QCon - New York. New York 18th June 2012 (June 18th for Americans)

Transcription

1 QCon - New York New York 18th June 2012 (June 18th for Americans) 1

2 John Davies An ageing Über-geek Hardware, Assembler, C, Objective-C, C++, OCCAM, SmallTalk, Java Worked mostly in trading systems, FX & Derivatives Head of trading systems at Paribas, head of architecture at BNP Paribas, global head of architecture at JP Morgan Author of Learning Trees Enterprise Java courses & co-author of several Java & architecture books Co-founder of C24 Solution in 2000 Sold to Nasdaq s Iona Technologies in 2007, Iona sold to Progress Software in 2008, Technical Director of both companies Co-founded Incept5 in 2008, re-acquired C24 from Progress in April 2011 CTO of Incept5 & C24 Original technical architect behind Visa s V.me (pre-public release) 2

3 I m a Hacker Why am I talking about Social Media OAuth in a Security track? I work in banking and payments, security is top, TOP priority Understanding how security works (or doesn t) is key to being able to provide better measures against malicious hackers Only by understanding how malicious hackers do their dirty work can we hope to protect our application and systems So yes, I hack in the exploratory sense of the word OAuth is an important tool in today s increasingly mobile and social world 3

4 Agenda Signup and Password Hell Passwords, Hashes and Leaks Pass phrases OAuth Hooking up an app with Facebook OAuth & Security 4

5 One password or multiple? One single username and password would make our lives a lot easier Assuming it s a good password of course But then if it were breached, the hacker gets access to everything :-( If you add better security it might work Something you own perhaps, a phone? Access from a specific IP address etc. But then when you lose it, you re locked out of everything And in practice they re not really that secure 5

6 Multiple Passwords So we re back to unique passwords for every single system we use Every new app seems to want you to provide new credentials, first the username... You enter you username jdoe, immediately you re told it s not free You try johndoe, taken, why not try johndoe367? You settle with bigjohndoe Then the password... xxxxxx - Password must be minimum 8 chars xxxxxxxx - Password must contain a number xxxnxxxx - Password must contain at least one uppercase character XxxNxxxx - Password must contain a punctuation character 6

7 Password Hell Finally you find a password that works in most places John1985! Then you have to change it a month later OK, you can t change your name or date of birth so now what? You end up writing it down or entering it into your phone s notes Not very secure! Don t fight it, you need multiple passwords 7

8 Password security Most people use common words as passwords, names, numbers, combinations of the two, letter/number substitutes These are incredibly easy to hack John, BigJohn, John1234, J0hni234, B1gJ0hn Take almost any combination of 6-8 characters, any word (in any language), any two words, any word with a number Someone will have hashed it and added it to a rainbow list Try it, take your password, hash it with MD5 and SHA and then google the result If you find it, you might as well not have a password (almost) 8

9 Getting the hash... Some easy methods... perl -e 'print qw(password)' shasum > 8be3c943b1609fffbfc51aad666d0a04adf83c9d perl -e 'use Digest::MD5 qw(md5_hex); print md5_hex('password'), "\n";' > dc647eb65e6711e b3964 In Java/Scala use java.security. MessageDigest.getInstance("MD5"); java.security.messagedigest.getinstance("sha-1"); Now Google the hashes or paste them into something like

10 Was your password leaked by LinkedIn? Two weeks ago it was announced that someone had released 6.4 million passwords from LinkedIn Then is was eharmony, Last.fm and others It doesn t matter how well you guard your 8 character password, if some idiot at LinkedIn stores it unsalted and that gets out, you re hacked You MUST have a secure password with NO words Use a generator 1Password is a good solution 10

11 Nepephemeral An open-source password manager Inspired (accelerated) after the LinkedIn leak First public release in the next few days - OS-X and then Windoze iphone & Android in the near future Most password managers store everything in a database encrypted by a master password/phrase e.g. 1Password, LastPass etc. Disadvantage is that you re only one password from everything falling into the hands of a hacker Not just your Facebook login but your bank account and card pins 11

12 Nepephemeral Nepephemeral does not store passwords It automates the generation of strong passwords from pass phrases It also manages common password rotation tasks Allowing multiple unique passwords from a single pass phrase No need to memorise a new password every 30 days A pass phrase is a sequence of words or prose that is easy for you to remember and hard for someone else to guess Statistically even a short pass phrase is much harder to guess than the average 8 character password 12

13 Pass phrases First the password: Tr0ub4dor&3 Roughly 28 bits of entropy (228 =268,435,456) at 10k/sec that s 7 hours Difficulty to crack: EASY Difficulty to remember: DIFFICULT Now a pass phrase: correct horse battery staple About 44 bits of entropy (244 =over 17 trillion) at 1m/sec that s over 200 days! Difficulty to crack: HARD Difficulty to remember: You already have 13

14 If you re interested... Nepephemeral uses this fact to create passwords that can pass the Draconian passwords that most sites use While giving you a simple pass phrase that is easy to remember without compromising on security 14

15 Authorisation or Authentication? Authentication validates who you are, it can be in several levels. Just a name, a name and a password, a name, password and something secure, all of the above, a retina scan and a DNA sample Authorisation dictates what you can do, the higher levels may require a better level of authentication Access to your QCon badge, your hotel key, a seat on a plane or access into the Federal Reserve Bank or Fort Knox Both are interlinked, there s little point in a retina scan and DNA sample to get your QCon badge 15

16 OpenID OpenID is an open standard for decentralised authentication A user can signup with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication Web Site / App (RP) User OpenID Provider (OP) 16

17 OpenID OpenID is an open standard for decentralised authentication A user can signup with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication Web Site / App (RP) User OpenID Provider (OP) 1 RP asks user for OpenID 16

18 OpenID OpenID is an open standard for decentralised authentication A user can signup with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication Web Site / App (RP) User OpenID Provider (OP) 1 RP asks user for OpenID User returns OpenID 2 16

19 OpenID OpenID is an open standard for decentralised authentication A user can signup with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication Web Site / App (RP) User OpenID Provider (OP) 1 RP asks user for OpenID User returns OpenID 2 3 User is redirected to OP where he/she authenticates (usually a password) 16

20 OpenID OpenID is an open standard for decentralised authentication A user can signup with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication Web Site / App (RP) User OpenID Provider (OP) 1 RP asks user for OpenID User returns OpenID 2 3 User is redirected to OP where he/she authenticates (usually a password) OP redirects back to RP and user is authenticated 4 16

21 OpenID OpenID is an open standard for decentralised authentication A user can signup with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication Web Site / App (RP) User OpenID Provider (OP) 1 RP asks user for OpenID User returns OpenID 2 3 User is redirected to OP where he/she authenticates (usually a password) OP redirects back to RP and user is authenticated 4 OpenID says who you are not what you can do 16

22 OAuth "OAuth provides a way to grant access to your data on some website to a third website, without needing to provide this third website with your authentication information for the original website." What this means for example is that you could grant me access to some of your Facebook / Twitter / Google account without me having to know your username and password You can limit my access to certain parts of you account A good example would be a third party Facebook, Twitter or Google+ reader Normally you wouldn t want to trust the app developer with your username and password 17

23 OAuth 1.0 & 2.0 OAuth 2.0 was a replacement of OAuth 1.0, the latter was overly complex and difficult to implement due to the need for certificates etc. The spec can be found here... OAuth 2.0 does not require certificates, only SSL/TLS This makes it more flexible, i.e. the token can be portable Used wrongly though it can create a security issue 18

24 Authentication In theory you can use OAuth to authenticate a user, you don t necessarily need to get data from the authoriser s site This is authentication, NOT authorisation, it just confirms that you are who you say you are, as far as Facebook/Twitter etc. knows you It is very similar to the way OpenID works in this case You might want this to provide a common login across multiple apps Helps the user create an account without a new username/password Facilitates Identity management Authorisation, i.e. what the user can/can t do is still your problem 19

25 OAuth 2.0 User logs into game / application via Facebook or Twitter Game / Application Game / application can access data on Facebook or Twitter Facebook, Twitter, Google etc. 20

26 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 21

27 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup 21

28 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook 2 21

29 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook 2 3 User directed to Facebook login 21

30 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook 2 3 User directed to Facebook login Facebook redirects to your redirect URI with authentication code 4 21

31 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook 2 3 User directed to Facebook login Facebook redirects to your redirect URI with authentication code 4 5 Browser redirects to redirect URI 21

32 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook 2 3 User directed to Facebook login Facebook redirects to your redirect URI with authentication code 4 5 Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret 21

33 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook 2 3 User directed to Facebook login Facebook redirects to your redirect URI with authentication code 4 5 Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 7 21

34 OAuth 2.0 Initial Login User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook 2 3 User directed to Facebook login Facebook redirects to your redirect URI with authentication code 4 5 Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 7 8 User is now logged in 21

35 OAuth 2.0 Data Request User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook User directed to Facebook login Facebook redirects to your redirect URI with authentication code Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 8 User is now logged in

36 OAuth 2.0 Data Request User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook User directed to Facebook login Facebook redirects to your redirect URI with authentication code Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 8 User is now logged in User requests data via app / browser 22

37 OAuth 2.0 Data Request User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook User directed to Facebook login Facebook redirects to your redirect URI with authentication code Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 8 User is now logged in User requests data via app / browser 10 Server requests data with token 22

38 OAuth 2.0 Data Request User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook User directed to Facebook login Facebook redirects to your redirect URI with authentication code Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 8 User is now logged in User requests data via app / browser 10 Server requests data with token 11 Facebook accesses data 22

39 OAuth 2.0 Data Request User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook User directed to Facebook login Facebook redirects to your redirect URI with authentication code Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 8 User is now logged in User requests data via app / browser 10 Server requests data with token 11 Facebook accesses data Data accessed 12 22

40 OAuth 2.0 Data Request User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook User directed to Facebook login Facebook redirects to your redirect URI with authentication code Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 8 User is now logged in User requests data via app / browser 10 Server requests data with token 11 Facebook accesses data Data accessed 12 Facebook returns requested data 13 22

41 OAuth 2.0 Data Request User Browser or App Your Server Twitter, Facebook or Google etc. User Data 1 Startup You need to login via Facebook User directed to Facebook login Facebook redirects to your redirect URI with authentication code Browser redirects to redirect URI 6 Server sends user authentication code, ID and user secret Returns access token 8 User is now logged in User requests data via app / browser 10 Server requests data with token 11 Facebook accesses data Data accessed 12 Facebook returns requested data 13 User sees data 14 22

42 OAuth in Facebook is very easy Compared to the complexity of OAuth 1.0 on iphone using Facebook is wonderfully easy Facebook has provided open libraries you can link in to your code git://github.com/facebook/facebook-ios-sdk.git It effectively does all the OAuth stuff for you, all you need to do is create (register) an app on Facebook... and write a few callbacks / delegate methods 23

43 Registering the app You just need the App ID and App Secret You can then use this in your application for authentication Once your client has authed you can use the token on the phone or a server 24

44 XCode... 25

45 The Login callback When the Facebook web/app login returns it calls our fbdidlogin method 26

46 Server Delegation It s easy to authenticate and login from the phone but the we may want our own server in the loop We could run everything though the phone and back to the server but that s unnecessary bandwidth (cost and latency) So ideally we would want the server to communicate with Facebook The token is portable We can send it to the server which can become a proxy for our mobile app. Effectively we can transfer privileges Useful but how safe is this? The token is now a new (portable) key to Facebook It s worth noting that Twitter doesn t allow this 27

47 In a nutshell then You need unique and good passwords Ideally generated and ideally will over 8 characters in length While password management tools are a good start they present a new risk One you may be happy with but not one a company should accept OAuth on Facebook, Google, Twitter etc. is becoming a defacto tool for SSO Not just for the data they contain but also just authentication OAuth creates a whole new realm of security issues 28

48 Thank you Thank you 29