Third Party Authentication/Authorization - Hao-Lun Hsu, Taiwan Evolutionary Intelligence
- Slides: 31
Third Party Authentication/Authorization
Hao-Lun Hsu, Taiwan Evolutionary Intelligence Laboratory
2016/12/7 Group Meeting Presentation

Outline
- OpenID
- OAuth 1.0
- OAuth 2.0
- Other Third Party Authentication/Authorization
- Conclusion
OpenID
- An open standard and decentralized authentication protocol, issued in 2007.
- Traditionally every website had to build its own account and password system, which is a burden on developers.
- Users have to remember a separate account and password for every site, which is hard to manage.
- Single Sign-On (SSO), e.g. NTU SSO. OpenID is an implementation of SSO.

OpenID: Mechanism
Terminology:
- End User: the person who needs to prove their identity to a website.
- Identity Provider (IdP): the party that provides the OpenID authentication service, e.g. NTU SSO.
- Relying Party (RP): the website that wants to verify the End User's identifier, e.g. Ceiba.
OpenID: Process Flow (diagram: User, RP, IdP; the labelled messages are listed in order)
(A) User accesses the RP.
(B) User supplies an OpenID identifier.
(C) RP performs discovery.
(D) Discovery response to the RP.
(E) RP redirects the User to the OpenID Provider; the User accesses the OpenID Provider with the redirect URL.
(F) User presents credentials (password) to the IdP.
(G) IdP verifies the credentials.
(H) IdP redirects the User back to the RP with the IdP credentials.
(I) RP allows access.
(J) Protected data is returned.

OpenID: Security Issues
- Authentication bug
- Phishing
- Authentication hijacking over an unsecured connection
Authentication Bug (diagram: Attacker, IdP, RP)
- Attacker sends a fake request to the IdP that does not ask for the user's email address.
- IdP returns the identity (without an email address).
- Attacker forwards the identity to the RP with a fake email address appended.
- RP checks the signature (which does not cover the email field) and returns data to the attacker.
Reference: R. Wang, S. Chen, X. F. Wang, "Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services", 2012.
Phishing (diagram: Victim, malicious RP, fake IdP)
- Victim sends an access request to a malicious RP.
- The malicious RP redirects the Victim to a fake IdP.
- The Victim enters their user credentials at the fake IdP.

Authentication Hijacking in an Unsecured Connection (diagram: Victim, IdP, Attacker, RP)
- Victim authenticates with the IdP over an unsecured connection.
- Attacker sniffs the identity.
- Attacker accesses the RP with the sniffed identity and receives the Victim's data.
Authentication Hijacking in an Unsecured Connection: Mitigation
- Use nonces (a number used once): a nonce only works if the user is the first one to use the URL.
- Use TLS/SSL in the authentication process.
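Added example (not from the slides), covering both the authentication bug and the nonce mitigation above: an RP-side check in Python that verifies the IdP's HMAC over exactly the fields listed in openid.signed, refuses to consume any field outside that list (the appended-email bug), and accepts each response_nonce once within a freshness window. The association key, IdP and RP names and the in-memory nonce store are constructed for the demo.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Constructed association key for the demo; a real RP negotiates it with the IdP.
ASSOC_KEY = b"constructed-association-secret"
NONCE_TTL = 300       # seconds a response_nonce stays acceptable
_seen_nonces = set()  # single-process stand-in for the RP's shared nonce store
CORE_SIGNED = ("op_endpoint", "return_to", "response_nonce",  # always signed
               "assoc_handle", "claimed_id", "identity")


def kv_form(params, signed):
    """OpenID 2.0 key-value form: 'key:value\\n' for each key in openid.signed, in order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)


def sign(params, signed, key=ASSOC_KEY):
    """HMAC-SHA256 over the key-value form, base64-encoded (the openid.sig value)."""
    mac = hmac.new(key, kv_form(params, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_response(fields, signed, key=ASSOC_KEY):
    """Stand-in for the IdP: build a positive assertion that signs only `signed` fields."""
    params = {"openid." + k: v for k, v in fields.items()}
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign(params, signed, key)
    return params


def verify_response(params, used_fields, key=ASSOC_KEY, now=None):
    """Return the signed fields the RP may trust, or raise ValueError on a bad HMAC,
    a field the RP relies on outside openid.signed, or a stale/replayed nonce."""
    signed = params["openid.signed"].split(",")
    if not hmac.compare_digest(sign(params, signed, key), params["openid.sig"]):
        raise ValueError("bad signature")
    missing = [f for f in (*CORE_SIGNED, *used_fields) if f not in signed]
    if missing:
        raise ValueError(f"fields outside openid.signed: {missing}")
    nonce = params["openid.response_nonce"]  # e.g. 2016-12-07T10:00:00Zabc
    issued = calendar.timegm(time.strptime(nonce[:19], "%Y-%m-%dT%H:%M:%S"))
    now = time.time() if now is None else now
    if abs(now - issued) > NONCE_TTL:
        raise ValueError("nonce outside freshness window")
    if nonce in _seen_nonces:
        raise ValueError("nonce already used (replay)")
    _seen_nonces.add(nonce)
    return {f: params["openid." + f] for f in signed}
```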
OAuth
- A third-party application wants to access the friends list in your Facebook account. How can it do so? By handing it your Facebook account and password?
- OAuth is an open standard for authorization.
- It lets users authorize applications to access their information on other websites without giving those applications their passwords.
- Issued in 2007 (OAuth 1.0), 2009 (OAuth 1.0a) and 2010 (OAuth 2.0).

OAuth 1.0: Mechanism
Terminology:
- Service Provider: the provider of the OAuth service, e.g. Facebook Connect.
- User: someone who has an account on the Service Provider.
- Consumer: the program or website that needs the User's authorization to access the User's resources.
OAuth 1.0: Mechanism (diagram: Consumer, User, Service Provider)
(A) Consumer obtains a Request Token from the Service Provider.
(B) Service Provider returns the Request Token (unauthorized).
(C) Consumer redirects the User to the Service Provider with the Request Token.
(D) User authenticates (with the Callback URI).
(E) Service Provider redirects the User back; the Request Token is now authorized.
(F) Consumer obtains an Access Token.
(G) Service Provider returns the Access Token.
OAuth 1.0: Security Issue
Callback URI tampering: the attacker first initializes a legitimate Request Token, then tricks the Victim into authorizing it. By tampering with the Callback URI in the authorization request the Victim sends to the Service Provider, the authorized Request Token is delivered to a site chosen by the attacker. The attacker then sends the authorized Request Token back to the Consumer to complete the authorization flow.
OAuth 1.0a: Mechanism (diagram: Consumer, User, Service Provider)
(A) Consumer obtains a request token; the request carries the callback URL and is signed.
(B) Service Provider returns the request token (unauthorized).
(C) Consumer redirects the User with the request token.
(D) User authenticates (with the callback URL); the Service Provider verifies the callback URL.
(E) Service Provider redirects the User back with the request token (authorized) and a verifier.
(F) Consumer obtains an access token, presenting the verifier.
(G) Service Provider returns the access token.
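Added example (not from the slides) of the service-provider side of the 1.0a fix in Python: the callback is fixed when the request token is issued, the authorize step ignores any callback on the URL, and the verifier delivered through that callback is required to obtain the access token. The in-memory token store is constructed for the demo; signature checking on the consumer's requests is assumed to happen before these functions are called.

```python
import secrets

# Single-process stand-in for the service provider's request-token store.
_request_tokens = {}  # oauth_token -> {"callback", "authorized", "verifier"}


def issue_request_token(oauth_callback):
    """Steps (A)/(B): the consumer's signed request-token call carries oauth_callback,
    so the service provider records the callback before any user is involved."""
    token = secrets.token_hex(8)
    _request_tokens[token] = {"callback": oauth_callback, "authorized": False, "verifier": None}
    return token


def authorize_request_token(token, callback_from_url=None):
    """Steps (D)/(E): after the user authenticates, redirect only to the callback stored
    at (A). callback_from_url (the 1.0 tampering vector) is deliberately unused. The
    fresh oauth_verifier travels in that redirect, so only whoever receives it can
    finish the flow."""
    entry = _request_tokens.get(token)
    if entry is None or entry["authorized"]:
        raise ValueError("unknown or already authorized request token")
    entry["authorized"] = True
    entry["verifier"] = secrets.token_hex(8)
    sep = "&" if "?" in entry["callback"] else "?"
    return f"{entry['callback']}{sep}oauth_token={token}&oauth_verifier={entry['verifier']}"


def exchange_for_access_token(token, oauth_verifier):
    """Steps (F)/(G): the consumer presents the verifier from its callback; the request
    token is consumed whether or not the exchange succeeds."""
    entry = _request_tokens.pop(token, None)
    if entry is None or not entry["authorized"]:
        raise ValueError("request token not authorized")
    if oauth_verifier is None or not secrets.compare_digest(entry["verifier"], oauth_verifier):
        raise ValueError("verifier mismatch")
    return secrets.token_hex(16)  # the access token
```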
OAuth 1.0a: Disadvantages (and how OAuth 2.0 addresses them)
- Unfriendly to non-browser-based applications. 2.0: new ways for an application to obtain authorization for a user.
- Signatures complicate life for developers. 2.0: rely on SSL/TLS instead.
- Access tokens live too long. 2.0: short-lived access token plus refresh token.

OAuth 2.0
Terminology:
- Resource Owner: the entity that can authorize others to access a Protected Resource.
- Resource Server: the server that hosts the Protected Resource; it accepts requests for the Protected Resource based on the Access Token.
- Client: the application that accesses the Protected Resource on behalf of the Resource Owner.
- Authorization Server: the provider of the authorization service.
OAuth 2.0: Abstract Protocol Flow (diagram: Client, Resource Owner, Authorization Server, Resource Server)
- Client sends an Authorization Request to the Resource Owner.
- Resource Owner returns an Authorization Grant.
- Client presents the Authorization Grant to the Authorization Server.
- Authorization Server returns an Access Token.
- Client presents the Access Token to the Resource Server.
- Resource Server returns the Protected Resource.

OAuth 2.0: Mechanism
There are 4 grant types:
- Authorization Code Grant Flow
- Implicit Grant Flow
- Resource Owner Password Credentials Grant Flow
- Client Credentials Grant Flow
Access token: a string identifier carrying scope, expiry time, etc.
Refresh token: used to obtain a new access token.

Authorization Code Grant Flow (diagram: Client, User Agent, Resource Owner, Authorization Server)
(A) Client directs the User Agent to the Authorization Server with the Client Identifier, Scope and Redirection URI.
(B) User authenticates (the Resource Owner, via the User Agent).
(C) Authorization Server returns an Authorization Code to the Client through the User Agent.
(D) Client sends the Client ID, Authorization Code and Redirection URI to the Authorization Server.
(E) Authorization Server returns an Access Token and, optionally, a Refresh Token.
Authorization Code Grant Flow
- The Authorization Server first issues a grant code, then an Access Token (two steps).
- Suited to Confidential Clients, e.g. applications deployed on a server.
- Requires User-Agent redirection.
Security issues:
- Authorization Code exposed in transit: use TLS.
- Authorization Code reused: the code must be short-lived and single-use.
- Redirection URI tampered with: register the Redirection URI in advance and verify it.
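Added example (not from the slides): an authorization-server model in Python applying the three mitigations above, an https-only redirection URI that must exactly match the pre-registered one, a short-lived single-use code bound to the client and redirection URI that requested it, and client authentication at the token endpoint. The client registration, secret and in-memory stores are constructed for the demo.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

CODE_TTL = 60  # seconds; RFC 6749 recommends a maximum code lifetime of 10 minutes
# Constructed client registration: redirect URIs are fixed when the client registers.
CLIENTS = {"app-123": {"secret": "constructed-client-secret",
                       "redirect_uris": {"https://app.example/cb"}}}
_codes = {}  # code -> grant record; single-process stand-in for the server's store


def authorize(client_id, redirect_uri, scope, now=None):
    """Authorization endpoint, after the resource owner consented: mint a one-time code.
    redirect_uri must exactly match a registered value, so the code cannot be sent to
    a site of the attacker's choosing, and must be https so it is not sniffed."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unregistered client or redirect_uri")
    if urlsplit(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use TLS")
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "scope": scope, "expires": now + CODE_TTL, "used": False}
    return code


def exchange(client_id, client_secret, code, redirect_uri, now=None):
    """Token endpoint: trade the code for tokens. The code is bound to the client and
    redirect_uri it was issued for, expires quickly, and is accepted exactly once."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise ValueError("invalid_client")
    grant = _codes.get(code)
    if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        raise ValueError("invalid_grant")
    now = time.time() if now is None else now
    if grant["used"]:
        # Replay: deny; RFC 6749 also says to revoke tokens already issued for this code.
        del _codes[code]
        raise ValueError("invalid_grant: code already used")
    if now > grant["expires"]:
        del _codes[code]
        raise ValueError("invalid_grant: code expired")
    grant["used"] = True
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32),
            "scope": grant["scope"]}
```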
Implicit Grant Flow (diagram: Client, User Agent, Resource Owner, Authorization Server, Web-Hosted Client Resource)
(A) Client directs the User Agent to the Authorization Server with the Client Identifier, Scope and Redirection URI.
(B) User authenticates (the Resource Owner).
(C) Authorization Server redirects the User Agent to the Redirection URI with the Access Token in the URI fragment.
(D) User Agent requests the Redirection URI from the Web-Hosted Client Resource, without the fragment.
(E) Web-Hosted Client Resource returns a script.
(F) The script extracts the Access Token from the fragment and passes it to the Client.
Implicit Grant Flow
- The Authorization Server issues the Access Token directly to the Client (one step).
- Suited to very specific Public Clients, e.g. applications running inside a browser.
- The Authorization Server does not (and cannot) authenticate the Client.
- Issuing a Refresh Token is forbidden.
Resource Owner Password Credentials Grant Flow (diagram: Resource Owner, Client, Authorization Server)
(A) Resource Owner gives their password credentials to the Client.
(B) Client forwards the Resource Owner's password credentials to the Authorization Server.
(C) Authorization Server returns an Access Token and, optionally, a Refresh Token.
Resource Owner Password Credentials Grant Flow
- Higher risk, because the Client gets to see the account and password (something it should not need).
- The Resource Owner has no way to control the scope the Client requests.
- Only suited to cases where the Resource Owner trusts the Client highly, e.g. applications built into the operating system, such as HTC Sense accessing Facebook.

Client Credentials Grant Flow (diagram: Client, Authorization Server)
(A) Client authenticates to the Authorization Server.
(B) Authorization Server returns an Access Token.
The Client is itself the Resource Owner: it accesses Protected Resources that it owns.

Other Third-Party Authentication/Authorization
- OpenID Connect (OIDC): identity authentication on top of OAuth 2.0; it provides the RP with information about the authenticated user.
- SAML: an XML-based, open-standard data format for exchanging authentication and authorization data between parties. It can be used together with OpenID, e.g. NTU SSO.
Provider support (table; the cell layout is not recoverable from the extraction)
Columns: OpenID, OAuth 2.0, OpenID Connect. Rows: Facebook, Google, Yahoo, Microsoft, IBM, Twitter.
Notes preserved from the cells: Facebook Connect; Google's OpenID support is no longer supported since 2015; Azure AD Connect (Microsoft); Blue ID.
Conclusion
OpenID and OAuth are widely used nowadays. Understanding these standards helps us figure out how applications that let you sign in with your Facebook/Google account work.
References
Wikipedia:
- https://en.wikipedia.org/wiki/OpenID
- https://en.wikipedia.org/wiki/OAuth
Stack Overflow:
- http://stackoverflow.com/questions/4113934/how-is-oauth-2-different-from-oauth-1
- http://stackoverflow.com/questions/23780909/why-does-the-implicit-authorization-grant-in-oauth-require-a-web-hosted-client
- http://stackoverflow.com/questions/14574846/client-authentication-on-public-client
Other:
- https://spin.atomicobject.com/2016/05/30/openid-oauth-saml/
- http://openid.net/connect/
- http://huoding.com/2011/11/08/126
- https://blog.yorkxin.org/2013/09/30/oauth2-1-introduction
- https://tools.ietf.org/html/rfc6749
- https://oauth.net/core/1.0/
- https://oauth.net/core/1.0a/