OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)

Slides:

Advertisements

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.

Advertisements

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

April 23, XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security Steve Ko Computer Sciences and Engineering University at Buffalo.

IETF OAuth Proof-of-Possession

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

Principles of Information Security, 2nd edition1 Cryptography.

Internet Engineering Task Force Provisioning of Symmetric Keys Working Group Hannes Tschofenig.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

May 21, 2002Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Security Management.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.

每时每刻可信安全 1The DES algorithm is an example of what type of cryptography? A Secret Key B Two-key C Asymmetric Key D Public Key A.

Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.

Cryptography  Why Cryptography  Symmetric Encryption  Key exchange  Public-Key Cryptography  Key exchange  Certification.

©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.

(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.

Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.

DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 30 Message Security, User Authentication, and Key Management.

SSL (TLS) Part 2 Generating the Premaster and Master Secrets + Encryption.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 29 Internet Security.

Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.

Prabath Siriwardena – Software Architect, WSO2. Patterns Standards Implementations Plan for the session.

Secure Web Services Arvind Easwaran CIS/TCOM 551 Spring 2004 Slide Set 7.

Using Public Key Cryptography Key management and public key infrastructures.

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

Web Authorization Protocol (oauth) IETF 90, Toronto Chairs: Hannes Tschofenig, Derek Atkins Responsible AD: Kathleen Moriarty Mailing List:

Web Authorization Protocol (oauth) Hannes Tschofenig.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.

Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.

OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.

CIA AAA. C I A Confidentiality I A Confidentiality Integrity A.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Security. Cryptography (1) Intruders and eavesdroppers in communication.

MIP6 RADIUS IETF-72 Update draft-ietf-mip6-radius-05.txt A. LiorBridgewater Systems K. ChowdhuryStarent Networks H. Tschofenig Nokia Siemens Networks.

CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.

Fundamentals of Network Security Ravi Mukkamala SCI 101 October 6, 2003.

IETF Provisioning of Symmetric Keys (keyprov) WG Update WG Chairs: Phillip Hallam-Baker Hannes Tschofenig Presentation by Mingliang Pei 05/05/2008.

Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.

Hannes Tschofenig, Derek Atkins

OAuth WG Conference Call, 11th Jan. 2013

Phil Hunt, Hannes Tschofenig

Computer Communication & Networks

Chairs: Derek Atkins and Hannes Tschofenig

Agenda OAuth WG IETF 87 July, 2013.

IETF103 Bangkok Web Authorization Protocol (OAuth)

OAuth Design Team Call 11th February 2013.

Token-based Authentication

IETF102 Montreal Web Authorization Protocol (OAuth)

OpenID Enhanced Authentication Profile (EAP) Working Group

Presentation transcript:

OAuth Security Hannes Tschofenig Derek Atkins

State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements) and in Appendix 4 (Use Cases) of v2-http-mac-05http://tools.ietf.org/html/draft-ietf-oauth- v2-http-mac-05 Two solution approaches documents available in the group: – MAC Token: draft-ietf-oauth-v2-http-mac-05draft-ietf-oauth-v2-http-mac-05 – HOTK: draft-tschofenig-oauth-hotk-03draft-tschofenig-oauth-hotk-03

I Client Authorization Server Resource Server II III

I Client Authorization Server Resource Server II III

I: Key Distribution AS Client Variants: – Key Distribution at Token Issuance – Key Distribution at Registration Approaches: – Server-provided key – Client-provided key – Joint key control / key agreement Examples: – Section of HOTK for asymmetric keys – Section 4.1 of MAC Token for symmetric keys

Lifetime Hierarchy OauthKerberos Client Secret / AssertionsLong-term Username/Passwd Refresh TokensTicket Granting Ticket Access Token-based keyService tickets

I Client Authorization Server Resource Server II III

II: Client RS Interaction Components: a)Proof of possession of client key b)Message integrity / Channel Binding c)Server-to-client authentication a)As part of TLS b)Custom application-layer solution Examples: – Section 5 of MAC Token for symmetric keys (encoded as HTTP header) – Section of HOTK for asymmetric keys – Section of HOTK for symmetric keys (encoded as JSON structure)

I Client Authorization Server Resource Server II III

III: Key Distribution AS RS Variants: a) Embedded key b) Token introspection c) Out-of-band Examples: Ad a) Section 4.2 of HOTK Ad b) draft-richer-oauth-introspection Ad c) PKI

Next Steps: Document Restructuring Use Cases, Requirements and Design Rational – Currently in the appendix of MAC Token – Update to reflect new use cases Key Distribution AS Client – Cover symmetric as well as asymmetric case Client RS Communication – Section 5 of MAC Token & Section 3.2 of HOTK. – Includes keyed message digest/signature calculation algorithm. – Includes binding to transport – Includes JSON structure. Token introspection Encoding of PoP in JWT (symmetric & asymmetric)