IT-SECURITY
@Contemporary Life
December 20, 2013
Oliver Pfaff
Use Case: Car-as-Callee
What Is It About?

Use cases (the mobile calls the car)
▶ Blow horn, flash lights
▶ Get location
▶ Get energy status
▶ Get/change temp
▶ Open/close doors
▶ …

Questions
▶ What happens between mobiles and cars – IT-security/IAM?
▶ For which reasons?
▶ …

Dec 2013
Use Case: Car-as-Caller
What Is It About?

Use cases (the car calls Web-based services)
▶ Get personal news
▶ Hear blog posts
▶ Listen to my music
▶ Post to Facebook walls
▶ Read tweets
▶ …

Questions
▶ As for car-as-callee
Protecting Web-Based Services
Key Question: Is Classical Web Security Enough?

[Diagram: a provider of Web-based services (e.g. Facebook) exposes two kinds of endpoints]
– Web UI endpoints e.g. www.facebook.com – consumed by Web browsers and mobile browsers
– Web API endpoints e.g. graph.facebook.com … – consumed by browser-based apps, mobile apps and composite applications

Classical Web security (Web UI endpoints)
▶ Application: form-based login
▶ HTTP: SSO session cookies
▶ Transport: SSL/TLS

Web API endpoints: is the same classical Web security enough? (?)
▶ Application: form-based login
▶ HTTP: SSO session cookies
▶ Transport: SSL/TLS
Web-Based Services
How Does the Web Evolve?

[Diagram: evolution of Web-based services along a 1995 – 2000 – 2005 – 2010 timeline]
▶ The Web we are familiar with: database-backed applications, desktop browsers, read-only – user ↔ Web browser ↔ (HTML over HTTP) Web container/Web application ↔ (SQL or …) database (or directory …)
▶ Read/write aka Web 2.0, AJAX clients – browser-based apps exchanging XML, JSON
▶ Mobile browsers/apps – HTML for mobile browsers; XML, JSON for mobile apps
▶ Composite applications – XML, JSON
▶ Things-backed applications – IoT as the backend behind the Web application
Internet-of-Things
Cornerstones to this Expansion
▶ Web/REST APIs: expose functionality for programmatic consumption by others via the Web → allowing others to add value
▶ Mobile: smart-phones/tablets are the preferred user devices → defines the mode of access: via general-purpose devices from the Internet
▶ Social: users are already signed up and signed in at Facebook, Google, Twitter etc. → social providers are co-actors when delivering an SSO user experience
One User=One Account
But With Multiple Credentials

[Diagram: car use cases positioned on two assurance axes]
▶ Level of authentication assurance (ascending): Anonymous, Persisted login, Static password, One-time password, Asymmetric
▶ Level of identity assurance (ascending): Self-asserted, Social provider, Address verification, Successful transactions, Trusted introducers
▶ Use cases placed on this grid: Open/close door (step-up authn, re-authn), Get energy balance (re-authn), Virtual garage: store car config (re-authn)
Use Case: Car-as-Callee
Which Trick to Do?

[Diagram: the user enters credentials into the mobile app once; the app then accesses one Web application (behind public-facing Web API endpoints e.g. api.mycompany.com, with its resources) in subsequent app sessions]
▶ Event:
– User accesses a Web application with her/his mobile app (tablet/smart phone)
– Recurring requests to this Web application in subsequent app sessions
▶ Goal: persistent login
– One user login allows access to a Web application in various mobile app sessions
▶ Example: login once to the GMail mobile app - access GMail for a period of time
Use Case: Car-as-Callee
Chickens - Birds that Do Not Fly
▶ IT-security: rely on a single credential (typically a username/password tuple)
– Lost device: for usability reasons mobile apps would store the credentials. This presents an attack surface when mobile devices get lost
– Race condition: if such attacks succeed the user identity can be taken over (password change by attacker)
– Recipe:
• Use initial authentication credentials (e.g. username/password) to create subordinate, inherited credentials (login tokens) stored in mobile apps.
• Provide revocation endpoints for login tokens - protected by initial authentication or other superordinate credentials
▶ IAM: coin an own session handling for persisted login (protocol/infrastructure)
– API anti-pattern: before 2012 (OAuth 2.0, RFC 6749) proprietary protocols and infrastructure were needed to do this trick – increases overall integration complexity (#n APIs → #n security realizations), repelling the external developer community
Use Case: Car-as-Callee
New Web Security Standard: OAuth-2 Parties

[Diagram: API consumer (the mobile app) and API provider]
API provider – Security APIs, backed by a token store, a user store and a device store:
– Token endpoint: the API consumer Posts <user creds> (or a refresh_token) and receives access/refresh_token
– Revocation endpoint: the API consumer submits a refresh_token to invalidate it
– TokenInfo endpoint: returns the metadata of a token
API provider – Business APIs, backed by the resource:
– Resource endpoint: the API consumer sends Post, Get, Put/Patch, Delete with access_token and receives the resource
Use Case: Car-as-Caller
Which Trick to Do?

[Diagram: users A, B … Z, each with a user agent, use a composite application (composite.mycompany.com), which calls the public-facing Web API endpoints (e.g. graph.facebook.com) of a Web application holding user-owned resources, e.g. a resource owned by consumer user B. The composite application authenticates A, B … Z; the Web application authenticates the composite app]
▶ Event:
– A Web application provides access to user-owned resources
– It is called by other applications acting on behalf of users (called composite applications)
▶ Goal: user-managed access
– Resource owner retains control of who may access her/his resources
▶ Example: third-party application posts to user's Facebook wall
Use Case: Car-as-Caller
Chickens - Birds that Do Not Fly
▶ IT-security: rely on 2-party authentication contexts
– Provide user credentials to third parties (here: composite applications) which then authenticate themselves as users – anti-pattern
– Use client credentials of composite applications only
• API consumers (here: composite applications) authenticate users - okay
• API providers authenticate API consumers - okay
• API providers trust API consumers to make “I ask for John Doe” requests only when John Doe is asking to do so – in many cases not good enough
▶ IAM: use enterprise authorization machinery (EIAM products)
– Utilize long-lived authorization policy objects established a priori and managed out-of-band (from the browsing sessions of users)
Use Case: Car-as-Caller
New Web Security Standard: OAuth-3 Parties

[Diagram: user (with user agent), composite application (API consumer) and API provider]
1. The composite application redirects the user agent to the Authz endpoint with clientID, scope
2. User agent: Get <clientID, scope> at the Authz endpoint (establish authn/authz: the user authenticates and authorizes the requested scope)
3. Authz endpoint: redirect back to the composite application with code
4. Composite application: receives Get <code>
5. Composite application: Post <client creds, code> to the Token endpoint → access_token
6. Composite application: Post, Get, Put/Patch, Delete with access_token at the Resource endpoint → Resource
API provider – Security APIs: Authz endpoint, Token endpoint, TokenInfo endpoint, backed by user store, token store and client store
API provider – Business APIs: Resource endpoint, backed by the resource
The Trick Behind these Tricks
New Web Security Protocols Facilitate Decoupling
▶ Some Web API use cases have no adequate coverage in classical Web security
– Mobile app authentication - persisted login (cf. car-as-callee)
– Resource access authorization – in presence of intermediaries (cf. car-as-caller)
▶ For others where alternatives exist: uniform security enforcement for various API protection use cases. The following working schedule applies:
1. Request Post, Get, Put/Patch, Delete… /resource arrives (with or without an OAuth token)
2. Is the resource protected? No → HTTP 200 OK/201 Created <Resource>
3. Yes: Is an OAuth token present (RFC 6750)? No → HTTP 401 Unauthorized
4. Is the token valid? Get token metadata: Get /tokeninfo for the OAuth token → HTTP 200 OK <tokenMetadata incl. validity> (standardization ongoing). Okay (else: HTTP 401 Unauthorized)
5. Does the request match the token metadata? Okay (else: HTTP 401 Unauthorized)
6. HTTP 200 OK/201 Created <Resource>
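As an added illustration (not code from the slides), the following Python sketch wires the endpoints of both OAuth diagrams and the working schedule above into one in-memory authorization server: a token endpoint with password (ROPC), refresh_token and authorization_code grants, revocation and tokeninfo endpoints, and a resource endpoint that walks the slide's decision steps. All users, clients, paths, scopes and the VIN are constructed sample values.

```python
import secrets
import time

# Constructed sample stores; none of these values are real credentials.
USERS = {"john.doe": "demo-password"}                          # user store
CLIENTS = {"car-mobile-app": None,                             # public client (car-as-callee): no secret
           "composite.mycompany.com": "demo-client-secret"}    # confidential client (car-as-caller)
TOKENS, REFRESH, CODES = {}, {}, {}                            # token store: access tokens, refresh tokens, codes
# Protected resources and the scope each one needs; VIN-DEMO is a placeholder, not a real VIN.
PROTECTED = {"/vehicles/VIN-DEMO/doors": "door:write", "/vehicles/VIN-DEMO/energy": "energy:read"}


class OAuthError(Exception):
    """Carries an RFC 6749 error code such as invalid_client or invalid_grant."""


def _check_client(client_id, client_secret):
    # A public client has no secret (None); a confidential client must present its secret.
    if client_id not in CLIENTS or CLIENTS[client_id] != client_secret:
        raise OAuthError("invalid_client")


def _issue(user, client_id, scope, ttl=3600, with_refresh=False):
    access = secrets.token_urlsafe(16)
    TOKENS[access] = {"user": user, "client_id": client_id, "scope": set(scope),
                      "exp": time.time() + ttl}
    resp = {"access_token": access, "token_type": "Bearer", "expires_in": ttl}
    if with_refresh:   # the subordinate, inherited credential the app keeps instead of the password
        refresh = secrets.token_urlsafe(16)
        REFRESH[refresh] = {"user": user, "client_id": client_id, "scope": set(scope)}
        resp["refresh_token"] = refresh
    return resp


def authz_endpoint(username, password, client_id, scope):
    """3-party flow: the user authenticates here and authorizes <clientID, scope>; a short-lived code comes back."""
    if client_id not in CLIENTS or USERS.get(username) != password:
        raise OAuthError("access_denied")
    code = secrets.token_urlsafe(8)
    CODES[code] = {"user": username, "client_id": client_id, "scope": set(scope), "exp": time.time() + 60}
    return code


def token_endpoint(grant_type, client_id, client_secret=None, **params):
    """Issues tokens for the password (ROPC), refresh_token and authorization_code grants."""
    _check_client(client_id, client_secret)
    if grant_type == "password":            # car-as-callee: initial login with user credentials
        if USERS.get(params["username"]) != params["password"]:
            raise OAuthError("invalid_grant")
        return _issue(params["username"], client_id, params["scope"], with_refresh=True)
    if grant_type == "refresh_token":       # subsequent app sessions: no user credentials needed
        meta = REFRESH.get(params["refresh_token"])
        if meta is None or meta["client_id"] != client_id:
            raise OAuthError("invalid_grant")
        return _issue(meta["user"], client_id, meta["scope"])
    if grant_type == "authorization_code":  # car-as-caller: composite app redeems the code with client creds
        meta = CODES.pop(params["code"], None)           # single use: a replayed code is rejected
        if meta is None or meta["client_id"] != client_id or meta["exp"] < time.time():
            raise OAuthError("invalid_grant")
        return _issue(meta["user"], client_id, meta["scope"], with_refresh=True)
    raise OAuthError("unsupported_grant_type")


def revocation_endpoint(refresh_token, username, password):
    """Lost device: revoke a stored refresh token, protected by the superordinate credential (the password)."""
    if USERS.get(username) != password:
        raise OAuthError("access_denied")
    meta = REFRESH.get(refresh_token)
    if meta is None or meta["user"] != username:
        return False          # nothing to do; RFC 7009 treats an unknown token as already revoked
    del REFRESH[refresh_token]
    # Also drop the access tokens this client holds for the user so the revocation takes effect at once.
    for access in [a for a, m in TOKENS.items()
                   if m["user"] == username and m["client_id"] == meta["client_id"]]:
        del TOKENS[access]
    return True


def tokeninfo_endpoint(access_token):
    """Returns token metadata incl. validity (standardization of this endpoint was still ongoing in 2013)."""
    meta = TOKENS.get(access_token)
    if meta is None or meta["exp"] < time.time():
        return {"active": False}
    return {"active": True, "user": meta["user"], "client_id": meta["client_id"],
            "scope": sorted(meta["scope"])}


def resource_endpoint(method, path, authorization=None):
    """The working schedule above as code: returns (HTTP status, body) for a request."""
    required = PROTECTED.get(path)
    if required is None:                                               # Is resource protected? No
        return 200, f"{method} {path}: public resource"
    if not authorization or not authorization.startswith("Bearer "):  # Is OAuth token present? No
        return 401, "no OAuth token (RFC 6750 bearer token expected)"
    info = tokeninfo_endpoint(authorization[len("Bearer "):])         # Get /tokeninfo for the token
    if not info["active"]:                                             # Is token valid? No
        return 401, "invalid or expired token"
    if required not in info["scope"]:                                  # Does request match token metadata? No
        # The slide answers 401 here; RFC 6750 uses 403 with error=insufficient_scope for a valid token.
        return 401, f"scope {required} not granted"
    return 200, f"{method} {path} as {info['user']}"                   # HTTP 200 OK/201 Created <Resource>
```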
Protecting Web-Based Services
Revised

[Diagram: a provider of Web-based services (e.g. Facebook) exposes two kinds of endpoints]
– Web UI endpoints e.g. www.facebook.com – consumed by Web browsers and mobile browsers
– Web API endpoints e.g. graph.facebook.com … – consumed by browser-based apps, mobile apps and composite applications

Classical Web security (Web UI endpoints)
▶ Application: form-based login
▶ HTTP: SSO session cookies
▶ Transport: SSL/TLS

New Web security (Web API endpoints)
▶ Application: OAuth services
▶ HTTP: OAuth tokens
▶ Transport: SSL/TLS
Use Case: Car-as-Callee
Best Current Practice

[Diagram: mobile app → public networks → Web API infrastructure → car connect infrastructure → (VPN) embedded communication endpoint in the car]
1. Authn – against the identity store (User<X>: userid, password, VINs …)
2. Get VINs/vehicles
3. Select car
4. Do things remotely …
5. Backend operation with VIN (vehicle object)
6. Instruction msg to IMSI – the car connect infrastructure resolves the VIN to an IMSI via the CRM store (Vehicle<Y>: VIN, IMSI …) and reaches the embedded communication endpoint over VPN
7. Get details

User/car pairing via VIN. Managed by maker (CRM application) and/or owners (portal) - subject to applicable contract/security means
Use Case: Car-as-Caller
Current Practices

[Diagram (recovered labels): head unit with mobile app (OTS) integration over nearfield; three wide-area paths towards the provider of Web-based services]
– Integrated mobile browser (smart-phone as modem) → Web UI endpoints e.g. www.facebook.com – classical Web security
– Vendor-specific device app (smart-phone as modem) → Web API endpoints e.g. graph.facebook.com … – new Web security
– Gateway (data center) → composite application (data center) → Web API endpoints
Conclusion
We Live in Interesting Times
▶ Everything is changing – new use cases require new approaches:
– IT-security: classical Web security is no full answer for new use cases around social, mobile, IoT and Web APIs
→ New suite of Web security mechanisms: OAuth (IETF), OIDC (OIDF), JOSE (IETF), UMA (Kantara) …
– IAM: old-school EIAM also is no full answer for them
→ New cases (consumer users), entities (devices/things …) and concepts (relationship management) …
▶ OAuth is the leader of ‘new Web security’ - but is also a whole zoo in itself:
– OAuth 2.0 additions turn the special-purpose tool OAuth 1.x into a Swiss army knife
→ Confusion is omnipresent
– OAuth is a framework with many options that leaves many decisions to implementers
→ ‘New Web security’ solutions come in many colors and flavors
▶ This already is real - not abstract/academic – and will become pervasive
– Security services/infrastructure delivered by OAuth endpoints can be adopted by environments that do not use HTTP as their native protocol
Author
Oliver Pfaff, oliver.frank.pfaff@gmail.com
Abbreviations
AJAX – Asynchronous JavaScript and XML
API – Application Programming Interface
Authn – Authentication
Authz – Authorization
CIAM – IAM for Consumer users
CRUD – Create/Read/Update/Delete
EIAM – IAM for Enterprise users
IAM – Identity and Access Management
IdM – Identity Management
IMSI – International Mobile Subscriber Identity
IoT – Internet of Things
JOSE – JavaScript Object Signing and Encryption
JSON – JavaScript Object Notation
JWT – JSON Web Token
OAuth – Open Authorization
OIDC – OpenID Connect
OIDF – OpenID Forum
OTS – Off-The-Shelf
REST – Representational State Transfer
ROPC – Resource Owner Password Credentials
SAML – Security Assertion Markup Language
SOAP – Simple Object Access Protocol
SSO – Single-Sign-On
UA4C – User Authentication for Clients
UI – User Interface
UMA – User Managed Access
VIN – Vehicle Identification Number
VPN – Virtual Private Network
XML – eXtensible Markup Language
Further Information
▶ Bertocci, Vittorio: OAuth 2.0 and Sign-In. Blog 2013
▶ Bray, Tim: How to Think About OAuth. Blog 2013
▶ Fielding, Roy: Architectural Styles and the Design of Network-based Software Architectures. PhD Thesis. University of California, Irvine, 2000.
▶ Glazer, Ian: Killing Identity Management in Order to Save It. YouTube 2013
▶ Hunt, Phil: OAuth: Does It Authorize? Blog 2011
▶ Jones, Mike: The Emerging JSON-Based Identity Protocol Suite. Paper - W3C Workshop on Identity in the Browser 2011
▶ Kiani, Khash: OAuth-Securing the Insecure. Presentation 2011
▶ Madsen, Paul: Mobile Native App-OAuth Decision Framework. Presentation 2011
▶ N.N.: BMW to have 10M connected cars in 5 years. Heads-up 2013
▶ Pautasso, Cesare; Zimmermann, Olaf; Leymann, Frank: RESTful Web Services vs. “Big” Web Services: Making the Right Architectural Decision. Proc. of the 17th International World Wide Web Conference, Beijing, 2008.
▶ Richer, Justin: Auth* in the Extended Enterprise. Presentation - MIT Legal Hackathon 2013
▶ Web API directory: http://www.programmableweb.com/apis/directory
▶ Yegge, Steve: Stevey's Google Platforms Rant. Posting 2011
About Web/REST APIs
Web APIs:
▶ Programmatic interface to a remote IT-system
▶ Exposed for consumption across wide-area networks
▶ Accessed by means of HTTP
▶ Request/response contents expressed as JSON or XML
REST:
▶ Architectural style for Web APIs
▶ Utilizes HTTP to deliver CRUD operations for arbitrary abstractions; without alien protocols such as SOAP
Examples:
▶ Amazon Web Services, Facebook, Force.com, Google, Twitter, Yahoo
▶ Many more, cf. programmableweb.com for a directory of Web APIs
Anatomy of Web/REST APIs

Web API endpoint (e.g. servlet) – called by browser-based/mobile apps and composite applications:
– CREATE – HTTP Post. In: URL, headers, JSON/XML. Out: JSON/XML
– READ – HTTP Get. In: URL, headers. Out: JSON/XML
– UPDATE – HTTP Patch/Put. In: URL, headers, JSON/XML. Out: JSON/XML
– DELETE – HTTP Delete. In: URL, headers. Out: n.a.

Web UI endpoint (e.g. servlet, JSP, JSF) – called by Web/mobile browsers:
– CREATE – HTTP Post. In: URL, headers, keywords/values. Out: HTML
– READ – HTTP Get. In: URL, headers. Out: HTML
API Initiatives in Automotive
▶ Published APIs:
– SDK esp. JavaScript APIs and/or Web APIs:
• Ford Vehicle API
• Genivi Web API Vehicle
• GM Vehicle API
• Tizen (Intel) Vehicle API
• QNX Automotive API
• Webinos (BMW et al.) Vehicle API
– Cf. W3C for API initiatives in automotive
▶ Unpublished APIs:
– Various
Taxonomy of Web Applications
A Web application (e.g. war file) consists of a Web UI and a Web API; the Web API is consumed by single-user and multi-user API clients.

Property                     | Web UI                                | Web API – Single-user API client | Web API – Multi-user API client
Consumers                    | Web/mobile browsers                   | Browser-based apps/mobile apps   | Composite applications
Programmatic access          | No                                    | Yes                              | Yes
Caller serves multiple users | No                                    | No                               | Yes
HTTP methods                 | Post/Get                              | Post/Get/Put/Patch/Delete etc.   | Post/Get/Put/Patch/Delete etc.
Request content              | application/x-www-form-urlencoded     | application/json or xml          | application/json or xml
Response content             | application/xhtml+xml, text/html etc. | application/json or xml          | application/json or xml
Types of Web Application Clients
▶ Web/mobile browsers
– Provided as classical software installations or in app stores
– Run as standalone applications on desktops/laptops (e.g. Chrome, Firefox, IE, Safari) or tablets/smartphones (e.g. Chrome, Firefox mobile, IE Mobile, Safari)
– Serve single users, allow access to arbitrary servers on the Web
▶ Browser-based apps
– Downloaded from Web applications (scripts in source form)
– Executed in Web browsers e.g. AJAX client for GMail access
– Serve single users, allow access to a dedicated server on the Web
▶ Mobile apps
– Provided in app stores (binary form)
– Run as standalone applications on tablets or smart-phones e.g. GMail app
– Serve single users, allow access to a dedicated server on the Web
▶ Composite applications aka Web server-based apps
– Provided by services on the Web
– Run in Web or application servers e.g. USPS Tracking (US Postal Service/Google Maps APIs)
– Serve a whole user population, utilize other downstream Web applications
OAuth 2.0 Clients Taxonomy
Web client vs. OAuth grant types

Grant type                      | Browser-based app    | Mobile app           | Composite app
Authorization code              | - (client is public) | - (client is public) | ☺
Implicit                        | ☺                    | ☺                    | -
ROPC                            | ☺                    | ☺                    | -
Client credentials              | - (client is public) | - (client is public) | ☺
Refresh token                   | ☺ (via ROPC)         | ☺ (via ROPC)         | ☺ (via authorization code)
JWT/SAML bearer token/assertion | ☺                    | ☺                    | ☺
Custom                          | N.a.                 | N.a.                 | N.a.

Note: Web browsers can not act as OAuth clients (for ROPC they could post OAuth token requests if supported by adequate forms but can not render responses; additional deltas apply for other grant types)
OAuth 2.0 Clients Best Current Practice Example
Google APIs
Web client vs. OAuth grant types

Grant type                      | Browser-based app                      | Mobile app                            | Composite app
Authorization code              | -                                      | OAuth 2.0 for Installed Applications* | OAuth 2.0 for Web Server Applications
Implicit                        | OAuth 2.0 for Client-side Applications | -                                     | -
ROPC                            | -                                      | -                                     | -
Client credentials              | -                                      | -                                     | -
Refresh token                   | -                                      | Via authorization code, custom        | Via authorization code
JWT/SAML bearer token/assertion | -                                      | -                                     | OAuth 2.0 for Server to Server Applications
Custom                          | -                                      | OAuth 2.0 for Devices                 | -

*: Requires that the application has access to the system browser or the ability to embed a browser control in the application. Does not match RFC 6749 which classifies mobile apps as public clients which are expected to employ the implicit grant rather than the authorization code grant

 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

IT-Security@Contemporary Life

  • 7. One User = One Account, But With Multiple Credentials
    [Chart: level of authentication assurance (anonymous/persisted login, social provider, static password, one-time password, asymmetric) plotted against level of identity assurance (anonymous, self-asserted, social provider, trusted introducers, successful transactions, address verification). Operations are placed by the assurance they require: "open/close door" and "get energy balance" need step-up authentication and re-authentication; "virtual garage: store car config" needs re-authentication.]
  • 8. Use Case: Car-as-Callee
    Which Trick to Do?
    [Diagram: user → mobile app → public-facing Web API endpoints (e.g. api.mycompany.com) → Web application → resources. The user enters credentials once and accesses the one Web application in all subsequent app sessions.]
    ▶ Event:
      – A user accesses a Web application with her/his mobile app (tablet/smart phone)
      – Recurring requests go to this Web application in subsequent app sessions
    ▶ Goal: persistent login
      – One user login allows access to a Web application across many mobile app sessions
    ▶ Example: log in once to the GMail mobile app, then access GMail for a period of time
  • 9. Use Case: Car-as-Callee
    Chickens: Birds that Do Not Fly
    ▶ IT-security: relying on a single credential (typically a username/password tuple)
      – Lost device: for usability reasons mobile apps would store the credentials. This presents an attack surface when mobile devices get lost
      – Race condition: if such an attack succeeds, the user identity can be taken over (password change by the attacker)
      – Recipe:
        • Use the initial authentication credentials (e.g. username/password) to create subordinate, inherited credentials (login tokens), and store only those in mobile apps
        • Provide revocation endpoints for login tokens, protected by the initial authentication or other superordinate credentials
    ▶ IAM: coining an own session handling for persisted login (protocol/infrastructure)
      – API anti-pattern: before 2012 (OAuth 2.0, RFC 6749) proprietary protocols and infrastructure were needed to do this trick. That increases overall integration complexity (#n APIs → #n security realizations) and repels the external developer community
  • 10. Use Case: Car-as-Callee
    New Web Security Standard: OAuth, 2 Parties
    [Diagram: the API consumer (mobile app) POSTs the user credentials, or later a refresh_token, to the API provider's token endpoint and receives an access_token/refresh_token; subsequent POST/GET/PUT/PATCH/DELETE calls to the resource endpoint (business APIs) carry the access_token. The provider's security APIs comprise the token endpoint, revocation endpoint and tokeninfo endpoint, backed by a token store, user store and device store.]
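The recipe of slide 9 and the 2-party exchange of slide 10, worked through as an added example (not code from the original deck): a small in-memory authorization server with the token, revocation and tokeninfo endpoints. The user "alice", her password, the device id "phone-1", the token lifetimes and the endpoint signatures are constructed values and assumptions, not any vendor's API. The walk-through plays the lost-phone story of slide 9: the app persists only the refresh token; a thief holding it can still mint access tokens but cannot change the password; the owner revokes the device with the password, after which the stolen refresh token and the access tokens derived from it are dead.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the original deck. Endpoint names follow slide 10;
# the user record, device ids and the two lifetimes are constructed demo values.
ACCESS_TTL = 600            # short-lived; the app keeps it in memory only
REFRESH_TTL = 30 * 86400    # long-lived; the app persists this, not the password


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    """Token, revocation and tokeninfo endpoints of the 2-party picture."""

    def __init__(self):
        salt = secrets.token_bytes(16)
        self.users = {"alice": (salt, _pw_hash("correct horse battery", salt))}
        self.refresh = {}   # refresh_token -> {user, device, exp}
        self.access = {}    # access_token  -> {user, device, exp, parent}

    def _password_ok(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec[1], _pw_hash(password, rec[0]))

    def _issue_access(self, user, device, parent):
        tok = secrets.token_urlsafe(32)
        self.access[tok] = {"user": user, "device": device,
                            "exp": time.time() + ACCESS_TTL, "parent": parent}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def token_endpoint(self, grant_type, device, **p):
        """POST /token: password once (ROPC), refresh token in every later session."""
        if grant_type == "password":
            if not self._password_ok(p.get("username"), p.get("password", "")):
                return {"error": "invalid_grant"}
            rt = secrets.token_urlsafe(32)
            self.refresh[rt] = {"user": p["username"], "device": device,
                                "exp": time.time() + REFRESH_TTL}
            return {**self._issue_access(p["username"], device, rt), "refresh_token": rt}
        if grant_type == "refresh_token":
            rec = self.refresh.get(p.get("refresh_token"))
            if rec is None or rec["exp"] < time.time():
                return {"error": "invalid_grant"}
            return self._issue_access(rec["user"], rec["device"], p["refresh_token"])
        return {"error": "unsupported_grant_type"}

    def revocation_endpoint(self, username, password, device=None):
        """POST /revoke, guarded by the superordinate credential (the password), never
        by the token itself, so a lost phone can be cut off from any other device."""
        if not self._password_ok(username, password):
            return {"error": "invalid_grant"}
        gone = [rt for rt, r in self.refresh.items()
                if r["user"] == username and device in (None, r["device"])]
        for rt in gone:
            del self.refresh[rt]
        for at in [a for a, r in self.access.items() if r["parent"] in gone]:
            del self.access[at]
        return {"revoked": len(gone)}

    def change_password(self, username, old_password, new_password):
        """Refuses a stored token as proof, so a thief cannot lock the owner out;
        a successful change revokes every device."""
        if not self._password_ok(username, old_password):
            return {"error": "invalid_grant"}
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _pw_hash(new_password, salt))
        return self.revocation_endpoint(username, new_password)

    def tokeninfo_endpoint(self, access_token):
        """GET /tokeninfo: what the resource endpoint asks before serving."""
        rec = self.access.get(access_token)
        if rec is None or rec["exp"] < time.time():
            return {"error": "invalid_token"}
        return {"user": rec["user"], "device": rec["device"], "exp": rec["exp"]}


def lost_device_scenario():
    """Walks the deck's lost-phone story and returns the observations."""
    srv = AuthorizationServer()
    first = srv.token_endpoint("password", "phone-1",
                               username="alice", password="correct horse battery")
    stolen_rt = first["refresh_token"]        # what a thief finds on the phone
    later = srv.token_endpoint("refresh_token", "phone-1", refresh_token=stolen_rt)
    takeover = srv.change_password("alice", stolen_rt, "pwned")
    cutoff = srv.revocation_endpoint("alice", "correct horse battery", device="phone-1")
    after = srv.token_endpoint("refresh_token", "phone-1", refresh_token=stolen_rt)
    return {"first_login": "refresh_token" in first,
            "refresh_works": "access_token" in later,
            "takeover_blocked": takeover.get("error") == "invalid_grant",
            "revoked": cutoff["revoked"],
            "refresh_after_revoke": after.get("error"),
            "old_access_after_revoke": srv.tokeninfo_endpoint(later["access_token"]).get("error")}
```

Calling `lost_device_scenario()` returns the six observations. Two design points carry the slide's argument: revocation deletes the access tokens derived from a refresh token as well (otherwise a thief keeps up to ACCESS_TTL of access after the owner acted), and a password change revokes every device, so an attacker who did manage a change would also log the owner's phone out, which is the visible symptom the owner needs.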
  • 11. Use Case: Car-as-Caller
    Which Trick to Do?
    [Diagram: users A, B … Z reach, via their user agents, a composite application (e.g. composite.mycompany.com), which in turn calls the public-facing Web API endpoints (e.g. graph.facebook.com) of a Web application holding resources owned by consumer user B. The composite application authenticates A, B … Z; the API provider authenticates the composite application.]
    ▶ Event:
      – A Web application provides access to user-owned resources
      – It is called by other applications acting on behalf of users (called composite applications)
    ▶ Goal: user-managed access
      – The resource owner retains control of who may access her/his resources
    ▶ Example: a third-party application posts to a user's Facebook wall
  • 12. Use Case: Car-as-Caller
    Chickens: Birds that Do Not Fly
    ▶ IT-security: relying on 2-party authentication contexts
      – Handing user credentials to third parties (here: composite applications), which then authenticate themselves as the user: anti-pattern
      – Using client credentials of composite applications only:
        • API consumers (here: composite applications) authenticate users: okay
        • API providers authenticate API consumers: okay
        • API providers trust API consumers to make "I ask for John Doe" requests only when John Doe is actually asking: in many cases not good enough
    ▶ IAM: using enterprise authorization machinery (EIAM products)
      – Utilizes long-lived authorization policy objects established a priori and managed out-of-band (away from the browsing sessions of users)
  • 13. Use Case: Car-as-Caller
    New Web Security Standard: OAuth, 3 Parties
    [Diagram: the composite application (API consumer) redirects the user to the API provider's authorization endpoint with clientID and scope (GET); the user establishes authentication/authorization there and is redirected back to the composite application with a code; the composite application POSTs its client credentials and the code to the token endpoint and receives an access_token; POST/GET/PUT/PATCH/DELETE calls to the resource endpoint (business APIs) carry the access_token. Provider-side security APIs: authorization endpoint, token endpoint and tokeninfo endpoint, backed by a user store, token store and client store.]
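The 3-party exchange of slide 13 with both sides' messages, as an added example that is not part of the original deck: the API provider implements the authorization and token endpoints, the composite application acts as the OAuth client. The client registration, the authorization endpoint URL, the redirect URI, the users "userB"/"userC" and the scope "wall:write" are constructed values, and the endpoint signatures are assumptions rather than any provider's API. The demo shows the checks that make the decoupling safe: the user logs in and consents only at the provider, the code is bound to the client and redirect URI and is single-use, the client authenticates with its own credentials when redeeming it, and the client ties each callback to the local session that started the flow through the state parameter.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not code from the original deck. The endpoints are those drawn on
# slide 13; client registration, URLs, users and scope are constructed values.
AUTHZ_ENDPOINT = "https://api.example.com/authorize"
CLIENTS = {"composite-app": {"secret": "constructed-client-secret",
                             "redirect_uri": "https://composite.mycompany.com/cb"}}
CODE_TTL, TOKEN_TTL = 60, 3600


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ApiProvider:
    """Authorization endpoint, token endpoint and the stores behind them."""

    def __init__(self):
        self.codes = {}    # code -> {client_id, redirect_uri, user, scope, exp}
        self.tokens = {}   # access_token -> {user, client_id, scope, exp}

    def authorize(self, request_url, authenticated_user, consented):
        """GET /authorize via the user's browser, after login and consent at the provider."""
        q = _query(request_url)
        client = CLIENTS.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")  # no open redirect
        back = {"state": q.get("state", "")}
        if q.get("response_type") != "code" or not consented:
            back["error"] = "access_denied"     # the resource owner keeps control
        else:
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                                "user": authenticated_user, "scope": q.get("scope", ""),
                                "exp": time.time() + CODE_TTL}
            back["code"] = code
        return client["redirect_uri"] + "?" + urlencode(back)

    def token(self, client_id, client_secret, code, redirect_uri):
        """POST /token on the back channel, with client credentials and the code."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        rec = self.codes.pop(code, None)        # single use: a replayed code fails
        if (rec is None or rec["exp"] < time.time() or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": rec["user"], "client_id": client_id,
                            "scope": rec["scope"], "exp": time.time() + TOKEN_TTL}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": TOKEN_TTL}


class CompositeApp:
    """The API consumer: holds client credentials and its own user sessions, never the user's provider password."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.secret = CLIENTS[client_id]["secret"]
        self.redirect_uri = CLIENTS[client_id]["redirect_uri"]
        self.pending = {}   # state -> local session that started the flow

    def start(self, local_session, scope):
        state = secrets.token_urlsafe(16)      # ties the callback to this session
        self.pending[state] = local_session
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, redirect_url, provider):
        q = _query(redirect_url)
        session = self.pending.pop(q.get("state"), None)
        if session is None:                    # CSRF or session-fixation attempt
            return {"error": "state_mismatch"}
        if "error" in q:
            return {"error": q["error"], "session": session}
        return {"session": session, "token": provider.token(
            self.client_id, self.secret, q["code"], self.redirect_uri)}


def run_flow():
    """User B lets the composite app write to her wall; then the checks that bite."""
    provider, app = ApiProvider(), CompositeApp("composite-app")
    redirect = provider.authorize(app.start("session-of-B", "wall:write"),
                                  authenticated_user="userB", consented=True)
    ok = app.callback(redirect, provider)
    meta = provider.tokens[ok["token"]["access_token"]]
    replay = provider.token(app.client_id, app.secret, _query(redirect)["code"], app.redirect_uri)
    denied = app.callback(provider.authorize(app.start("session-of-C", "wall:write"),
                                             "userC", consented=False), provider)
    return {"session": ok["session"], "token_user": meta["user"],
            "token_client": meta["client_id"], "token_scope": meta["scope"],
            "replay": replay.get("error"), "denied": denied.get("error"),
            "stale_state": app.callback(redirect, provider).get("error")}
```

`run_flow()` returns the outcome of each check. Note what the provider records against the token: the user who consented, the client that redeemed the code and the scope that was granted; that triple is what the resource endpoint later compares the request against, and it is exactly the binding the 2-party shortcut of slide 12 cannot express.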
  • 14. The Trick Behind these Tricks
    New Web Security Protocols Facilitate Decoupling
    ▶ Some Web API use cases have no adequate coverage in classical Web security:
      – Mobile app authentication, persisted login (cf. car-as-callee)
      – Resource access authorization in the presence of intermediaries (cf. car-as-caller)
    ▶ For the others, where alternatives exist: uniform security enforcement across the various API protection use cases. The following working schedule applies (RFC 6750):
    [Flow chart, for Post/Get/Put/Patch/Delete… /resource:
      1. Is the resource protected? No → serve it. Yes → continue
      2. Is an OAuth token present? No → HTTP 401 Unauthorized
      3. Is the token valid? Get the token metadata (GET /tokeninfo for the OAuth token → HTTP 200 OK with token metadata incl. validity; standardization ongoing). Okay → continue, else HTTP 401 Unauthorized
      4. Does the request match the token metadata? Okay → HTTP 200 OK / 201 Created with the resource, else HTTP 401 Unauthorized]
  • 15. Protecting Web-Based Services
    Revised
    [Diagram, the revised version of slide 4: Web UI endpoints (e.g. www.facebook.com), consumed by Web browsers and mobile browsers, keep classical Web security (application: form-based login; HTTP: SSO session cookies; transport: SSL/TLS). Web API endpoints (e.g. graph.facebook.com), consumed by browser-based apps, mobile apps and composite applications, get new Web security (application: OAuth services; HTTP: OAuth tokens; transport: SSL/TLS).]
  • 16. Use Case: Car-as-Callee
    Best Current Practice
    [Diagram, numbered steps: 1. Authn; 2. Get VINs/vehicles; 3. Select car; 4. Do things remotely… (mobile app over public networks to the Web API infrastructure); 5. Backend operation with VIN; 6. Instruction message to the IMSI (car connect infrastructure, VPN to the embedded communication endpoint in the vehicle); 7. Get details. Stores: identity store (User<X>: userid, password, VINs…), CRM store (Vehicle<Y>: VIN, IMSI…), vehicle object.]
    User/car pairing via VIN is managed by the maker (CRM application) and/or the owners (portal), subject to the applicable contract/security means.
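The enforcement schedule of slide 14 and step 5 of slide 16, joined in one added example that is not part of the original deck: a resource endpoint that asks the four questions of the flow chart in order and, for a remote command, then checks that the VIN is paired with the user the token names before any instruction is queued for the car's IMSI. Tokens, scopes, VINs, IMSIs, paths and the tokeninfo record shape are constructed demo data and assumptions (token introspection was only standardized later, in RFC 7662). One caveat a practitioner will want: where the slide answers HTTP 401 throughout, RFC 6750 distinguishes 400 invalid_request for a malformed bearer header, 403 insufficient_scope for a valid token lacking the scope, and 401 invalid_token for an expired or unknown one; the code follows the RFC.

```python
# Added example, not code from the original deck. It joins the enforcement schedule
# of slide 14 (the bearer-token checks of RFC 6750) with step 5 of slide 16: the
# backend must confirm the VIN is paired with the user the token names before any
# instruction goes out to the car's IMSI. Tokens, scopes, VINs, IMSIs, paths and the
# shape of the tokeninfo record are constructed demo data and assumptions.
NOW = 1_700_000_000
REALM = "api.mycompany.com"

TOKENINFO = {   # stands in for GET /tokeninfo at the provider's security APIs
    "tok-alice-full": {"user": "alice", "client_id": "mobile-app",
                       "scope": "car:read car:control", "aud": REALM, "exp": NOW + 600},
    "tok-alice-ro": {"user": "alice", "client_id": "mobile-app",
                     "scope": "car:read", "aud": REALM, "exp": NOW + 600},
    "tok-expired": {"user": "alice", "client_id": "mobile-app",
                    "scope": "car:read car:control", "aud": REALM, "exp": NOW - 1},
}
IDENTITY_STORE = {"alice": {"vins": {"VIN-A1"}}, "bob": {"vins": {"VIN-B1"}}}
CRM_STORE = {"VIN-A1": {"imsi": "imsi-a1"}, "VIN-B1": {"imsi": "imsi-b1"}}
PROTECTED = {("GET", "/vehicles"): "car:read",          # required scope; None = public
             ("POST", "/vehicles/doors"): "car:control",
             ("GET", "/health"): None}


def _challenge(status, **attrs):
    """WWW-Authenticate header in the form RFC 6750 section 3 prescribes."""
    parts = [f'realm="{REALM}"'] + [f'{k}="{v}"' for k, v in attrs.items()]
    return status, {"WWW-Authenticate": "Bearer " + ", ".join(parts)}, None


def enforce(method, path, headers, body=None, now=NOW, tokeninfo=TOKENINFO):
    """The four questions of slide 14, in order; returns (status, headers, body).
    Where the slide answers 401 throughout, RFC 6750 is more specific: a malformed
    bearer header is 400 invalid_request, a token without the needed scope is 403
    insufficient_scope, and only an absent, expired or unknown token is 401."""
    if (method, path) not in PROTECTED:
        return 404, {}, None
    required = PROTECTED[(method, path)]
    if required is None:                                     # 1. resource not protected
        return 200, {}, {"ok": True}
    scheme, _, token = (headers.get("Authorization") or "").partition(" ")
    if scheme.lower() != "bearer":                           # 2. no bearer token present
        return _challenge(401)
    if not token.strip():
        return _challenge(400, error="invalid_request")
    info = tokeninfo.get(token.strip())                      # 3. token valid?
    if info is None or info["exp"] <= now or info.get("aud") != REALM:
        return _challenge(401, error="invalid_token")
    if required not in info["scope"].split():                # 4. request matches metadata?
        return _challenge(403, error="insufficient_scope", scope=required)
    principal = {"user": info["user"], "client_id": info["client_id"]}
    if method == "POST":
        return remote_command(principal, body or {})
    vins = sorted(IDENTITY_STORE.get(principal["user"], {}).get("vins", ()))
    return 200, {}, {"principal": principal, "vins": vins}


def remote_command(principal, body):
    """Steps 5 and 6 of slide 16: a valid token only says who is asking. The pairing
    check decides whether that user may command this VIN; the IMSI is resolved and
    the instruction queued only afterwards, so foreign VINs leak nothing."""
    vin = body.get("vin")
    if vin not in IDENTITY_STORE.get(principal["user"], {}).get("vins", set()):
        return 403, {}, {"error": "vin_not_paired_with_user"}
    return 202, {}, {"queued": {"imsi": CRM_STORE[vin]["imsi"], "action": body.get("action")}}
```

`enforce("POST", "/vehicles/doors", {"Authorization": "Bearer tok-alice-full"}, {"vin": "VIN-B1", "action": "lock"})` returns 403 with `vin_not_paired_with_user`: the token is perfectly valid and carries the right scope, which is exactly why the pairing check cannot be left to the token layer. The 401 challenge for a missing token deliberately carries no error code, as RFC 6750 recommends, so an unauthenticated probe learns nothing about the realm's token formats.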
  • 17. Use Case: Car-as-Caller
    Current Practices
    [Diagram of today's integration patterns, all reaching the provider of Web-based services over wide-area links: an integrated mobile browser in the car (smart-phone as modem) talks through a gateway in a data center to the Web UI endpoints (e.g. www.facebook.com) under classical Web security; a head unit integrating an off-the-shelf (OTS) mobile app over near-field, and a vendor-specific device app (smart-phone as modem), talk through a composite application in a data center to the Web API endpoints (e.g. graph.facebook.com) under new Web security.]
  • 18. Conclusion
    We Live in Interesting Times
    ▶ Everything is changing; new use cases require new approaches:
      – IT-security: classical Web security is no full answer for the new use cases around social, mobile, IoT and Web APIs → a new suite of Web security mechanisms: OAuth (IETF), OIDC (OIDF), JOSE (IETF), UMA (Kantara)…
      – IAM: old-school EIAM is no full answer for them either → new cases (consumer users), entities (devices/things…) and concepts (relationship management)…
    ▶ OAuth is the leader of 'new Web security', but is also a whole zoo in itself:
      – The OAuth 2.0 additions turn the special-purpose tool OAuth 1.x into a Swiss army knife → confusion is omnipresent
      – OAuth is a framework with many options that leaves many decisions to implementers → 'new Web security' solutions come in many colors and flavors
    ▶ This is already real, not abstract/academic, and will become pervasive:
      – Security services/infrastructure delivered by OAuth endpoints can be adopted by environments that do not use HTTP as their native protocol
  • 20. Abbreviations
    AJAX   Asynchronous JavaScript and XML
    API    Application Programming Interface
    Authn  Authentication
    Authz  Authorization
    CIAM   IAM for Consumer users
    CRUD   Create/Read/Update/Delete
    EIAM   IAM for Enterprise users
    IAM    Identity and Access Management
    IdM    Identity Management
    IMSI   International Mobile Subscriber Identity
    IoT    Internet of Things
    JOSE   JSON Object Signing and Encryption
    JSON   JavaScript Object Notation
    JWT    JSON Web Token
    OAuth  Open Authorization
    OIDC   OpenID Connect
    OIDF   OpenID Foundation
    OTS    Off-The-Shelf
    REST   Representational State Transfer
    ROPC   Resource Owner Password Credentials
    SAML   Security Assertion Markup Language
    SOAP   Simple Object Access Protocol
    SSO    Single Sign-On
    UA4C   User Authentication for Clients
    UI     User Interface
    UMA    User Managed Access
    VIN    Vehicle Identification Number
    VPN    Virtual Private Network
    XML    eXtensible Markup Language
  • 21. Further Information
    ▶ Bertocci, Vittorio: OAuth 2.0 and Sign-In. Blog, 2013
    ▶ Bray, Tim: How to Think About OAuth. Blog, 2013
    ▶ Fielding, Roy: Architectural Styles and the Design of Network-based Software Architectures. PhD thesis, University of California, Irvine, 2000
    ▶ Glazer, Ian: Killing Identity Management in Order to Save It. YouTube, 2013
    ▶ Hunt, Phil: OAuth: Does It Authorize? Blog, 2011
    ▶ Jones, Mike: The Emerging JSON-Based Identity Protocol Suite. Paper, W3C Workshop on Identity in the Browser, 2011
    ▶ Kiani, Khash: OAuth: Securing the Insecure. Presentation, 2011
    ▶ Madsen, Paul: Mobile Native App OAuth Decision Framework. Presentation, 2011
    ▶ N.N.: BMW to have 10M connected cars in 5 years. Heads-up, 2013
    ▶ Pautasso, Cesare; Zimmermann, Olaf; Leymann, Frank: RESTful Web Services vs. "Big" Web Services: Making the Right Architectural Decision. Proc. of the 17th International World Wide Web Conference, Beijing, 2008
    ▶ Richer, Justin: Auth* in the Extended Enterprise. Presentation, MIT Legal Hack-A-Thon, 2013
    ▶ Web API directory: http://www.programmableweb.com/apis/directory
    ▶ Yegge, Steve: Stevey's Google Platforms Rant. Posting, 2011
  • 22. About Web/REST APIs
    ▶ Web APIs:
      – Programmatic interface to a remote IT-system
      – Exposed for consumption across wide-area networks
      – Accessed by means of HTTP
      – Request/response contents expressed as JSON or XML
    ▶ REST:
      – Architectural style for Web APIs
      – Utilizes HTTP to deliver CRUD operations for arbitrary abstractions, without alien protocols such as SOAP
    ▶ Examples:
      – Amazon Web Services, Facebook, Force.com, Google, Twitter, Yahoo
      – Many more, cf. programmableweb.com for a directory of Web APIs
  • 23. Anatomy of Web/REST APIs
    Web API endpoint (e.g. servlet), called by browser-based/mobile apps and composite applications:
      – CREATE: HTTP Post; in: URL, headers, JSON/XML; out: JSON/XML
      – READ: HTTP Get; in: URL, headers; out: JSON/XML
      – UPDATE: HTTP Patch/Put; in: URL, headers, JSON/XML; out: JSON/XML
      – DELETE: HTTP Delete; in: URL, headers; out: n.a.
    Web UI endpoint (e.g. servlet, JSP, JSF), called by Web/mobile browsers:
      – CREATE: HTTP Post; in: URL, headers, keywords/values; out: HTML
      – READ: HTTP Get; in: URL, headers; out: HTML
  • 24. API Initiatives in Automotive
    ▶ Published APIs:
      – SDKs, esp. JavaScript APIs and/or Web APIs:
        • Ford Vehicle API
        • Genivi Web API Vehicle
        • GM Vehicle API
        • Tizen (Intel) Vehicle API
        • QNX Automotive API
        • Webinos (BMW et al.) Vehicle API
      – Cf. W3C for API initiatives in automotive
    ▶ Unpublished APIs:
      – Various
  • 25. Taxonomy of Web Applications
    A Web application (e.g. war file) exposes a Web UI and/or a Web API; the Web API serves single-user API clients and multi-user API clients.
    Property                       Web UI                                  Web API, single-user client       Web API, multi-user client
    Consumers                      Web/mobile browsers                     Browser-based apps/mobile apps    Composite applications
    Programmatic access            No                                      Yes                               Yes
    Caller serves multiple users   No                                      No                                Yes
    HTTP methods                   Post/Get                                Post/Get/Put/Patch/Delete etc.    Post/Get/Put/Patch/Delete etc.
    Request content                application/x-www-form-urlencoded       application/json or xml           application/json or xml
    Response content               application/xhtml+xml, text/html etc.   application/json or xml           application/json or xml
  • 26. Types of Web Application Clients
    ▶ Web/mobile browsers
      – Provided as classical software installations resp. in app stores
      – Run as standalone applications on desktops/laptops (e.g. Chrome, Firefox, IE, Safari) or tablets/smartphones (e.g. Chrome, Firefox mobile, IE Mobile, Safari)
      – Serve single users, allow access to arbitrary servers on the Web
    ▶ Browser-based apps
      – Downloaded from Web applications (scripts in source form)
      – Executed in Web browsers, e.g. the AJAX client for GMail access
      – Serve single users, allow access to a dedicated server on the Web
    ▶ Mobile apps
      – Provided in app stores (binary form)
      – Run as standalone applications on tablets or smart-phones, e.g. the GMail app
      – Serve single users, allow access to a dedicated server on the Web
    ▶ Composite applications aka Web server-based apps
      – Provided by services on the Web
      – Run in Web or application servers, e.g. USPS Tracking (US Postal Service/Google Maps APIs)
      – Serve a whole user population, utilize other downstream Web applications
  • 27. OAuth 2.0 Clients
    Taxonomy: Web Client vs. OAuth Grant Types
    Grant type                        Browser-based app       Mobile app              Composite app
    Authorization code                - (client is public)    - (client is public)    ☺
    Implicit                          ☺                       ☺                       -
    ROPC                              ☺                       ☺                       -
    Client credentials                - (client is public)    - (client is public)    ☺
    Refresh token                     ☺ (via ROPC)            ☺ (via ROPC)            ☺ (via authorization code)
    JWT/SAML bearer token/assertion   ☺                       ☺                       ☺
    Custom                            N.a.                    N.a.                    N.a.
    Note: Web browsers cannot act as OAuth clients (for ROPC they could post OAuth token requests if supported by adequate forms, but cannot render the responses; additional deltas apply for the other grant types).
  • 28. OAuth 2.0 Clients
    Best Current Practice Example: Google APIs
    Grant type                        Browser-based app                        Mobile app                              Composite app
    Authorization code                -                                        OAuth 2.0 for Installed Applications*   OAuth 2.0 for Web Server Applications
    Implicit                          OAuth 2.0 for Client-side Applications   -                                       -
    ROPC                              -                                        -                                       -
    Client credentials                -                                        -                                       -
    Refresh token                     -                                        Via authorization code, custom          Via authorization code
    JWT/SAML bearer token/assertion   -                                        -                                       OAuth 2.0 for Server to Server Applications
    Custom                            -                                        OAuth 2.0 for Devices                   -
    *: Requires that the application has access to the system browser or can embed a browser control. This does not match the picture in RFC 6749, which classifies mobile apps as public clients, for which the taxonomy on slide 27 assumes the implicit grant rather than the authorization code grant (RFC 6749 itself allows public clients either grant, the authorization code grant then without client authentication).