
API Authentication and Authorization Protocols

API Authentication and Authorization Protocols. David Lee and Yating Hsu The Ohio State University Feb. 2, 2010 (Dagstuhl Seminar). Project. Protocol System Fingerprinting [1] G. Shu and D. Lee, “Network Protocol System Fingerprinting - A Formal Approach”, IEEE Infocom 2006


Presentation Transcript


  1. API Authentication and Authorization Protocols David Lee and Yating Hsu The Ohio State University Feb. 2, 2010 (Dagstuhl Seminar)

  2. Project
     • Protocol System Fingerprinting
       [1] G. Shu and D. Lee, "Network Protocol System Fingerprinting - A Formal Approach", IEEE Infocom 2006
       [2] G. Shu and D. Lee, "A Formal Methodology for Network Protocol Fingerprinting", IEEE Trans. on Parallel and Distributed Systems, 2010

  3. Project • Network Malicious Nodes Conviction N. Li and D. Lee, “Network Court Protocol and Malicious Node Conviction”, IEEE ICNP 2007

  4. Project • Protocol Implementation Security Flaw Detection Y. Hsu, G. Shu and D. Lee, “A Model-based Approach to Security Flaw Detection of Network Protocol Implementations”, IEEE ICNP 2008

  5. Project (in progress) • Anonymous Content Delivery (Funded by AT&T)

  6. Project (in progress) • Federated Protocol authentication and authorization (funded by Google)

  7. API Authentication and Authorization
     • Valet key for the web
     • A photo printing service website prints user's photos stored at another website.
     • User authorizes the photo printing website to access photos without sharing his password?
     (Figure: photo printing website and web album, with the user's username/password held only at the web album)

  8. API Authentication Protocols
     • Three-party authentication
       • Service Provider: web album
       • Consumer: photo printing service website
       • User
     • A method for the User to grant the Consumer access to the data stored at the Service Provider
       • Through the API defined by the Service Provider
       • AOL OpenAuth, Yahoo! BBAuth, Flickr API, Amazon Web Services API
     • OAuth: an attempt to standardize API authentication protocols by Google et al.

  9. OAuth Workflow
     • Part I
     • User visits the Consumer (photo printing service website) to request a service (order prints)
     • Consumer requests a Request Token from the Service Provider
     • Service Provider grants the Consumer a Request Token
     (Figure: messages 1 to 3 between User, Consumer and Service Provider)

  10. OAuth Workflow
     • Part II
     • Consumer redirects the User to the Service Provider's User Authorization URL with the Request Token
     • User signs in at the Service Provider; the Service Provider authenticates the User and asks for his authorization of access by the Consumer
     • Service Provider redirects the User back to the Consumer with the Request Token authorized
     (Figure: messages 4 to 6 between User, Consumer and Service Provider)

  11. OAuth Workflow
     • Part III
     • Consumer uses the authorized Request Token to exchange it for an Access Token.
     • Service Provider grants the Consumer an Access Token
     • Consumer uses the Access Token to access Protected Resources (photos).
     (Figure: messages 7 to 9 between Consumer and Service Provider)

  12. Formal Model of OAuth
     • Model OAuth with Communicating Extended FSMs
     • Each communicating principal is an EFSM
       • Service Provider: 4 states, 5 transitions, 3 variables
       • Consumer: 5 states, 6 transitions, 3 variables
       • User: 3 states, 4 transitions, 2 variables
     • Attacker model
       • Restricted Dolev-Yao model
       • Only injects valid OAuth messages that are executable
       • Secure/insecure interfaces (HTTPS/HTTP)

  13. Analysis of Security Properties
     • Unauthorized access of protected resources
     • Reachability graph and online minimization
     • Attacker involvement
     • Attack traces

  14. Verification Method
     • Each step of a normal protocol run is A1, A2, …, A12
     • The attacker can also take the 12 steps: B1, B2, …, B12
     • Represent the attacker's operation by C0, C1, …, C12, where Ci is a set of sequences of actions from {B1, B2, …, B12} in an arbitrary order
     (Figure: the normal run A1 … A12 interleaved with attacker action sets C0 … C12)

  15. Goals
     • Rediscover known security flaws
       • Session Fixation attack of OAuth 1.0 was found
       • OAuth 1.0A was announced to address this attack
     • Find unknown security flaws
     • Or prove OAuth 1.0A is secure
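The three-party workflow of slides 9 to 11, as a small Python simulation added here (it is not part of the slides or of the authors' EFSM model): the Service Provider issues a Request Token, records the User's authorization, exchanges the token for an Access Token, and serves photos against it. It also includes the oauth_verifier that OAuth 1.0A added to bind the authorization step to the Consumer session that started the flow (a detail the slides only allude to under "Goals"), so an exchange attempted before authorization or without the right verifier is refused. Consumer and user names and the photo lists are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    """Web album (Service Provider): issues, authorizes and redeems OAuth 1.0A tokens."""
    request_tokens: dict = field(default_factory=dict)  # request token -> record
    access_tokens: dict = field(default_factory=dict)   # access token -> owning user
    photos: dict = field(default_factory=dict)          # user -> photo names (sample data)

    def issue_request_token(self, consumer):
        # Steps 2-3: an unauthorized Request Token bound to the requesting Consumer.
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = {"consumer": consumer, "user": None, "verifier": None}
        return tok

    def authorize(self, tok, user):
        # Steps 5-6: the User signs in and approves; the verifier travels back with
        # the User to the Consumer (this is the OAuth 1.0A addition).
        rec = self.request_tokens[tok]
        rec["user"] = user
        rec["verifier"] = secrets.token_hex(4)
        return rec["verifier"]

    def exchange(self, tok, consumer, verifier):
        # Steps 7-8: redeem only an authorized token, for the same Consumer that
        # requested it, and only with the verifier the User carried back.
        rec = self.request_tokens.pop(tok, None)  # single use: consumed on first attempt
        if rec is None or rec["consumer"] != consumer or rec["user"] is None:
            return None
        if not secrets.compare_digest(rec["verifier"], verifier):
            return None
        access = secrets.token_hex(8)
        self.access_tokens[access] = rec["user"]
        return access

    def get_photos(self, access_token):
        # Step 9: the Access Token, not a password, selects the protected resources.
        owner = self.access_tokens.get(access_token)
        return None if owner is None else list(self.photos.get(owner, []))


def run_oauth_flow(sp, consumer, user, verifier_override=None):
    """Drive Parts I-III and return the photos the Consumer obtained, or None if refused."""
    tok = sp.issue_request_token(consumer)                   # Part I
    verifier = sp.authorize(tok, user)                       # Part II
    presented = verifier if verifier_override is None else verifier_override
    access = sp.exchange(tok, consumer, presented)           # Part III
    return None if access is None else sp.get_photos(access)
```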

  16. General Problems
     • Multiple Users and Consumers
     • Protocols
     • Security Properties
     • Federated Authentication Protocols
       • OpenID
       • Universal Single Sign-in
       • Roaming Access
       • …
