you want to protect (same message as slide 90)
  92. Signing a Message: create a signing string
     (request-target): POST /painter/color/palette
     host: api.superbiz.io
     date: Mon, 19 Sep 2016 16:51:35 PDT
     content-length: 46
  93. Signing a Message: hash the string (sha256 shown)
     Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
  94. Signing a Message: encrypt the hash (hmac shown)
     j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
  95. Signing a Message: put it all together
     Signature keyId="orange-1234", algorithm="hmac-sha256", headers="(request-target) host date content-length", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
  96. Signed Message
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Signature keyId="orange-1234", algorithm="hmac-sha256", headers="(request-target) host date content-length", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
     Date: Mon, 19 Sep 2016 16:51:35 PDT
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  97. Signature Auth (diagram labels): Password Sent 0 TPS (HTTP); Signature; (no auth); 3000 TPS (LDAP or Keystore); 12000 TPS (HTTP)
  98. Signature Auth (diagram labels): Password Sent 0 TPS (HTTP); Signature; Signature; 3000 TPS (LDAP or Keystore); 12000 TPS (HTTP)
  99. “Hey, give me all of Joe’s salary information.” “Hey, Larry! Sure!” Issue Returns (bad)
  100. OAuth 2.0 Proof-of-Possession (JWT + HTTP Signatures)
  101. Key / Value: Identity Information (JWT); Key ID; Proof Of Identity (HTTP Signature)
  102. Access Token
     { "alg": "RS256", "typ": "JWT" }
     { "token-type": "access-token", "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter", "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" }
     DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  103. Access Token
     { "alg": "RS256", "typ": "JWT" }
     { "token-type": "pop", "cnf": { "kid": "green-1234" }, "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter", "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" }
     DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  104. OAuth 2 - Password Grant (LDAP) (Token ID Store); steps: Verify Password, Generate Signed Token, Generate HMAC Key (Key Store)
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=password&username=snoopy&password=woodstock

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6MTMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2",
       "token_type":"pop",
       "expires_in":3600,
       "refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M",
       "key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ"
     }
  105. JSON Web Key (encoded)
     eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
  106. JSON Web Key (decoded)
     {
       "kty": "oct",
       "use": "sig",
       "kid": "orange-1234",
       "k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKWTHlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7jJJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xss8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39cwfs",
       "alg": "HS256"
     }
  107. Signed OAuth 2.0 Message
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Signature keyId="orange-1234", algorithm="hmac-sha256", headers="content-length host date (request-target)", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
     Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
     Date: Mon, 19 Sep 2016 16:51:35 PDT
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  108. OAuth 2 + JWT + Signatures (diagram labels): Tokens+Signatures Sent 3000 TPS (HTTP safe); 0.55 TPS (refresh token checks); Password Sent 1000/daily (HTTP+TLS); OAuth 2 (LDAP); 4 hops; 12000 TPS backend; 3000 TPS (signature verification); 12000 TPS (signature verification)
  109. Specification Reference: https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution
  110. Observations
     • HTTP Signatures: the only HTTP friendly approach
     • Signatures do not solve the “Identity Load” problem
     • OAuth 2 with JWT significantly improves IDP load
     • Plain OAuth 2: HTTP Session-like implications
     • OAuth 2 with JWT: Signed cookie; Signing key to the future
  111. Thank You. Slides & Gateway Sign-up: https://tribestream.io/boulderjug2018 #RESTSecurity Boulder JUG
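Slides 90 through 96 build an HTTP Signature step by step, and slides 100 through 107 bind a JWT to that signing key through its cnf.kid claim; the Python below is an added example, not code from the deck or from Tomitribe, that signs a request the way slides 92-96 do and then performs the gateway-side proof-of-possession check, rejecting a tampered request, an expired or forged token, and a token bound to a different key. It assumes the JWT travels in a separate header named bearer as slide 107 shows, uses HS256 for the JWT so it runs on the standard library (the deck's token endpoint signs with RS256, where verifiers need only the public key), and computes hmac-sha256 directly over the signing string as the draft specifies; all keys, the token and the request are constructed for this example.

```python
import base64, hashlib, hmac, json, re

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# JWT = header.payload.signature, each Base64 URL encoded (slides 62-66). HS256
# keeps this on the standard library; the deck's token endpoint uses RS256.
def jwt_sign(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def jwt_verify(token: str, key: bytes, now: int) -> dict:
    """Claims if signature and expiry hold; the state travels inside the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, unb64url(sig_b64)):
        raise ValueError("bad JWT signature")
    claims = json.loads(unb64url(payload_b64))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

# HTTP Signatures, draft-cavage-http-signatures with hmac-sha256 (slides 90-96).
def signing_string(method: str, path: str, headers: dict, names: list) -> str:
    """One 'name: value' line per covered header, in the listed order; the draft's
    (request-target) pseudo-header is the lower-cased method plus the path."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)

def sign_request(method, path, headers, names, key_id, key: bytes) -> str:
    # Authorization header value: an HMAC over the signing string, never the key itself.
    mac = hmac.new(key, signing_string(method, path, headers, names).encode(),
                   hashlib.sha256).digest()
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(names)}",signature="{base64.b64encode(mac).decode()}"')

def parse_signature(value: str) -> dict:
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

# Proof of possession (slides 100-107): the JWT names the key in cnf.kid and the
# HTTP Signature proves the sender holds that key.
def verify_pop_request(method, path, headers, issuer_key, key_store, now) -> dict:
    claims = jwt_verify(headers["bearer"], issuer_key, now)
    params = parse_signature(headers["authorization"])
    if params.get("algorithm") != "hmac-sha256":
        raise ValueError("unsupported algorithm")
    if params.get("keyId") != claims.get("cnf", {}).get("kid"):
        raise ValueError("signature key does not match the token's cnf.kid")
    jwk = key_store.get(params["keyId"])  # JSON Web Key with "kty": "oct" (slide 106)
    if jwk is None:
        raise ValueError("unknown keyId")
    names = params["headers"].split()
    for required in ("(request-target)", "host", "date"):
        if required not in names:  # an unsigned target or date invites rerouting/replay
            raise ValueError(f"{required} must be signed")
    expected = hmac.new(unb64url(jwk["k"]), signing_string(method, path, headers, names).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(params["signature"])):
        raise ValueError("bad HTTP signature")
    return claims

# Constructed demo data: keys, token and request are made up for this example.
ISSUER_KEY = b"constructed-token-endpoint-key"
POP_KEY = b"constructed-client-key-for-orange-1234"
KEY_STORE = {"orange-1234": {"kty": "oct", "use": "sig", "kid": "orange-1234",
                             "k": b64url(POP_KEY), "alg": "HS256"}}
NOW = 1474279200
CLAIMS = {"token-type": "pop", "cnf": {"kid": "orange-1234"}, "username": "snoopy",
          "exp": 1474280963, "iat": 1474279163}
BODY = '{"color":{"b":0,"g":255,"r":0,"name":"green"}}'
HEADERS = {"host": "api.superbiz.io", "date": "Mon, 19 Sep 2016 16:51:35 PDT",
           "content-type": "application/json", "content-length": str(len(BODY)),
           "bearer": jwt_sign(CLAIMS, ISSUER_KEY)}
HEADERS["authorization"] = sign_request("POST", "/painter/color/palette", HEADERS,
    ["(request-target)", "host", "date", "content-length"], "orange-1234", POP_KEY)

def check(headers: dict, now: int = NOW) -> str:
    """'ok' when the gateway would accept the request, else the rejection reason."""
    try:
        verify_pop_request("POST", "/painter/color/palette", headers, ISSUER_KEY, KEY_STORE, now)
        return "ok"
    except ValueError as err:
        return str(err)
```

Changing any signed header, for instance content-length after altering the body, makes check() return the rejection reason instead of "ok", while a plain access token without a cnf claim is refused because no key is bound to it.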
