40
The State of Authenticating RESTful APIs @rob_winch

State of Authenticating RESTful APIs

Embed Size (px)

Citation preview

Page 1: State of Authenticating RESTful APIs

The State of Authenticating RESTful APIs

@rob_winch

Page 2: State of Authenticating RESTful APIs
Page 3: State of Authenticating RESTful APIs

Authentication

Page 4: State of Authenticating RESTful APIs

4

Naïve approach…

https://api.example.com?username=rob&password=secret

Page 5: State of Authenticating RESTful APIs

5

Naïve approach…

https://api.example.com?username=rob&password=secret

Page 6: State of Authenticating RESTful APIs

“ Come on Bender. It's up to you to make your own decisions in life. That's what's separates people and robots from animals .. and animal robots!Fry

Futurama

Page 7: State of Authenticating RESTful APIs

7

RFC-7231 Sensitive Information

“ Authors of services ought to avoid GET-based forms for the submission of sensitive data …

- RFC-7231: Section 9.4

Page 8: State of Authenticating RESTful APIs

Basic Authentication

Page 9: State of Authenticating RESTful APIs

Basic Authentication

Page 10: State of Authenticating RESTful APIs

Digest Authentication

Page 11: State of Authenticating RESTful APIs

Transport Layer Security (TLS)

• Confidentiality• Integrity

Page 12: State of Authenticating RESTful APIs
Page 14: State of Authenticating RESTful APIs
Page 15: State of Authenticating RESTful APIs

https://letsencrypt.org/

https://letsencrypt.org/

Page 16: State of Authenticating RESTful APIs

TLS Performance

• Computational overhead• Latency overhead• Cache

Page 17: State of Authenticating RESTful APIs

Adam Langley, Google

“On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10

KB of memory per connection and less than 2% of network overhead.

https://goo.gl/IYJrqv

Page 18: State of Authenticating RESTful APIs

Doug Beaver, Facebook

“We have found that modern software-based TLS implementations running on commodity CPUs are fast

enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware.

https://goo.gl/pf8Xwh

Page 19: State of Authenticating RESTful APIs

Jacob Hoffman-Andrews, Twitter

“HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU

usage.

https://goo.gl/Re0ijb

Page 20: State of Authenticating RESTful APIs

TLS Optimize

• TLS Resumption• Latency• Online Certificate Status Protocol (OCSP)• Cloudflare

20

Page 21: State of Authenticating RESTful APIs

21

Optimizing TLS

Is TLS Fast Yet.com

Page 22: State of Authenticating RESTful APIs

HTTP Basic over HTTPS?oclHashcat

Hash Type Speed

MD5 115.840 Bh/s

SHA1 37.336 Bh/s

SHA256 14.416 Bh/s

SHA512 4.976 Bh/sUbuntu 14.04, 64 bit

ForceWare 346.298x NVidia Titan X

Page 23: State of Authenticating RESTful APIs

23

Introduce Sessionusername=winch&name=Rob+Winch

Page 24: State of Authenticating RESTful APIs

24

Encrypting the Session

Base64(IV, aes_cbc(k,IV,plainText))

• k – a secret key only known to server• aes_cbc – encrypts the plainText using AES/CBC with the

provided IV• plainText – format of username=winch&name=Rob+Winch

Page 25: State of Authenticating RESTful APIs

Your handwriting is atrocious,not encrypted

Page 26: State of Authenticating RESTful APIs

Introduce Session

username=winch&name=Rob+Winch

username=admin&name=Rob+Winch

Can change properly encrypted value below:

To have the following Plaintext

https://goo.gl/2Uio0W

Page 27: State of Authenticating RESTful APIs

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

JWT Encoded

Header{ "alg": "HS256", "typ": "JWT”

}

Payload{ "sub": "1234567890", "name": "John Doe", "admin": true}

Page 28: State of Authenticating RESTful APIs

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “secret”)

JWT Signature

Page 31: State of Authenticating RESTful APIs

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.

JWT Encoded

Header{ "alg": "none", "typ": "JWT”

}

Payload{ "sub": "1234567890", "name": "John Doe", "admin": true}

Page 32: State of Authenticating RESTful APIs

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. EkN-DOsnsuRjRO6BxXemmJDm3HbxrbRzXglbN2S…

JWT Encoded

Header{ "alg": "RS256", "typ": "JWT”

}

Payload{ "sub": "1234567890", "name": "John Doe", "admin": true}

Page 33: State of Authenticating RESTful APIs

RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), Private RSA Key)

Creating RSASHA256

Page 34: State of Authenticating RESTful APIs

RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), provided signature, Public RSA Key)

Verifying RSASHA256

Page 35: State of Authenticating RESTful APIs

Header{ "alg": "HS256", "typ": "JWT”

}

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), RSA Public Key)

JWT Signature

Page 36: State of Authenticating RESTful APIs
Page 37: State of Authenticating RESTful APIs

“… each request from client to server must contain all of the information necessary to understand the

request, and cannot take advantage of any stored context on the server.

- Roy Fielding, Architectural Styles andthe Design of Network-based Software Architectures

http://goo.gl/MzVy0V

Roy Fielding

Page 38: State of Authenticating RESTful APIs

Representational STATE transfer

“ … session state can be transferred by the server to another service such as a database to

maintain a persistent state for a period and allow authentication

- Wikipedia

http://goo.gl/bd33t7

Page 39: State of Authenticating RESTful APIs
Page 40: State of Authenticating RESTful APIs

Summary

• Do NOT place sensitive information in URL• Use HTTPS everywhere• Use “cached” credentials• Security prefers State

@rob_winch

Presentation Available at https://goo.gl/QTfCCW