Presentation is loading. Please wait.

Presentation is loading. Please wait.

Phil Hunt, Hannes Tschofenig

Published byMyrtle Matthews Modified over 6 years ago

Similar presentations

Presentation on theme: "Phil Hunt, Hannes Tschofenig"— Presentation transcript:

1 Phil Hunt, Hannes Tschofenig
OAuth Security Phil Hunt, Hannes Tschofenig

2 Status The charter has a security related item.
In the meanwhile we had produced a more comprehensive threats and security requirements document:

3 Security and Privacy Threats
List of threats is based on NIST Special Publication Token manufacture/modification Token disclosure Token redirect Token reuse Details in Section 3 of

4 Threat Mitigation An important part of the threat mitigation is the protection of the token. This work was done in JOSE, in a separate working group, but originated in the OAuth WG. There are different directions regarding the mitigation of threats. Three broad classes exist: Confidentiality Protection Sender Constraint Key Confirmation RFC 6749 offers a solution to these threats using approach (1). Now, we tackle approach (3).

5 Security Requirements
There are two components that need to be considered: Client<->Authorization Server: Requesting and obtaining keying material and meta-data. Client<->Resource Server: Confirming knowledge of the key

6 Privacy & Security Requirements, cont.
RFC 4962 provides guidance for three party authentication and key exchange protocols. Provides a good starting point. Requirements: Cryptographic Algorithm Independent Strong, fresh session keys Limit Key Scope Replay Detection Mechanism Authenticate All Parties Authorization Keying Material Confidentiality and Integrity

7 Privacy & Security Requirements, cont.
Confirm Cryptographic Algorithm Selection Uniquely Named Keys Prevent the Domino Effect Bind Key to its Context Authorization Restriction Client Identity Confidentiality Resource Owner Identity Confidentiality Collusion AS-to-RS Relationship Anonymity Details are provided in Section 5 of draft-tschofenig-oauth-security-00.txt

8 Suggested Design Approach
Maximum re-use of available OAuth & JSON WG specifications. Develop two alternative solutions based on symmetric as well as asymmetric cryptography. Hard to decide without being able to judge the details. Avoid options as much as possible. Tighten the usage of OAuth 2.0 features. Mandatory client authentication. Mandatory state attribute. Produce running code in parallel to the specification development. Chairs are considering conference calls for faster progress.

9 Strawman Client asks AS for a Token. Additional information, such as
Intended recipient Scope Algorithm indication Authorization Server returns two elements: For Client consumption: Keying material, lifetime, key id, granted scope, and other authorization information relevant for the client. For RS consumption: Access Token (with keying material included). Request and response encoded in JSON and is protected.

10 Strawman, cont. Client needs to demonstrate possession of a secret to the RS. Creates JSON object including key-id, algorithm information, replay protection information. Access Token also provided RS processes request and may derive keying material for subsequent Client<->RS interaction. TLS channel binding support provided, and can be added.

Download ppt "Phil Hunt, Hannes Tschofenig"

Similar presentations

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Small(er) Footprint for TLS Implementations Hannes Tschofenig Smart Object Security workshop, March 2012, Paris.

Small(er) Footprint for TLS Implementations Hannes Tschofenig Smart Object Security workshop, March 2012, Paris.
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Internet Engineering Task Force Provisioning of Symmetric Keys Working Group www.oasis-open.org Hannes Tschofenig.

Internet Engineering Task Force Provisioning of Symmetric Keys Working Group Hannes Tschofenig.
ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23, 2014 1.

ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,
Key Management in Cryptography

Key Management in Cryptography
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.
Diameter End-to-End Security: Keyed Message Digests, Digital Signatures, and Encryption draft-korhonen-dime-e2e-security-00 Jouni Korhonen, Hannes Tschofenig.

Diameter End-to-End Security: Keyed Message Digests, Digital Signatures, and Encryption draft-korhonen-dime-e2e-security-00 Jouni Korhonen, Hannes Tschofenig.
OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)

OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

Similar presentations

Ads by Google